OpenWisp Radius Enforcing Session Limit


Mindf

Jul 19, 2023, 8:22:51 AM7/19/23
to OpenWISP
Hello,

I have configured a captive portal with openwisp-radius (running in a virtualenv locally) with FreeRADIUS. I am able to use it for authentication and accounting, and basic functions such as creating users through the GUI also work.

I do have some questions below about the 'users' group.

The default group 'users' limits user sessions to 3 hours and 300 MB (reset daily).

1. I noticed that the user is not disconnected immediately if they breach their daily data limit. I understand that RADIUS needs to send a disconnect request (CoA) to do this.

Instead of a disconnect request, I have a specific command/script that I would like to run to disconnect the user from my NAS if users breach the limit. Where can I configure this?

2. I want to create a new group with a specific bandwidth limit, but it will not reset.
I understand from the docs that the reset period 'never' is already available, but it is suggested to subclass openwisp_radius.counters.base.BaseCounter,
and once the new class is ready, you will need to add it to OPENWISP_RADIUS_COUNTERS (https://openwisp-radius.readthedocs.io/en/stable/user/enforcing_limits.html).

Is there any example that I can follow to do this, as I have a limited Django/Python or scripting background?

Thanks!

Federico Capoano

Jul 19, 2023, 9:53:33 AM7/19/23
to open...@googlegroups.com
Hi,

1. Whether the user is disconnected or not depends on the NAS and what attribute it uses. What NAS are you using? CoovaChilli, pfSense, hostapd (WPA Enterprise), a PPPoE server, or what else?
What I have seen with popular open source captive portals is that users are disconnected close to the limit but not at the exact limit.
CoA is a different concept: it is needed to propagate changes from the central server to the NAS while the user is authenticated. E.g. the user has upgraded their plan and now has different limits; without CoA the user will need to log out and log in again, with CoA the NAS can update the authorization details of the user while the session is still active. CoA can also be used to de-authenticate the user from a central point, but it's not the mechanism used to log out users who reached their limit.

2. Here's the counters code:
For example, the monthly traffic counter for postgresql:

Now if you don't have any experience with code, this may be tricky. You could also fall back to the sqlcounter module in FreeRADIUS and not do this via OpenWISP; the catch is that FreeRADIUS has no concept of multi-tenancy, which means you will only be allowed to set the limit once on the entire instance and this will be enforced for all organizations.

I hope this helps.
Federico


Mindf

Jul 20, 2023, 8:27:28 AM7/20/23
to OpenWISP
Hi Federico,

Thank you for your response.

1. I am using OPNsense as a captive portal. I tested logging in with a test user with a 5 MB limit, used up all of the limit, but it was not disconnected for about 30 mins or so.
I can see the accounting is running, but there is no action from RADIUS to disconnect the user.

(11) rest:    --> {"username": "testvpn2", "password": "xxxxxxxxxx"}
...omitted...
(11) rest: Auth-Type := Accept
(11) rest: Parsing attribute "Reply-Message"
(11) rest: EXPAND Hello
(11) rest:    --> Hello
(11) rest: Reply-Message = "Hello"
(11) rest: Parsing attribute "ChilliSpot-Max-Total-Octets"
(11) rest: EXPAND 5000000
(11) rest:    --> 5000000
(11) rest: ChilliSpot-Max-Total-Octets := 5000000 <<<<< 5 MB limit, 

I guess OPNsense does not understand this attribute.
Does a captive portal normally understand this response attribute and honor it by disconnecting the user if the value is exceeded?

From the OpenWISP docs, for reference:

ChilliSpot-Max-Total-Octets is used by DailyTrafficCounter; it indicates the reply attribute which is returned to the NAS to indicate how much remaining traffic users who have the default users radius group assigned can consume.
It should be changed according to the NAS software in use; for example, if using pfSense, this setting should be set to pfSense-Max-Total-Octets.

(542)   User-Name = "testvpn2"
(542)   Acct-Status-Type = Interim-Update
(542)   Acct-Session-Id = "iKXzJgRnCQ2VAj/cCCGqFA=="
(542)   Acct-Authentic = Local
(542)   Acct-Session-Time = 2703
(542)   Acct-Input-Octets = 271614862
(542)   Acct-Output-Octets = 86124311 <<<< counter is over  5000000 but still connected and able to reach internet.
(542)   Framed-IP-Address = 10.1.1.2

2. Thank you for the links, I will check them out and play around with them. If all fails, I will definitely fall back and try to use FreeRADIUS without OpenWISP.

Thanks!

Federico Capoano

Jul 20, 2023, 9:31:21 AM7/20/23
to open...@googlegroups.com
You have to find the attribute used by OPNsense and change OPENWISP_RADIUS_TRAFFIC_COUNTER_REPLY_NAME accordingly.
OpenWISP is clearly returning it in the RADIUS packet, which is then shown in the FreeRADIUS debug output, so if the NAS does not respect the attribute, it's either not an attribute it supports or it expects another attribute.

Best regards
Federico Capoano
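To make the two points in this thread concrete (a traffic counter whose reset period is 'never' instead of 'daily', and the reply attribute name that has to match the NAS), here is a standalone Python model written for this thread. It is not openwisp-radius code and imports nothing from it: the class attributes counter_name, check_name, reply_name and reset mirror the ones the docs say a BaseCounter subclass sets, but the in-memory list of accounting rows stands in for the radacct SQL query, the consumed()/reply() methods are this example's own, and the check attribute name used by the never-reset counter is hypothetical. The sample octet counts are constructed from the Interim-Update shown above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class AcctRecord:
    """One radacct-style row: who, when the session started, and the octets it moved."""
    username: str
    acctstarttime: datetime
    acctinputoctets: int
    acctoutputoctets: int


class TrafficCounter:
    """Daily traffic counter: sums octets of sessions started since midnight (UTC here)."""
    counter_name = "example.DailyTrafficCounter"   # hypothetical name
    check_name = "Max-Daily-Session-Traffic"       # group check attribute named in the openwisp-radius docs
    reply_name = "ChilliSpot-Max-Total-Octets"     # default reply attribute, as in the FreeRADIUS debug output
    reset = "daily"

    def __init__(self, limit_octets: int, records: List[AcctRecord],
                 reply_name: Optional[str] = None):
        self.limit_octets = limit_octets
        self.records = records
        # Overriding reply_name models OPENWISP_RADIUS_TRAFFIC_COUNTER_REPLY_NAME:
        # the value only helps if the NAS actually understands that attribute.
        if reply_name:
            self.reply_name = reply_name

    def window_start(self, now: datetime) -> datetime:
        """Start of the accounting window for this counter's reset period."""
        if self.reset == "daily":
            return now.replace(hour=0, minute=0, second=0, microsecond=0)
        if self.reset == "never":
            # No reset: every session the user ever had counts.
            return datetime.min.replace(tzinfo=timezone.utc)
        raise ValueError(f"unsupported reset period {self.reset!r}")

    def consumed(self, username: str, now: datetime) -> int:
        """Total input + output octets of the user's sessions inside the window."""
        start = self.window_start(now)
        return sum(
            r.acctinputoctets + r.acctoutputoctets
            for r in self.records
            if r.username == username and start <= r.acctstarttime <= now
        )

    def reply(self, username: str, now: datetime) -> Optional[Dict[str, int]]:
        """Reply attribute for an Access-Accept, or None when the limit is used up (reject)."""
        remaining = self.limit_octets - self.consumed(username, now)
        if remaining <= 0:
            return None
        return {self.reply_name: remaining}


class NeverResetTrafficCounter(TrafficCounter):
    """Same logic, but the quota never resets."""
    counter_name = "example.NeverResetTrafficCounter"  # hypothetical name
    check_name = "Max-Total-Session-Traffic"           # hypothetical check attribute name
    reset = "never"


# Constructed sample data (not real accounting data).
NOW = datetime(2023, 7, 20, 8, 0, tzinfo=timezone.utc)
FIVE_MB = 5_000_000
SAMPLE_RECORDS = [
    # octet counts copied from the Interim-Update quoted in the thread
    AcctRecord("testvpn2", datetime(2023, 7, 20, 7, 15, tzinfo=timezone.utc), 271614862, 86124311),
    # a session from the previous day: counts for 'never', not for 'daily'
    AcctRecord("testvpn2", datetime(2023, 7, 19, 22, 0, tzinfo=timezone.utc), 2_000_000, 1_500_000),
    # another user, must never be counted against testvpn2
    AcctRecord("other", datetime(2023, 7, 20, 7, 30, tzinfo=timezone.utc), 100, 100),
]


def demo() -> Dict[str, Optional[Dict[str, int]]]:
    """Run the three scenarios discussed in the thread and return their reply attributes."""
    over_limit = TrafficCounter(FIVE_MB, SAMPLE_RECORDS)
    daily_ok = TrafficCounter(400_000_000, SAMPLE_RECORDS)
    never = NeverResetTrafficCounter(400_000_000, SAMPLE_RECORDS,
                                     reply_name="pfSense-Max-Total-Octets")
    return {
        "5MB_daily": over_limit.reply("testvpn2", NOW),   # None: next login is rejected
        "400MB_daily": daily_ok.reply("testvpn2", NOW),
        "400MB_never": never.reply("testvpn2", NOW),
    }


if __name__ == "__main__":
    for name, attrs in demo().items():
        print(name, "->", attrs if attrs else "reject (quota exhausted)")
```

Note what the model does and does not do: the counter only produces a value when the user authenticates, so an Interim-Update that shows the octet counters far above the quota (as in the thread) changes nothing about the running session. Whether that session is cut off depends entirely on the NAS honouring the reply attribute it received at login, which is why the attribute name has to be one the NAS understands.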
