daloRADIUS Installation

=======================

pfSense requires an external freeRADIUS server to authenticate users/connected devices and

account for their traffic volumes. While freeRADIUS could be set up from scratch, a pre-
prepared virtual machine called daloRADIUS is used. This VM contains an almost-ready-to-go
installation. Such a VM also makes backups of the whole system easier.

Configuration of physical host for daloRADIUS virtual machine

-------------------------------------------------------------

The system to host the daloRADIUS virtual machine could be almost any system, but the main
system currently is powered by Virtual Box on top of a Lubuntu installation. Only a few
additional changes are required:

Install and activate SSH server

add autologin http://ubuntuforums.org/showthread.php?t=1472113

ln -s backups ../Documents/

auto autostart of vbox virtual box autostart

https://forums.virtualbox.org/viewtopic.php?f=11&t=51529
http://wiki.ubuntuusers.de/LXDE_Einstellungen#Autostart-und-Sitzungseinstellungen-Default-
application-for-LXSession-und-LXSession-edit

Todo: Get history of system to see all changes

Configuration of daloRADIUS

---------------------------

After starting the VM and (re-) configure the network interface (typically a static IP in the
'server subnet') the Web UI is accessible through the network.

Create user groups as required Users, Guests, Leadership, XYZ-open-for-today (note that these
names are part of some automated scripts, so do not simply change them here). For each of
these groups the following reply or check attributes can be added to determine the
characteristics of the group Possible RADIUS attributes for each group: CS-Output-Octets-
Daily, CS-Intput-Octets-Daily, CS-Output-Octets-Weekly, CS-Input-Octets-Weekly, Session-
Timeout, Lucent-Max-Shared-Users, WISpr-Max-Down (pending exact name), WISpr-MaxUp
(pending exact name)

Create a NAS with the IP of pfSense (requires a reboot afterwards)

SSH into the system and run 'dpkg-reconfigure tzdata' from command line as root and set phone

Set timezone for PHP to date.timezone = 'Africa/Blantyre' (or 'Europe/Berlin') in

/etc/php5/apache2/php.ini

Deactivate /etc/cron.d/cron-apt in cron (to avoid system load while checking for updates)
Modify /etc/freeradius/sites-enabled/default as follows:

# checking for concurrently active users of same user group / profile

# copy/paste into daloradius /etc/freeradius/sites-enabled/default

# below the counterChilliSpot entries

if ("%{check:Lucent-Max-Shared-Users}") {

if("%{check:Lucent-Max-Shared-Users}" <= "%{sql:select count(*) from radacct where

acctstoptime is null and username in (select username from radusergroup where groupname in
(select groupname from radusergroup where username='%{User-Name}'));}") {

update reply {

Reply-Message := "Too many users - please try again later (%{sql:select count(*) from radacct
where acctstoptime is null and username in (select username from radusergroup where
groupname in (select groupname from radusergroup where username='%{User-Name}'))} of
%{check:Lucent-Max-Shared-Users})"

reject

add to /etc/freeradius/sites-enabled/default in authroize section

# accounting during working hours

update control {

# based on content in table daily_accounting, which is updated by cronjobs

My-Local-Output = "%{sql:SELECT IFNULL((SELECT ROUND((outputoctets_work_end -

outputoctets_work_beg) / 1000000) FROM daily_accounting WHERE username = '%{SQL-
User-Name}' AND day = date_format(now(), '%Y-%m-%d') AND work_end IS NOT NULL
AND day_end IS NULL), '0')}"

My-Local-Input = "%{sql:SELECT IFNULL((SELECT ROUND((inputoctets_work_end -

inputoctets_work_beg) / 1000000) FROM daily_accounting WHERE username = '%{SQL-
User-Name}' AND day = date_format(now(), '%Y-%m-%d') AND work_end IS NOT NULL
AND day_end IS NULL), '0')}"

# check for daily volume restrictions during working hours

if ("%{check:xian-Output-Megabytes-Daily-Work-Hours}" && "%{check:xian-Input-

Megabytes-Daily-Work-Hours}") {

if (("%{control:My-Local-Output}" > "%{check:xian-Output-Megabytes-Daily-Work-Hours}")

|| ("%{control:My-Local-Input}" > "%{check:xian-Input-Megabytes-Daily-Work-Hours}")) {

update reply {

Reply-Message := "Data bundle during business hours exceeded. Used: %{control:My-Local-

Output} / %{control:My-Local-Input} MB - Granted: %{check:xian-Output-Megabytes-Daily-
Work-Hours} / %{check:xian-Input-Megabytes-Daily-Work-Hours} MB (download/upload)"

reject
}

add in accounting section

# accounting during working hours

update control {

# based on content in table daily_accounting, which is updated by cronjobs

My-Local-Output = "%{sql:SELECT IFNULL((SELECT ROUND((outputoctets_work_end -

outputoctets_work_beg) / 1000000) FROM daily_accounting WHERE username = '%{SQL-
User-Name}' AND day = date_format(now(), '%Y-%m-%d') AND work_end IS NOT NULL
AND day_end IS NULL), '0')}"

My-Local-Input = "%{sql:SELECT IFNULL((SELECT ROUND((inputoctets_work_end -

inputoctets_work_beg) / 1000000) FROM daily_accounting WHERE username = '%{SQL-
User-Name}' AND day = date_format(now(), '%Y-%m-%d') AND work_end IS NOT NULL
AND day_end IS NULL), '0')}"

