Re: [openwisp] OpenWisp Radius Enforcing Session Limit

2023-07-20 Thread Mindf
Hi Federico,

Thank you for your response.

1. I am using OPNsense as a captive portal. I tested logging in with a test 
user with a 5 MB limit and used up the whole limit, but it is not disconnected 
for about 30 mins or so.
I can see the accounting is running, but there is no action from radius to 
disconnect the user.



(11) rest:--> {"username": "testvpn2", "password": "xx"}
...omitted...
(11) rest: Auth-Type := Accept
(11) rest: Parsing attribute "Reply-Message"
(11) rest: EXPAND Hello
(11) rest:--> Hello
(11) rest: Reply-Message = "Hello"
(11) rest: Parsing attribute "ChilliSpot-Max-Total-Octets"
(11) rest: EXPAND 500
(11) rest:--> 500
(11) rest: ChilliSpot-Max-Total-Octets := 500   <<<<< 5 MB limit

I guess OPNsense does not understand this attribute.
Does a captive portal normally understand this response attribute, and will 
it honor it by disconnecting the user if the value is over?

From openwisp doc as reference:

ChilliSpot-Max-Total-Octets used by DailyTrafficCounter, it indicates the 
reply attribute which is returned to the NAS to indicate how much remaining 
traffic users which users having the default users radius group assigned 
can consume.
It should be changed according to the NAS software in use, for example, if 
using PfSense, this setting should be set to pfSense-Max-Total-Octets.

(542)   User-Name = "testvpn2"
(542)   Acct-Status-Type = Interim-Update
(542)   Acct-Session-Id = "iKXzJgRnCQ2VAj/cCCGqFA=="
(542)   Acct-Authentic = Local
(542)   Acct-Session-Time = 2703
(542)   Acct-Input-Octets = 271614862
(542)   Acct-Output-Octets = 86124311   <<<< counter is over 500 but 
still connected and able to reach internet.
(542)   Framed-IP-Address = 10.1.1.2

2. Thank you for the links, I will check them out and play around with them. If 
all fails, I will definitely fall back and try to use freeradius without 
openwisp.

Thanks!

On Wednesday, July 19, 2023 at 8:53:33 PM UTC+7 f.capoano wrote:

> Hi,
>
> 1. Whether the user is disconnected or not depends on the NAS and what 
> attribute it uses. What NAS are you using? Coova-chilli, pfSense, Hostapd 
> (WPA Enterprise), a PPPoE server, or what else?
> What I have seen with popular open source captive portals is that users 
> are disconnected close to the limit but not at the exact limit.
> CoA is a different concept, it is needed to propagate changes from the 
> central server to the NAS while the user is authenticated. Eg: the user has 
> upgraded its plan and now has different limits, without CoA the user will 
> need to log out and log in again, with CoA the NAS can update the 
> authorization details of the user while the session is still active. CoA 
> can also be used to de-authenticate the user from a central point, but it's 
> not the mechanism used to log out users who reached their limit.
>
> 2. Here's the counters code:
>
> https://github.com/openwisp/openwisp-radius/tree/master/openwisp_radius/counters
> For example, the monthly traffic counter for postgresql:
>
> https://github.com/openwisp/openwisp-radius/blob/master/openwisp_radius/counters/postgresql/monthly_traffic_counter.py
>
> Now if you don't have any experience with code, this may be tricky. You 
> could also fall back to the sqlcounters module in freeradius and not do this 
> via OpenWISP, the catch is that freeradius has no concept of multi-tenancy, 
> that means you will only be allowed to set the limit once on the entire 
> instance and this will be enforced for all organizations.
>
> I hope this helps.
> Federico
>
> On Wed, 19 Jul 2023 at 08:22, Mindf  wrote:
>
>> Hello,
>>
>> I have configured a captive portal with openwisp-radius (running in a 
>> virtualenv locally) with freeradius. I am able to use it for authentication 
>> and accounting, and basic functions such as creating users through the GUI 
>> are also OK.
>>
>> I do have some questions below about the 'users' group.
>>
>> The default group 'users' limits user sessions to 3 hours and 300 
>> MB (reset daily).
>>
>> 1. I noticed that the user will not be disconnected immediately if the user 
>> breaches his daily data limit? I understand that radius needs to send a 
>> disconnect request (CoA) to do this. 
>>
>> Instead of a disconnect request, I have a specific command/script that I 
>> would like to run to disconnect the user from my NAS if users breach the 
>> limit. Where can I configure this?
>>
>> 2. I want to create a new group with a specific bandwidth limit but it 
>> will not reset. 
>> I understand from the doc that the reset period 'never' is already 
>> available but it is
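
As an added illustration (not part of the thread and not OpenWISP or OPNsense code), the check a NAS performs when it honors a Max-Total-Octets style reply attribute can be reproduced against the accounting lines quoted in the message above. The function names are hypothetical, the sample is constructed from those quoted lines, and the limit is taken in octets (bytes), the unit these attributes carry.

```python
import re

# Constructed sample: the Interim-Update attributes quoted in the message above.
ACCT_DEBUG = """\
(542)   User-Name = "testvpn2"
(542)   Acct-Status-Type = Interim-Update
(542)   Acct-Session-Id = "iKXzJgRnCQ2VAj/cCCGqFA=="
(542)   Acct-Authentic = Local
(542)   Acct-Session-Time = 2703
(542)   Acct-Input-Octets = 271614862
(542)   Acct-Output-Octets = 86124311
(542)   Framed-IP-Address = 10.1.1.2
"""

# "(N)   Attribute = value" as printed by FreeRADIUS debug output.
ATTR_RE = re.compile(r'^\((\d+)\)\s+([\w-]+)\s*:?=\s*"?(.*?)"?\s*$')


def parse_packets(debug_text):
    """Group attribute lines by request number (hypothetical helper)."""
    packets = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            packets.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return packets


def total_octets(attrs):
    """Input + output bytes; each Gigawords unit is one 2**32 wrap-around."""
    total = 0
    for direction in ("Input", "Output"):
        total += int(attrs.get(f"Acct-{direction}-Octets", 0))
        total += int(attrs.get(f"Acct-{direction}-Gigawords", 0)) << 32
    return total


def sessions_over_limit(debug_text, max_total_octets):
    """Return (user, session id, bytes used) for sessions at or past the quota."""
    over = []
    for attrs in parse_packets(debug_text).values():
        if attrs.get("Acct-Status-Type") not in ("Interim-Update", "Stop"):
            continue
        used = total_octets(attrs)
        if used >= max_total_octets:
            over.append((attrs["User-Name"], attrs["Acct-Session-Id"], used))
    return over


if __name__ == "__main__":
    print(sessions_over_limit(ACCT_DEBUG, 500))
```

The session ids returned here are what a custom disconnect script or a Disconnect-Request would need to target on the NAS.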

[openwisp] OpenWisp Radius Enforcing Session Limit

2023-07-19 Thread Mindf
Hello,

I have configured a captive portal with openwisp-radius (running in a 
virtualenv locally) with freeradius. I am able to use it for authentication 
and accounting, and basic functions such as creating users through the GUI 
are also OK.

I do have some questions below about the 'users' group.

The default group 'users' limits user sessions to 3 hours and 300 
MB (reset daily).

1. I noticed that the user will not be disconnected immediately if the user 
breaches his daily data limit? I understand that radius needs to send a 
disconnect request (CoA) to do this. 

Instead of a disconnect request, I have a specific command/script that I 
would like to run to disconnect the user from my NAS if users breach the 
limit. Where can I configure this?

2. I want to create a new group with a specific bandwidth limit but it will 
not reset. 
I understand from the doc that the reset period 'never' is already 
available but it is suggested to subclass 
openwisp_radius.counters.base.BaseCounter,
and once the new class is ready, you will need to add it to 
OPENWISP_RADIUS_COUNTERS 
(https://openwisp-radius.readthedocs.io/en/stable/user/enforcing_limits.html)

Is there any example that I can follow to do this? I have limited 
background in django/python or scripting.

Thanks!
