2018-01-30 10:40:13 +00:00
|
|
|
|
===============================
|
|
|
|
|
|
Setup FreeRADIUS for accounting
|
|
|
|
|
|
===============================
|
|
|
|
|
|
|
|
|
|
|
|
---------------------
|
|
|
|
|
|
Goal of this tutorial
|
|
|
|
|
|
---------------------
|
|
|
|
|
|
|
|
|
|
|
|
This tutorial can be used to test your Captive portal setup with radius
|
|
|
|
|
|
accounting, it's not intended to use for production setups (because we
|
|
|
|
|
|
only use simple flat files for everything). We used Ubuntu linux for
|
|
|
|
|
|
this setup, a different operating system might result in some paths
|
|
|
|
|
|
being different.
|
|
|
|
|
|
|
|
|
|
|
|
User limits on the OPNsense firewall are set right after login, the
|
2018-12-24 11:06:22 +00:00
|
|
|
|
Radius server should tell the firewall how many resources are left for
|
2018-01-30 10:40:13 +00:00
|
|
|
|
the user that logged in successfully. A normal login sequence look like
|
|
|
|
|
|
this:
|
|
|
|
|
|
|
|
|
|
|
|
[login] -> [send accounting start] -> [send interim updates while
|
|
|
|
|
|
connected] -> [on logout, send accounting stop]
|
|
|
|
|
|
|
|
|
|
|
|
-----
|
|
|
|
|
|
Setup
|
|
|
|
|
|
-----
|
|
|
|
|
|
|
|
|
|
|
|
To setup freeradius in ubuntu, execute the following command:
|
|
|
|
|
|
|
|
|
|
|
|
::
|
|
|
|
|
|
|
|
|
|
|
|
apt-get install freeradius
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Arrange client access
|
|
|
|
|
|
---------------------
|
|
|
|
|
|
|
|
|
|
|
|
Edit the file /etc/freeradius/clients.conf and append a block for your
|
|
|
|
|
|
network, as sample we will use 10.211.55.0/24.
|
|
|
|
|
|
|
|
|
|
|
|
.. code-block:: php
|
|
|
|
|
|
|
|
|
|
|
|
client 10.211.55.0/24 {
|
|
|
|
|
|
secret = testing123
|
|
|
|
|
|
shortname = test-network
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
Enable daily session limits
|
|
|
|
|
|
---------------------------
|
|
|
|
|
|
|
|
|
|
|
|
Enable daily session limits, which needs accounting to signal the
|
|
|
|
|
|
clients use.
|
|
|
|
|
|
|
|
|
|
|
|
- In /etc/freeradius/sites-available/default uncomment daily in
|
|
|
|
|
|
authorize and accounting sections.
|
|
|
|
|
|
- in /etc/freeradius/radiusd.conf uncomment daily in the instantiate
|
|
|
|
|
|
section
|
|
|
|
|
|
- append to /etc/freeradius/dictionary
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. code-block:: c
|
|
|
|
|
|
|
|
|
|
|
|
ATTRIBUTE Daily-Session-Time 3000 integer
|
|
|
|
|
|
ATTRIBUTE Max-Daily-Session 3001 integer
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- uncomment sradutmp in the accounting section, to be able to use the
|
|
|
|
|
|
radwho command.
|
|
|
|
|
|
|
|
|
|
|
|
--------------
|
|
|
|
|
|
Add test users
|
|
|
|
|
|
--------------
|
|
|
|
|
|
|
|
|
|
|
|
You can add your test users to /etc/freeradius/users, they should look
|
|
|
|
|
|
like this:
|
|
|
|
|
|
|
|
|
|
|
|
.. code-block:: c
|
|
|
|
|
|
|
|
|
|
|
|
"test" Cleartext-Password := "test", Max-Daily-Session := 1800
|
|
|
|
|
|
Framed-IP-Address = 10.211.55.100,
|
|
|
|
|
|
Reply-Message = "Hello, %{User-Name}"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Make sure the second and third lines are indented by a single tab
|
|
|
|
|
|
character.
|
|
|
|
|
|
|
|
|
|
|
|
This should result in a user with a maxim use per day of 1800 seconds.
|
|
|
|
|
|
|
|
|
|
|
|
-----------
|
|
|
|
|
|
Test radius
|
|
|
|
|
|
-----------
|
|
|
|
|
|
|
|
|
|
|
|
For the initial test, it might be practical to debug the traffic going
|
|
|
|
|
|
in and out from Freeradius. The next steps help you start Freeradius in
|
|
|
|
|
|
debug mode, without output to console:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. code-block:: c
|
|
|
|
|
|
|
|
|
|
|
|
/etc/init.d/freeradius stop
|
|
|
|
|
|
freeradius -X
|