# check for daily volume restrictions during working hours

if ("%{check:xian-Output-Megabytes-Daily-Work-Hours}" && "%{check:xian-Input-

Megabytes-Daily-Work-Hours}") {

if (("%{control:My-Local-Output}" > "%{check:xian-Output-Megabytes-Daily-Work-Hours}")

|| ("%{control:My-Local-Input}" > "%{check:xian-Input-Megabytes-Daily-Work-Hours}")) {

captiveportal-disconnect-user
}

add to /etc/freeradius/modules/exec

# enforce user disconnect from pfSense

exec captiveportal-disconnect-user {

wait = no

program = "/bin/bash /home/pfSensePortal/misc/captiveportal-disconnect-user.sh %{User-

Name}"

input_pairs = request

shell_escape = yes

output = none

Copy all files from setup-daloradius/www/statistics to daloradius system under

/var/www/statistics

Add lines to /etc/freeradius/dictionary

ATTRIBUTE xian-Input-Megabytes-Daily-Work-Hours 3003 integer

ATTRIBUTE xian-Output-Megabytes-Daily-Work-Hours 3004 integer

ATTRIBUTE My-Local-Input 3005 integer

ATTRIBUTE My-Local-Output 3006 integer

Add additional attributes via Management - Attributes - New Vendor Attribute

xian

xian-Input-Megabytes-Daily-Work-Hours and xian-Output-Megabytes-Daily-Work-Hours

integer

:=

check

Manual configs

--------------

cd /home

git clone https://github.com/x-ian/pfSensePortal.git

DROP TABLE `daily_accounting`;

CREATE TABLE `daily_accounting` (

`id` int(32) NOT NULL AUTO_INCREMENT,

`username` varchar(64) COLLATE utf8_unicode_ci NOT NULL,

`day` date NOT NULL,

`day_beg` datetime,

`inputoctets_day_beg` bigint(20) DEFAULT 0,

`outputoctets_day_beg` bigint(20) DEFAULT 0,

`work_beg` datetime,

`inputoctets_work_beg` bigint(20) DEFAULT 0,

`outputoctets_work_beg` bigint(20) DEFAULT 0,

`work_end` datetime,

`inputoctets_work_end` bigint(20) DEFAULT 0,

`outputoctets_work_end` bigint(20) DEFAULT 0,

`day_end` datetime,

`inputoctets_day_end` bigint(20) DEFAULT 0,

`outputoctets_day_end` bigint(20) DEFAULT 0,

PRIMARY KEY (`id`),

UNIQUE `unique` (`username`, `day`)

) ENGINE=MyISAM DEFAULT CHARSET=latin1;

crontab

59 23 * * * /home/pfSensePortal/daloradius-accounting/reset-groups-open-for-today.sh

5 0 * * * /home/pfSensePortal/daloradius-accounting/accounting-snapshot-beg-of-day.sh

0 7 * * 1-5 /home/pfSensePortal/daloradius-accounting/accounting-snapshot-beg-of-work.sh

1,9,19,29,39,49,59 7-17 * * 1-5 /home/pfSensePortal/daloradius-accounting/accounting-

snapshot-end-of-work.sh

0,10,20,30,40,50,59 18-23 * * * /home/pfSensePortal/daloradius-accounting/accounting-

snapshot-end-of-day.sh

conditional accounting

enabling/disabling captive portal accounting together with kicking out all sessions seems to do
the trick. it however terminates all active sessions and connections. in case someone would like
to work around this, these are potential places to look at

https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
https://github.com/pfsense/pfsense/blob/27c2e32e28f871adf036b666e8e3ae1bf54ea7a2/etc/inc/
captiveportal.inc

https://github.com/pfsense/pfsense/blob/9775c69d65dd629f29bf3daa0b1efa277719f0d0/usr/loc
al/captiveportal/radius_accounting.inc

https://github.com/pfsense/pfsense/search?utf8=%E2%9C%93&q=pfSense_ipfw_getTablestats

another attempt to externaize accounting out of radius

http://www.netexpertise.eu/en/freeradius/daily-accounting.html

Additional information & usage notes

------------------------------------

Mapping of APZUnet attributes to daloRADIUS user attributes (APZUnet attribute :

daloRADIUS attribute)

mac: username

name: lastnames

email: email

primary device: mobile phone

initial_ip: state
owner: company

hostname: address

mac_vendor: city

registration_date: creation_date

notes: notes reserved for manual comments

freeradius daloradius sql counter module:

https://web.archive.org/web/20120428165635/http://sourceforge.net/projects/daloradius/forums/
forum/684102/topic/3307738

Apply backups from another installation:

http://sourceforge.net/p/daloradius/discussion/684102/thread/cc248889/

Avoid running freeradius -X from the command line. it will permanently crash the free radius
installation as it seems to activate an additional set of config files which will fail as a default
(mainly EAP). Better increase the logging level by adding this line to
/etc/freeradius/radiusd.conf: "debug_level = 2". Run '/etc/init.d/freeradius force-reload' to re-
apply config changes

Debugging/logging radius messages

incoming msg log: /var/log/freeradius/radacct/192.168.11.188/detail-XXX

uncomment auth_log in sites-enabled/default: /var/log/freeradius/radacct/192.168.11.188/auth-

XXX
on pfsense: clog -f /var/log/portalauth.log &