Re: [openwisp] OPENWISP RADIUS

2024-06-22 Thread Federico Capoano
You would have to deploy that manually, on your own, or edit the settings
generated by ansible to remove anything not related to what you need.
You can use the test project of OpenWISP RADIUS for reference:
https://github.com/openwisp/openwisp-radius/blob/master/tests/openwisp2/settings.py

Best regards
Federico Capoano

On Fri, 21 Jun 2024 at 13:32, Tommaso Feola  wrote:

> I would need to install openwisp with just the radius module. If I follow
> the instructions in https://github.com/openwisp/openwisp-radius where I
> read "It can be used as a standalone application or integrated with the
> rest of OpenWISP",
>
> I can't understand how it works: I still have to install Ansible? If so,
> how do I install just the openwisp-radius module?
>
> Thank you
>
> --
> You received this message because you are subscribed to the Google Groups
> "OpenWISP" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to openwisp+unsubscr...@googlegroups.com.
> To view this discussion on the web, visit
> https://groups.google.com/d/msgid/openwisp/d1cefa52-96b5-4e17-94bb-13df086cb266n%40googlegroups.com.
>



Re: [openwisp] OPENWISP RADIUS

2024-06-08 Thread Kolla Honey
I'm hereby attaching the logs for the freeradius -X output. Please take a look
into it.

On Friday, June 7, 2024 at 7:19:58 PM UTC+5:30 Kolla Honey wrote:

> Hi,
> I am trying to bring up RADIUS in the openwisp server, so I have added the
> following lines in my playbook.yml:
> openwisp2_radius: true
> openwisp2_freeradius_install: false
> Openwisp2_radius_urls: true
> openwisp2_RADIUS_API: true
> After installing the openwisp server with ansible, I'm able to see the radius
> tab in the webserver. I followed the openwisp-radius documentation for
> eap-ttls configuration with the bearer token mechanism and followed all the
> steps.
> I have updated all the details like nas, rad-reply and other rad-tables in
> the sqlite.db based on the freeradius documentation and I made the necessary
> configurations in the openwisp webserver also.
> I used the freeradius -X command to run the RADIUS server in debug mode.
> Then I'm getting the following error:
>
>  rest ERROR: Request failed: 60 -ssl peer certificate or ssh remote key
> was not ok.
>
> For this error, I contacted the support group and they suggested
> generating automatic ssl certificates.
>
> The problem with this is that our team is not ready to buy the domain name.
> So, I have installed a local dns server and assigned the domain name for my
> openwisp server.
> I am able to ping my website and able to see the results from the nslookup
> and dig commands. Then I followed the documentation for automatic ssl
> certificates; when I'm running ansible with hosts and playbook with the new
> domain name as input, I'm getting an error that the dns record is not found
> for my domain name. So, I came to know that the DNS record has to be there on
> the internet for Let's Encrypt to work. So I went through the playbook to see
> what output Let's Encrypt is providing, and I came to know that we are feeding
> inputs like openwisp2_ssl_cert and openwisp2_ssl_key. Then I generated
> fullchain.pem and privkey.pem as inputs to the playbook for
> openwisp2_ssl_cert and openwisp2_ssl_key and ran ansible with the
> playbook as input.
> The generated keys are also given as input in the EAP file of freeradius. The
> openwisp server webpage is generated but I'm still getting connection not
> secure in my web browser. I'm getting the same error: "rest ERROR: Request
> failed: 60 -ssl peer certificate or ssh remote key was not ok."
> when running freeradius.
>
>
> Please correct me if I went wrong. Is this the correct way to bring up RADIUS
> in the openwisp server, or is there any better way? Please let me know.
> On Saturday, May 11, 2024 at 11:50:39 PM UTC+5:30 Kolla Honey wrote:
>
>> I have created the certificates and given as an input in the eap file of
>> freeradius. But still I'm seeing the same error. What should I do??
>>
>> On Sat, 11 May 2024, 10:31 pm Federico Capoano wrote:
>>
>>> If I was you I wouldn't bother to do that and would simply get a valid
>>> SSL certificate from Letsencrypt.
>>>
>>> For anything about freeradius, refer to the freeradius documentation
>>> and community support.
>>>
>>> I hope this helps.
>>>
>>> Federico
>>>



Freeradius_log.odt
Description: Zip archive


Re: [openwisp] OPENWISP RADIUS

2024-06-07 Thread Kolla Honey
Hi,
I am trying to bring up RADIUS in the openwisp server, so I have added the
following lines in my playbook.yml:
openwisp2_radius: true
openwisp2_freeradius_install: false
Openwisp2_radius_urls: true
openwisp2_RADIUS_API: true
After installing the openwisp server with ansible, I'm able to see the radius
tab in the webserver. I followed the openwisp-radius documentation for
eap-ttls configuration with the bearer token mechanism and followed all the
steps.
I have updated all the details like nas, rad-reply and other rad-tables in
the sqlite.db based on the freeradius documentation and I made the necessary
configurations in the openwisp webserver also.
I used the freeradius -X command to run the RADIUS server in debug mode.
Then I'm getting the following error:

 rest ERROR: Request failed: 60 -ssl peer certificate or ssh remote key was
not ok.

For this error, I contacted the support group and they suggested
generating automatic ssl certificates.

The problem with this is that our team is not ready to buy the domain name.
So, I have installed a local dns server and assigned the domain name for my
openwisp server.
I am able to ping my website and able to see the results from the nslookup and
dig commands. Then I followed the documentation for automatic ssl
certificates; when I'm running ansible with hosts and playbook with the new
domain name as input, I'm getting an error that the dns record is not found for
my domain name. So, I came to know that the DNS record has to be there on the
internet for Let's Encrypt to work. So I went through the playbook to see
what output Let's Encrypt is providing, and I came to know that we are feeding
inputs like openwisp2_ssl_cert and openwisp2_ssl_key. Then I generated
fullchain.pem and privkey.pem as inputs to the playbook for
openwisp2_ssl_cert and openwisp2_ssl_key and ran ansible with the
playbook as input.
The generated keys are also given as input in the EAP file of freeradius. The
openwisp server webpage is generated but I'm still getting connection not
secure in my web browser. I'm getting the same error: "rest ERROR: Request
failed: 60 -ssl peer certificate or ssh remote key was not ok."
when running freeradius.


Please correct me if I went wrong. Is this the correct way to bring up RADIUS
in the openwisp server, or is there any better way? Please let me know.

On Saturday, May 11, 2024 at 11:50:39 PM UTC+5:30 Kolla Honey wrote:

> I have created the certificates and given as an input in the eap file of
> freeradius. But still I'm seeing the same error. What should I do??
>
> On Sat, 11 May 2024, 10:31 pm Federico Capoano wrote:
>
>> If I was you I wouldn't bother to do that and would simply get a valid
>> SSL certificate from Letsencrypt.
>>
>> For anything about freeradius, refer to the freeradius documentation
>> and community support.
>>
>> I hope this helps.
>>
>> Federico
>>



Re: [openwisp] OPENWISP RADIUS

2024-05-11 Thread Kolla Honey
I have created the certificates and given as an input in the eap file of
freeradius. But still I'm seeing the same error. What should I do??

On Sat, 11 May 2024, 10:31 pm Federico Capoano wrote:

> If I was you I wouldn't bother to do that and would simply get a valid
> SSL certificate from Letsencrypt.
>
> For anything about freeradius, refer to the freeradius documentation
> and community support.
>
> I hope this helps.
>
> Federico
>



Re: [openwisp] OPENWISP RADIUS

2024-05-11 Thread Federico Capoano
If I was you I wouldn't bother to do that and would simply get a valid SSL
certificate from Letsencrypt.

For anything about freeradius, refer to the freeradius documentation
and community support.

I hope this helps.

Federico



Re: [openwisp] OPENWISP RADIUS

2024-05-11 Thread Kolla Honey
Hi,
When I opened my openwisp server, I got a warning that the connection is not
secure. Now, how can I configure freeradius to either not verify the validity
of the certificate or trust it?


On Friday, May 10, 2024 at 5:39:40 AM UTC-7 f.capoano wrote:

> If you open the URL of the OpenWISP admin web interface, do you see any 
> SSL certificate warning?
> If so, you're using an untrusted certificate. You can still use it, but 
> will have to configure freeradius to either not verify the validity of the 
> certificate or trust it.
>
> Best regards
> *Federico Capoano*
>
> On Fri, 10 May 2024 at 08:31, Kolla Honey  wrote:
>
>> Hello, I'm new to openwisp. I have downloaded RADIUS using ansible and I
>> followed the documentation provided on the web, yet whenever I'm running my
>> freeradius server, I'm getting the error rest: ERROR: Request failed: 60
>> -SSL peer certificate or SSHkey was not ok.
>> rest:ERROR: Server returned no data. I did try different combinations to
>> make it work but it is still throwing the same error. Can anyone help me with
>> what needs to be done? any inputs are needed from my end.
>>



Re: [openwisp] OPENWISP RADIUS

2024-05-10 Thread Federico Capoano
If you open the URL of the OpenWISP admin web interface, do you see any SSL
certificate warning?
If so, you're using an untrusted certificate. You can still use it, but
will have to configure freeradius to either not verify the validity of the
certificate or trust it.

Best regards
*Federico Capoano*

On Fri, 10 May 2024 at 08:31, Kolla Honey  wrote:

> Hello, I'm new to openwisp. I have downloaded RADIUS using ansible and I
> followed the documentation provided on the web, yet whenever I'm running my
> freeradius server, I'm getting the error rest: ERROR: Request failed: 60
> -SSL peer certificate or SSHkey was not ok.
> rest:ERROR: Server returned no data. I did try different combinations to
> make it work but it is still throwing the same error. Can anyone help me with
> what needs to be done? any inputs are needed from my end.
>


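The two options named in the reply above (trust the certificate, or stop verifying it) correspond to the `tls` section of the FreeRADIUS `rest` module. The following is an added example, not part of the original thread or of OpenWISP's code: it audits a `rest` module config for the weaker choice. The sample configs, the hostname and the CA file name are constructed; `check_cert` and `check_cert_cn` are treated as enabled when absent.

```python
import re


def parse_tls_section(rest_conf):
    """Return key/value pairs found directly inside the first `tls { ... }` block."""
    settings, depth, in_tls = {}, 0, False
    for raw in rest_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if not in_tls:
            if re.fullmatch(r"tls\s*\{", line):
                in_tls, depth = True, 1
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip('"')
    return settings


def audit_rest_tls(rest_conf):
    """Return (code, explanation) findings for the rest module's TLS settings."""
    tls = parse_tls_section(rest_conf)
    verify = tls.get("check_cert", "yes").lower() != "no"
    findings = []
    if not verify:
        findings.append(("no-verify",
                         "peer certificate is not validated; any host that can "
                         "intercept the connection receives RADIUS credentials"))
    if tls.get("check_cert_cn", "yes").lower() == "no":
        findings.append(("no-cn-check",
                         "certificate name is not matched against the API host"))
    if verify and not any(key in tls for key in ("ca_file", "ca_path")):
        findings.append(("system-trust-only",
                         "only the system trust store is used; a self-signed or "
                         "private-CA certificate fails with curl error 60"))
    return findings


# Constructed sample: verification switched off to silence error 60.
WEAK_CONF = """
rest {
    tls {
        check_cert = no
        check_cert_cn = no
    }
    connect_uri = "https://openwisp.example.internal"
}
"""

# Constructed sample: the private CA is trusted explicitly, verification stays on.
TRUSTED_CONF = """
rest {
    tls {
        ca_file = ${certdir}/openwisp-private-ca.pem
        check_cert = yes
        check_cert_cn = yes
    }
    connect_uri = "https://openwisp.example.internal"
}
"""

# Constructed sample: nothing configured, so a locally generated cert is rejected.
DEFAULT_CONF = """
rest {
    tls {
    }
    connect_uri = "https://openwisp.example.internal"
}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("trusted", TRUSTED_CONF),
                       ("default", DEFAULT_CONF)):
        print(name, [code for code, _ in audit_rest_tls(conf)])
```

Trusting the certificate only works when the name in `connect_uri` matches a name in the certificate, so a locally generated certificate has to carry the local DNS name.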

Re: [openwisp] openwisp-radius & freeradius only PAP

2023-11-15 Thread Federico Capoano
The password in the DB is hashed by Django (the framework on which OpenWISP
is based), for more info on this, see
https://docs.djangoproject.com/en/4.2/topics/auth/passwords/.
We have no way to calculate a different hash, that would mean having to
store the password in clear text which we do not do, the other way would be
to change the hashing algorithm to be the same used by chap/mschap but
these algorithms are too weak nowadays.

At least this is the situation if you want to use the users defined in
OpenWISP, if you are storing passwords elsewhere you would need to
configure freeradius to look for passwords differently.

Federico


On Wed, 15 Nov 2023 at 08:35, Tommaso Feola  wrote:

> I'll start by saying that I'm new to openwisp: after reading various
> documentation and some help in chat, I managed to install Openwisp with the
> RADIUS module. I did several tests with radtest: the authorization only
> works if I use PAP. If I try to use chap or mschap , rest (using the
> freeradius -X command) reports that the password is empty. Can anyone give
> me a tip? Thank you
> Tommaso
>


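Why only PAP works against a hashed user database, as an added example that is not part of the original thread or of OpenWISP's code: PAP delivers the cleartext password to the server, which can re-hash it, while a CHAP response (RFC 1994) can only be checked by a server that holds the cleartext. The password, salt and iteration count are constructed, and the iteration count is kept low so the demo runs quickly.

```python
import base64
import hashlib
import hmac


def django_pbkdf2_hash(password, salt, iterations=1000):
    """Encode a password in Django's `pbkdf2_sha256$iterations$salt$hash` format."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(digest).decode())


def pap_verify(stored, cleartext_from_nas):
    """PAP: the server sees the cleartext, so it re-hashes with the stored salt."""
    algorithm, iterations, salt, _ = stored.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: " + algorithm)
    candidate = django_pbkdf2_hash(cleartext_from_nas, salt, int(iterations))
    return hmac.compare_digest(candidate, stored)


def chap_response(chap_id, secret, challenge):
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_verify(chap_id, challenge, response, server_side_secret):
    """CHAP: the server must recompute the MD5 from the secret it holds."""
    expected = chap_response(chap_id, server_side_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = "constructed-passw0rd"             # constructed sample value
    stored = django_pbkdf2_hash(password, "constructedsalt")
    challenge = bytes(range(16))                  # constructed 16-byte challenge
    # The client answers the challenge; the password itself never leaves it.
    response = chap_response(7, password.encode(), challenge)
    return {
        # PAP: cleartext arrives, the hash comparison succeeds.
        "pap_with_hash": pap_verify(stored, password),
        # CHAP: the only thing the server holds is the PBKDF2 string.
        "chap_with_hash": chap_verify(7, challenge, response, stored.encode()),
        # CHAP succeeds only if the server kept the cleartext.
        "chap_with_cleartext": chap_verify(7, challenge, response, password.encode()),
    }


if __name__ == "__main__":
    print(demo())
```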

Re: [openwisp] openwisp-radius

2023-11-09 Thread Federico Capoano
Hi,

Freeradius talks to OpenWISP mostly via the REST API, the setup process is
explained here:

https://openwisp-radius.readthedocs.io/en/stable/developer/freeradius.html
https://openwisp-radius.readthedocs.io/en/stable/developer/freeradius_wpa_enterprise.html

Best regards
*Federico Capoano*
OpenWISP OÜ
Harjumaa, Tallinn, Sepapaja tn 6, 15551
VAT: EE101989729
*openwisp.io* 


On Thu, 9 Nov 2023 at 07:29, Tommaso Feola  wrote:

> Let me start by saying that I am new to openwisp. I tried to install it in
> different ways: I normally access the web page with the admin account.
> After I create a new NAS and a new user, doing a debug in freeradius, the
> NAS is unknown and if I add it manually in clients.conf of freeradius, the
> new user added in openwisp is not recognized by freeradius. I have enabled
> freeradius to mysql access to its database - I can't figure out how
> freeradius talks to the openwisp database. Can you help me understand what
> I can do, what checks can I do?
>



Re: [openwisp] OpenWisp Radius Enforcing Session Limit

2023-07-20 Thread Federico Capoano
You have to find the attribute used by opnsense and
change OPENWISP_RADIUS_TRAFFIC_COUNTER_REPLY_NAME accordingly.
OpenWISP is clearly returning it in the RADIUS packet which then is shown
in the freeradius debug output, so if the NAS does not respect the
attribute, it's either not an attribute it supports or it expects another
attribute.

Best regards
Federico Capoano

On Thu, 20 Jul 2023 at 08:27, Mindf  wrote:

> Hi Federico,
>
> Thank you for your response.
>
> 1. I am using OPNsense as a captive portal. I tested logging in using a
> test user with a 5 MB limit and used all of the limit, but it was not
> disconnected for about 30 mins or so.
> I can see the accounting is running but there is no action from radius to
> disconnect the user.
>
> (11) rest:--> {"username": "testvpn2", "password": "xx"}
> *...omitted...*
> (11) rest: Auth-Type := Accept
> (11) rest: Parsing attribute "Reply-Message"
> (11) rest: EXPAND Hello
> (11) rest:--> Hello
> (11) rest: Reply-Message = "Hello"
> (11) rest: Parsing attribute "ChilliSpot-Max-Total-Octets"
> (11) rest: EXPAND 500
> (11) rest:--> 500
> *(11) rest: ChilliSpot-Max-Total-Octets := 500 < 5 MB limit,*
>
> *I guess OPNsense does not understand this attribute.*
> *Does a captive portal normally understand this response attribute and
> honor it by disconnecting the user if the value is over?*
>
> *From openwisp doc as reference:*
>
> ChilliSpot-Max-Total-Octets *used by DailyTrafficCounter, it indicates
> the reply attribute which is returned to the NAS to indicate how much
> remaining traffic users which users having the default users radius group
> assigned can consume.*
> *It should be changed according to the NAS software in use, for example,
> if using PfSense, this setting should be set to pfSense-Max-Total-Octets.*
>
> (542)   User-Name = "testvpn2"
> (542)   Acct-Status-Type = Interim-Update
> (542)   Acct-Session-Id = "iKXzJgRnCQ2VAj/cCCGqFA=="
> (542)   Acct-Authentic = Local
> (542)   Acct-Session-Time = 2703
> (542)   Acct-Input-Octets = 271614862
> *(542)   Acct-Output-Octets = 86124311  counter is over * *500 but
> still connected and able to reach internet.*
> (542)   Framed-IP-Address = 10.1.1.2
>
> 2. Thank you for the links, I will check it out and play around with it.
> If all fails, I will definitely fallback and try to use freeradius without
> openwisp.
>
> Thanks!
>
> On Wednesday, July 19, 2023 at 8:53:33 PM UTC+7 f.capoano wrote:
>
>> Hi,
>>
>> 1. Whether the user is disconnected or not depends on the NAS and what
>> attribute it uses. What NAS are you using? Coova-chilli, pfSense, Hostapd
>> (WPA Enterprise) a PPPoE server, or what else?
>> What I have seen with popular open source captive portals is that users
>> are disconnected close to the limit but not at the exact limit.
>> CoA is a different concept, it is needed to propagate changes from the
>> central server to the NAS while the user is authenticated. Eg: the user has
>> upgraded its plan and now has different limits, without CoA the user will
>> need to log out and log in again, with CoA the NAS can update the
>> authorization details of the user while the session is still active. CoA
>> can also be used to de-authenticate the user from a central point, but it's
>> not the mechanism used to log out users who reached their limit.
>>
>> 2. Here's the counters code:
>>
>> https://github.com/openwisp/openwisp-radius/tree/master/openwisp_radius/counters
>> For example, the monthly traffic counter for postgresql:
>>
>> https://github.com/openwisp/openwisp-radius/blob/master/openwisp_radius/counters/postgresql/monthly_traffic_counter.py
>>
>> Now if you don't have any experience with code, this may be tricky. You
>> could also fallback to the sqlcounters module in freeradius and not do this
>> via OpenWISP, the catch is that freeradius has no concept of multi-tenancy,
>> that means you will only be allowed to set the limit once on the entire
>> instance and this will be enforced for all organizations.
>>
>> I hope this helps.
>> Federico
>>
>> On Wed, 19 Jul 2023 at 08:22, Mindf  wrote:
>>
>>> Hello,
>>>
>>> I have configured a captive portal with openwisp-radius (running on
>>> virtualenv locally) with free radius. I am able to use it to authenticate
>>> and accounting + basic function to create user through GUI, etc. also ok.
>>>
>>> I do have some questions below about the 'users' group
>>>
>>> The default group 'users' limits user sessions to 3 hours and
>>> 300 MB (reset daily)
>>>
>>> 1. I noticed that the user will not be disconnected immediately if the user
>>> breaches his daily data limit? I understand that radius needs to send a
>>> disconnect request (COA) to do this.
>>>
>>> Instead of disconnect request,  I have a specific command/script that I
>>> would like to run to disconnect the user from my NAS if users breach the
>>> limit. Where can I configure this?
>>>
>>> 2. I want to create a new group with a specific bandwidth 

Re: [openwisp] OpenWisp Radius Enforcing Session Limit

2023-07-20 Thread Mindf
Hi Federico,

Thank you for your response.

1. I am using OPNsense as a captive portal. I tested logging in using a test
user with a 5 MB limit and used all of the limit, but it was not disconnected
for about 30 mins or so.
I can see the accounting is running but there is no action from radius to
disconnect the user.

(11) rest:--> {"username": "testvpn2", "password": "xx"}
*...omitted...*
(11) rest: Auth-Type := Accept
(11) rest: Parsing attribute "Reply-Message"
(11) rest: EXPAND Hello
(11) rest:--> Hello
(11) rest: Reply-Message = "Hello"
(11) rest: Parsing attribute "ChilliSpot-Max-Total-Octets"
(11) rest: EXPAND 500
(11) rest:--> 500
*(11) rest: ChilliSpot-Max-Total-Octets := 500 < 5 MB limit,*

*I guess OPNsense does not understand this attribute.*
*Does a captive portal normally understand this response attribute and
honor it by disconnecting the user if the value is over?*

*From openwisp doc as reference:*

ChilliSpot-Max-Total-Octets *used by DailyTrafficCounter, it indicates the
reply attribute which is returned to the NAS to indicate how much remaining
traffic users which users having the default users radius group assigned
can consume.*
*It should be changed according to the NAS software in use, for example, if
using PfSense, this setting should be set to pfSense-Max-Total-Octets.*

(542)   User-Name = "testvpn2"
(542)   Acct-Status-Type = Interim-Update
(542)   Acct-Session-Id = "iKXzJgRnCQ2VAj/cCCGqFA=="
(542)   Acct-Authentic = Local
(542)   Acct-Session-Time = 2703
(542)   Acct-Input-Octets = 271614862
*(542)   Acct-Output-Octets = 86124311  counter is over * *500 but 
still connected and able to reach internet.*
(542)   Framed-IP-Address = 10.1.1.2

2. Thank you for the links, I will check it out and play around with it. If 
all fails, I will definitely fallback and try to use freeradius without 
openwisp.

Thanks!

On Wednesday, July 19, 2023 at 8:53:33 PM UTC+7 f.capoano wrote:

> Hi,
>
> 1. Whether the user is disconnected or not depends on the NAS and what 
> attribute it uses. What NAS are you using? Coova-chilli, pfSense, Hostapd
> (WPA Enterprise) a PPPoE server, or what else?
> What I have seen with popular open source captive portals is that users 
> are disconnected close to the limit but not at the exact limit.
> CoA is a different concept, it is needed to propagate changes from the 
> central server to the NAS while the user is authenticated. Eg: the user has 
> upgraded its plan and now has different limits, without CoA the user will 
> need to log out and log in again, with CoA the NAS can update the 
> authorization details of the user while the session is still active. CoA 
> can also be used to de-authenticate the user from a central point, but it's 
> not the mechanism used to log out users who reached their limit.
>
> 2. Here's the counters code:
>
> https://github.com/openwisp/openwisp-radius/tree/master/openwisp_radius/counters
> For example, the monthly traffic counter for postgresql:
>
> https://github.com/openwisp/openwisp-radius/blob/master/openwisp_radius/counters/postgresql/monthly_traffic_counter.py
>
> Now if you don't have any experience with code, this may be tricky. You 
> could also fallback to the sqlcounters module in freeradius and not do this 
> via OpenWISP, the catch is that freeradius has no concept of multi-tenancy, 
> that means you will only be allowed to set the limit once on the entire 
> instance and this will be enforced for all organizations.
>
> I hope this helps.
> Federico
>
> On Wed, 19 Jul 2023 at 08:22, Mindf  wrote:
>
>> Hello,
>>
>> I have configured a captive portal with openwisp-radius (running on 
>> virtualenv locally) with free radius. I am able to use it to authenticate 
>> and accounting + basic function to create user through GUI, etc. also ok.
>>
>> I do have some questions below about the 'users' group
>>
>> The default group 'users' limits user sessions to 3 hours and 300
>> MB (reset daily)
>>
>> 1. I noticed that the user will not be disconnected immediately if the user
>> breaches his daily data limit? I understand that radius needs to send a
>> disconnect request (COA) to do this.
>>
>> Instead of disconnect request,  I have a specific command/script that I 
>> would like to run to disconnect the user from my NAS if users breach the 
>> limit. Where can I configure this?
>>
>> 2. I want to create a new group with a specific bandwidth limit but it 
>> will not reset. 
>> I understand from the doc that the reset period 'never' is already 
>> available but it is suggested to subclass 
>> openwisp_radius.counters.base.BaseCounter,
>> and once the new class is ready, you will need to add it to 
>> OPENWISP_RADIUS_COUNTERS (
>> https://openwisp-radius.readthedocs.io/en/stable/user/enforcing_limits.html
>> )
>>
>> Is there any example that I can follow to do this? as I have limited 
>> django/python or in scripting background.
>>
>> Thanks!
>>

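A way to confirm from `freeradius -X` output that a NAS is ignoring the quota attribute, as an added example that is not part of the original thread or of OpenWISP's code: it pairs the limit returned in the Access-Accept with later accounting updates for the same user and reports sessions still active beyond the limit. The debug lines are constructed in the format shown above, reusing the octet counts from the post, and the request numbering is assumed to increase over time.

```python
import re
from collections import defaultdict

# Matches '(542)   Acct-Input-Octets = 271614862' and
# '(11) rest: ChilliSpot-Max-Total-Octets := 500'.
ATTR_RE = re.compile(
    r'^\((\d+)\)\s+(?:rest:\s+)?([A-Za-z][\w-]*)\s*:?=\s*"?([^"]*?)"?\s*$')


def parse_requests(debug_text):
    """Group attribute assignments by FreeRADIUS request number."""
    requests = defaultdict(dict)
    for line in debug_text.splitlines():
        match = ATTR_RE.match(line.strip())
        if match:
            req_id, name, value = match.groups()
            requests[int(req_id)][name] = value
    return requests


def total_octets(attrs):
    """Input + output octets, including the RFC 2869 gigaword (2**32) counters."""
    total = 0
    for direction in ("Input", "Output"):
        total += int(attrs.get("Acct-%s-Octets" % direction, 0))
        total += int(attrs.get("Acct-%s-Gigawords" % direction, 0)) << 32
    return total


def find_unenforced_quotas(debug_text, limit_attr="ChilliSpot-Max-Total-Octets"):
    """Report accounting updates from sessions that already exceed their limit."""
    limits, findings = {}, []
    for req_id, attrs in sorted(parse_requests(debug_text).items()):
        user = attrs.get("User-Name")
        if user is None:
            continue
        if limit_attr in attrs:                  # Access-Accept carrying the quota
            limits[user] = int(attrs[limit_attr])
            continue
        still_active = attrs.get("Acct-Status-Type") in ("Start", "Interim-Update")
        if still_active and user in limits:
            used = total_octets(attrs)
            if used > limits[user]:
                findings.append({"request": req_id, "user": user,
                                 "limit": limits[user], "used": used,
                                 "over_by": used - limits[user]})
    return findings


# Constructed sample modelled on the excerpts in the message above.
SAMPLE_DEBUG = '''
(11)   User-Name = "testvpn2"
(11) rest: Auth-Type := Accept
(11) rest: Parsing attribute "ChilliSpot-Max-Total-Octets"
(11) rest: EXPAND 500
(11) rest:--> 500
(11) rest: ChilliSpot-Max-Total-Octets := 500
(12)   User-Name = "guest2"
(12) rest: ChilliSpot-Max-Total-Octets := 5000000
(541)   User-Name = "guest2"
(541)   Acct-Status-Type = Interim-Update
(541)   Acct-Input-Octets = 1000
(541)   Acct-Output-Octets = 2000
(542)   User-Name = "testvpn2"
(542)   Acct-Status-Type = Interim-Update
(542)   Acct-Session-Id = "constructed-session-1"
(542)   Acct-Session-Time = 2703
(542)   Acct-Input-Octets = 271614862
(542)   Acct-Output-Octets = 86124311
'''

if __name__ == "__main__":
    for finding in find_unenforced_quotas(SAMPLE_DEBUG):
        print(finding)
```

Pass the attribute name your NAS expects as `limit_attr` after changing `OPENWISP_RADIUS_TRAFFIC_COUNTER_REPLY_NAME`, and rerun it on fresh debug output to see whether the finding disappears.
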
Re: [openwisp] OpenWisp Radius Enforcing Session Limit

2023-07-19 Thread Federico Capoano
Hi,

1. Whether the user is disconnected or not depends on the NAS and what
attribute it uses. What NAS are you using? Coova-chilli, pfSense, Hostapd
(WPA Enterprise) a PPPoE server, or what else?
What I have seen with popular open source captive portals is that users are
disconnected close to the limit but not at the exact limit.
CoA is a different concept, it is needed to propagate changes from the
central server to the NAS while the user is authenticated. Eg: the user has
upgraded its plan and now has different limits, without CoA the user will
need to log out and log in again, with CoA the NAS can update the
authorization details of the user while the session is still active. CoA
can also be used to de-authenticate the user from a central point, but it's
not the mechanism used to log out users who reached their limit.

2. Here's the counters code:
https://github.com/openwisp/openwisp-radius/tree/master/openwisp_radius/counters
For example, the monthly traffic counter for postgresql:
https://github.com/openwisp/openwisp-radius/blob/master/openwisp_radius/counters/postgresql/monthly_traffic_counter.py

Now if you don't have any experience with code, this may be tricky. You
could also fallback to the sqlcounters module in freeradius and not do this
via OpenWISP, the catch is that freeradius has no concept of multi-tenancy,
that means you will only be allowed to set the limit once on the entire
instance and this will be enforced for all organizations.

I hope this helps.
Federico

On Wed, 19 Jul 2023 at 08:22, Mindf  wrote:

> Hello,
>
> I have configured a captive portal with openwisp-radius (running on
> virtualenv locally) with free radius. I am able to use it to authenticate
> and accounting + basic function to create user through GUI, etc. also ok.
>
> I do have some questions below about the 'users' group
>
> The default group 'users' limits user sessions to 3 hours and 300
> MB (reset daily)
>
> 1. I noticed that the user will not be disconnected immediately if the user
> breaches his daily data limit? I understand that radius needs to send a
> disconnect request (COA) to do this.
>
> Instead of disconnect request,  I have a specific command/script that I
> would like to run to disconnect the user from my NAS if users breach the
> limit. Where can I configure this?
>
> 2. I want to create a new group with a specific bandwidth limit but it
> will not reset.
> I understand from the doc that the reset period 'never' is already
> available but it is suggested to subclass
> openwisp_radius.counters.base.BaseCounter,
> and once the new class is ready, you will need to add it to
> OPENWISP_RADIUS_COUNTERS (
> https://openwisp-radius.readthedocs.io/en/stable/user/enforcing_limits.html
> )
>
> Is there any example that I can follow to do this? as I have limited
> django/python or in scripting background.
>
> Thanks!
>

-- 
You received this message because you are subscribed to the Google Groups 
"OpenWISP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to openwisp+unsubscr...@googlegroups.com.
To view this discussion on the web, visit 
https://groups.google.com/d/msgid/openwisp/CAAGgX6LuAirCZuqAo5pZ5hFH4yy4x4aDbwxMwct5iE%3DF%3DhUNDQ%40mail.gmail.com.


Re: [openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token

2021-11-25 Thread Filip Waluda
Thanks for this - totally missed it when glancing over and comparing the 
configuration file. After removing the ampersand it started working 
immediately.

I am 90% sure that I've copied the line from one of the docs and exchanged 
the uuid and token, but couldn't find said doc just yet. I'll look through 
them when I have time later this week. I can create a pull request in case 
I find it if you wish.

On Tuesday, November 23, 2021 at 6:53:28 PM UTC+1 f.capoano wrote:

> First thing that comes to my eyes is the following:
>
> Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 
> 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
>
> Our docs say: 
> 
>
> Authorization: Bearer  
>
> In your case it seems to me that it's instead:
>
> Authorization: Bearer  & 
>
> Did you come up with your ampersand on your own or is it something you see 
> anywhere in the docs? If you see it anywhere please let me know so I can 
> fix it because it's not right.
>
> I think it should be:
>
> Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 
> 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd
>
> Ensure the token is the organization radius settings token and not the 
> openwisp controller shared secret, instructions on how to find these values 
> are described here:
>
> https://openwisp-radius.readthedocs.io/en/latest/user/api.html#organization-uuid-token
>
> I hope this helps.
>
> Best regards
> Federico Capoano
>
> On Tue, Nov 23, 2021 at 4:18 AM Filip Waluda  wrote:
>
>> As per Gitter, here is the part of freeradius -X output as well as the 
>> configuration files for the mods and sites:
>>
>> *freeradius -X:*
>>
>> (0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to 
>> 192.168.105.97:1812 length 79
>> (0)   Service-Type = Authenticate-Only
>> (0)   User-Name = "TestUser"
>> (0)   User-Password = "TestPassword123_"
>> (0)   NAS-Port-Type = Wireless-802.11
>> (0)   NAS-Identifier = "firewallH23"
>> (0)   NAS-Port = 0
>> (0)   NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}
>> (0) # Executing section authorize from file 
>> /etc/freeradius/3.0/sites-enabled/openwisp_site
>> (0)   authorize {
>> (0) update control {
>> (0)+= "Authorization: Bearer 
>> 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>> (0) } # update control = noop
>> rlm_rest (rest): Reserved connection (0)
>> (0) rest: Expanding URI components
>> (0) rest: EXPAND https://radius.domainplaceholder.de
>> (0) rest:--> https://radius.domainplaceholder.de
>> (0) rest: EXPAND /api/v1/freeradius/authorize/
>> (0) rest:--> /api/v1/freeradius/authorize/
>> (0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/authorize/"
>> (0) rest: EXPAND {"username": "%{User-Name}", "password": 
>> "%{User-Password}"}
>> (0) rest:--> {"username": "TestUser", "password": "TestPassword123_"}
>> (0) rest: Processing response header
>> (0) rest:   Status : 403 (Forbidden)
>> (0) rest:   Type   : json (application/json)
>> (0) rest: ERROR: Server returned:
>> (0) rest: ERROR: {"detail":"Token authentication failed"}
>> rlm_rest (rest): Released connection (0)
>> (0) [rest] = userlock
>> (0)   } # authorize = userlock
>> (0) Invalid user (rest: Server returned:): [TestUser] (from client 
>> firewallH23 port 0)
>> (0) Using Post-Auth-Type Reject
>> (0) # Executing group from file 
>> /etc/freeradius/3.0/sites-enabled/openwisp_site
>> (0)   Post-Auth-Type REJECT {
>> (0) update control {
>> (0)+= "Authorization: Bearer 
>> 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
>> (0) } # update control = noop
>> rlm_rest (rest): Reserved connection (1)
>> (0) rest: Expanding URI components
>> (0) rest: EXPAND https://radius.domainplaceholder.de
>> (0) rest:--> https://radius.domainplaceholder.de
>> (0) rest: EXPAND /api/v1/freeradius/postauth/
>> (0) rest:--> /api/v1/freeradius/postauth/
>> (0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/postauth/"
>> (0) rest: EXPAND {"username": "%{User-Name}", "password": 
>> "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id": 
>> "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}
>> (0) rest:--> {"username": "TestUser", "password": "TestPassword123_", 
>> "reply": "Access-Reject", "called_station_id": "", "calling_station_id": ""}
>> (0) rest: Processing response header
>> (0) rest:   Status : 403 (Forbidden)
>> (0) rest:   Type   : json (application/json)
>> (0) rest: ERROR: Server returned:
>> (0) rest: ERROR: {"detail":"Token authentication failed"}
>> rlm_rest (rest): Released connection (1)
>> (0) [rest] = invalid
>> (0)   } # Post-Auth-Type REJECT = invalid
>> (0) Delaying response for 1.00 seconds
>> Waking up in 0.1 seconds.
>> Waking up in 0.8 seconds.
>> (0) Sending delayed response
>> (0) Sent Access-Reject Id 203 from 192.168.105.97:1812 

Re: [openwisp] Openwisp-Radius logs 'Token authentication failed' with correct UUID + Token

2021-11-23 Thread Federico Capoano
First thing that comes to my eyes is the following:

Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 &
3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd

Our docs say:


Authorization: Bearer  

In your case it seems to me that it's instead:

Authorization: Bearer  & 

Did you come up with your ampersand on your own or is it something you see
anywhere in the docs? If you see it anywhere please let me know so I can
fix it because it's not right.

I think it should be:

Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1
3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd

Ensure the token is the organization radius settings token and not the
openwisp controller shared secret, instructions on how to find these values
are described here:
https://openwisp-radius.readthedocs.io/en/latest/user/api.html#organization-uuid-token

I hope this helps.

Best regards
Federico Capoano

On Tue, Nov 23, 2021 at 4:18 AM Filip Waluda  wrote:

> As per Gitter, here is the part of freeradius -X output as well as the
> configuration files for the mods and sites:
>
> *freeradius -X:*
>
> (0) Received Access-Request Id 203 from {PUBLIC-IP-OF-CLIENT}:50130 to
> 192.168.105.97:1812 length 79
> (0)   Service-Type = Authenticate-Only
> (0)   User-Name = "TestUser"
> (0)   User-Password = "TestPassword123_"
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   NAS-Identifier = "firewallH23"
> (0)   NAS-Port = 0
> (0)   NAS-IP-Address = {PUBLIC-IP-OF-CLIENT}
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/openwisp_site
> (0)   authorize {
> (0) update control {
> (0)+= "Authorization: Bearer
> 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
> (0) } # update control = noop
> rlm_rest (rest): Reserved connection (0)
> (0) rest: Expanding URI components
> (0) rest: EXPAND https://radius.domainplaceholder.de
> (0) rest:--> https://radius.domainplaceholder.de
> (0) rest: EXPAND /api/v1/freeradius/authorize/
> (0) rest:--> /api/v1/freeradius/authorize/
> (0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/authorize/"
> (0) rest: EXPAND {"username": "%{User-Name}", "password":
> "%{User-Password}"}
> (0) rest:--> {"username": "TestUser", "password": "TestPassword123_"}
> (0) rest: Processing response header
> (0) rest:   Status : 403 (Forbidden)
> (0) rest:   Type   : json (application/json)
> (0) rest: ERROR: Server returned:
> (0) rest: ERROR: {"detail":"Token authentication failed"}
> rlm_rest (rest): Released connection (0)
> (0) [rest] = userlock
> (0)   } # authorize = userlock
> (0) Invalid user (rest: Server returned:): [TestUser] (from client
> firewallH23 port 0)
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/openwisp_site
> (0)   Post-Auth-Type REJECT {
> (0) update control {
> (0)+= "Authorization: Bearer
> 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
> (0) } # update control = noop
> rlm_rest (rest): Reserved connection (1)
> (0) rest: Expanding URI components
> (0) rest: EXPAND https://radius.domainplaceholder.de
> (0) rest:--> https://radius.domainplaceholder.de
> (0) rest: EXPAND /api/v1/freeradius/postauth/
> (0) rest:--> /api/v1/freeradius/postauth/
> (0) rest: Sending HTTP POST to "https://radius.domainplaceholder.de/api/v1/freeradius/postauth/"
> (0) rest: EXPAND {"username": "%{User-Name}", "password":
> "%{User-Password}", "reply": "%{reply:Packet-Type}", "called_station_id":
> "%{Called-Station-ID}", "calling_station_id": "%{Calling-Station-ID}"}
> (0) rest:--> {"username": "TestUser", "password": "TestPassword123_",
> "reply": "Access-Reject", "called_station_id": "", "calling_station_id": ""}
> (0) rest: Processing response header
> (0) rest:   Status : 403 (Forbidden)
> (0) rest:   Type   : json (application/json)
> (0) rest: ERROR: Server returned:
> (0) rest: ERROR: {"detail":"Token authentication failed"}
> rlm_rest (rest): Released connection (1)
> (0) [rest] = invalid
> (0)   } # Post-Auth-Type REJECT = invalid
> (0) Delaying response for 1.00 seconds
> Waking up in 0.1 seconds.
> Waking up in 0.8 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 203 from 192.168.105.97:1812 to
> {PUBLIC-IP-OF-CLIENT}:50130 length 20
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 203 with timestamp +48
> Ready to process requests
>
> *mods-enabled\rest:*
>
> rest {
> tls = {}
> connect_uri = "https://radius.domainplaceholder.de/api/v1/freeradius"
>
> authorize {
> uri = "${..connect_uri}/authorize/"
> method = 'post'
> body = 'json'
> data = '{"username": "%{User-Name}", "password":
> "%{User-Password}"}'
> tls = ${..tls}
> }
>
> # this section can be left empty
> authenticate {}
>
> post-auth {
> uri = 
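
The header check from the reply above, as an added example that is not part of the original thread or of OpenWISP's code: it scans `freeradius -X` output for `Authorization` headers, flags any value that is not `Bearer`, an organization UUID and a token separated only by whitespace, and masks the token in its report. The function names and the rule that both fields contain only letters, digits and hyphens are assumptions of this example; the sample lines reuse the values posted in the thread with mail wrapping undone, plus two constructed variants.

```python
import re

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
FIELD_RE = re.compile(r"[A-Za-z0-9-]+")  # assumed character set for UUID and token
HEADER_RE = re.compile(r'Authorization:\s*([^"\r\n]*)')

# Sample input: line 2 is the header from the thread's debug output (unwrapped);
# lines 4 and 5 are constructed variants (corrected form, and token only).
SAMPLE_LOG = """\
(0) update control {
(0)+= "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 & 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
(0) } # update control = noop
(0)+= "Authorization: Bearer 2463f97d-bd0e-4c29-9ccc-f845c96571d1 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
(0)+= "Authorization: Bearer 3IqS4FcoXeBsMwCWFrcVdpWAc9et6FSd"
"""


def check_header_value(value):
    """Return the problems found in one Authorization header value."""
    parts = value.split()
    if not parts or parts[0] != "Bearer":
        return ["scheme is not 'Bearer'"]
    fields, problems = parts[1:], []
    if len(fields) != 2:
        problems.append(f"expected 2 fields after 'Bearer', found {len(fields)}")
    for field in fields:
        if not FIELD_RE.fullmatch(field):
            problems.append(f"unexpected separator {field!r}")
    if fields and not UUID_RE.fullmatch(fields[0]):
        problems.append("first field is not a UUID")
    return problems


def redact(value):
    """Mask long non-UUID fields so a report does not repeat the token."""
    return " ".join(
        p if p == "Bearer" or UUID_RE.fullmatch(p) or len(p) < 8 else p[:4] + "***"
        for p in value.split()
    )


def scan(log_text):
    """Return (line_no, redacted_value, problems) for every header in the log."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = HEADER_RE.search(line)
        if match:
            value = match.group(1).strip()
            findings.append((line_no, redact(value), check_header_value(value)))
    return findings


if __name__ == "__main__":
    for line_no, value, problems in scan(SAMPLE_LOG):
        print(line_no, value, "OK" if not problems else "; ".join(problems))
```
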

Re: [openwisp] openwisp-radius - No "/admin" URL available after installation

2021-01-22 Thread Federico Capoano
Hi Marco,

ensure this line is present in your root url conf:
https://github.com/openwisp/openwisp-radius/blob/master/tests/openwisp2/urls.py#L25

Best regards
Federico

On Fri, Jan 22, 2021 at 6:01 PM Marco Tosato  wrote:

>
> Hello everyone!
>
> I'm facing a problem with the openwisp-radius module. I'm trying to install
> openwisp-radius as a stand-alone module to get a Web UI to manage a
> Freeradius 3 installation.
>
> I followed the installation guide
> https://openwisp-radius.readthedocs.io/en/latest/developer/setup.html
>
> I took the following steps:
> 1) installed openwisp-radius via pip in a python 3 virtualenv
> 2) created the Django project
> 3) configured settings.py and urls.py as per the guide
> 4) started the dev server
>
> When I connect to the server (http://localhost:8000/admin) I get the
> following error:
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Page not found (404)
> Request Method: GET
> Request URL: http://localhost:1208/
>
> Using the URLconf defined in radius.urls, Django tried these URL
> patterns, in this order:
>
>1. accounts/
>2. api/v1/
>3. radiusbatch/csv/ [name='serve_private_file']
>
> The empty path didn't match any of these.
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Seems the /admin path is missing in the URLs config ...I can't figure out
> what I'm doing wrong.
>
> Do I need to install something else to get the Web UI?
>
> Can someone give me a hint on what I'm doing wrong?
>
>
> Thanks a lot to everyone!!
>