You have to find the attribute used by opnsense and change OPENWISP_RADIUS_TRAFFIC_COUNTER_REPLY_NAME accordingly. OpenWISP is clearly returning it in the RADIUS packet which then is shown in the freeradius debug output, so if the NAS does not respect the attribute, it's either not an attribute it supports or it expects another attribute.
Best regards Federico Capoano On Thu, 20 Jul 2023 at 08:27, Mindf <[email protected]> wrote: > Hi Federico, > > Thank you for your response. > > 1. I am using OPNsense as a captive portal. I tested logged in using a > test user with 5 MB limit, use all the limit and but it does not > disconnected for about 30 mins or so. > I can see the accounting is running but there is no action from radius to > disconnect the user. > > > > 11) rest: --> {"username": "testvpn2", "password": "xxxxxxxxxx"} > *...omitted...* > (11) rest: Auth-Type := Accept > (11) rest: Parsing attribute "Reply-Message" > (11) rest: EXPAND Hello > (11) rest: --> Hello > (11) rest: Reply-Message = "Hello" > (11) rest: Parsing attribute "ChilliSpot-Max-Total-Octets" > (11) rest: EXPAND 5000000 > (11) rest: --> 5000000 > *(11) rest: ChilliSpot-Max-Total-Octets := 5000000 <<<<< 5 MB limit, * > > *I guess OPNsense does not understand this attribute, * > *Does captive portal normally understand this response attribute and will > honor it by disconnecting the user if the value are over?* > > *From openwisp doc as reference: * > > ChilliSpot-Max-Total-Octets u*sed by DailyTrafficCounter, it indicates > the reply attribute which is returned to the NAS to indicate how much > remaining traffic users which users having the default users radius group > assigned can consume.* > *It should be changed according to the NAS software in use, for example, > if using PfSense, this setting should be set to pfSense-Max-Total-Octets.* > > ((542) User-Name = "testvpn2" > (542) Acct-Status-Type = Interim-Update > (542) Acct-Session-Id = "iKXzJgRnCQ2VAj/cCCGqFA==" > (542) Acct-Authentic = Local > (542) Acct-Session-Time = 2703 > (542) Acct-Input-Octets = 271614862 > *(542) Acct-Output-Octets = 86124311 <<<< counter is over * *5000000 but > still connected and able to reach internet.* > (542) Framed-IP-Address = 10.1.1.2 > > 2. Thank you for the links, I will check it out and play around with it. > If all fails, I will definitely fallback and try to use freeradius without > openwisp. > > Thanks! > > On Wednesday, July 19, 2023 at 8:53:33 PM UTC+7 f.capoano wrote: > >> Hi, >> >> 1. Whether the user is disconnected or not depends on the NAS and what >> attribute it uses. What NAS are you using? Coova-chilli, Pfsesne, Hostapd >> (WPA Enterprise) a PPPoE server, or what else? >> What I have seen with popular open source captive portals is that users >> are disconnected close to the limit but not at the exact limit. >> CoA is a different concept, it is needed to propagate changes from the >> central server to the NAS while the user is authenticated. Eg: the user has >> upgraded its plan and now has different limits, without CoA the user will >> need to log out and log in again, with CoA the NAS can update the >> authorization details of the user while the session is still active. CoA >> can also be used to de-authenticate the user from a central point, but it's >> not the mechanism used to log out users who reached their limit. >> >> 2. Here's the counters code: >> >> https://github.com/openwisp/openwisp-radius/tree/master/openwisp_radius/counters >> For example, the monthly traffic counter for postgresql: >> >> https://github.com/openwisp/openwisp-radius/blob/master/openwisp_radius/counters/postgresql/monthly_traffic_counter.py >> >> Now if you don't have any experience with code, this may be tricky. You >> could also fallback to the sqlcounters module in freeradius and not do this >> via OpenWISP, the catch is that freeradius has no concept of multi-tenancy, >> that means you will only be allowed to set the limit once on the entire >> instance and this will be enforced for all organizations. >> >> I hope this helps. >> Federico >> >> On Wed, 19 Jul 2023 at 08:22, Mindf <[email protected]> wrote: >> >>> Hello, >>> >>> I have configured a captive portal with openwisp-radius (running on >>> virtualenv locally) with free radius. I am able to use it to authenticate >>> and accounting + basic function to create user through GUI, etc. also ok. >>> >>> I do have some question below about the 'users' group >>> >>> The default group 'users' have a limits users sessions to 3 hours and >>> 300 MB (reset daily) >>> >>> 1. I noticed that the user will not be disconnected immediately if user >>> breach his daily data limit? I understand that radius need to send >>> disconnect request (COA) to do this. >>> >>> Instead of disconnect request, I have a specific command/script that I >>> would like to run to disconnect the user from my NAS if users breach the >>> limit. Where can I configure this? >>> >>> 2. I want to create a new group with a specific bandwidth limit but it >>> will not reset. >>> I understand from the doc that the reset period 'never' is already >>> available but it is suggested to subclass >>> openwisp_radius.counters.base.BaseCounter, >>> and once the new class is ready, you will need to add it to >>> OPENWISP_RADIUS_COUNTERS ( >>> https://openwisp-radius.readthedocs.io/en/stable/user/enforcing_limits.html >>> ) >>> >>> Is there any example that I can follow to do this? as I have limited >>> django/python or in scripting background. >>> >>> Thanks! >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "OpenWISP" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web, visit >>> https://groups.google.com/d/msgid/openwisp/e7a1c582-7ed8-4d75-a12a-74cfcd063052n%40googlegroups.com >>> <https://groups.google.com/d/msgid/openwisp/e7a1c582-7ed8-4d75-a12a-74cfcd063052n%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "OpenWISP" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web, visit > https://groups.google.com/d/msgid/openwisp/e25a1718-ae0e-4edc-a301-246a13c2dd77n%40googlegroups.com > <https://groups.google.com/d/msgid/openwisp/e25a1718-ae0e-4edc-a301-246a13c2dd77n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "OpenWISP" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web, visit https://groups.google.com/d/msgid/openwisp/CAAGgX6KrKGqy0ti5GQaNqBZbGFzf-sRMf5ihvkB8A3HhMLQRyA%40mail.gmail.com.
