Open iesreza opened 4 weeks ago
Hi @iesreza, next time please open individual tickets if possible.
- If you are using one of the latest dev versions (Sept builds are ok) you can find a preference that allows you to set the cache duration for MAC addresses. As you can see it is honoured in the picture
- In radius messages the username is not the pool name. Please explain
- With /lua/rest/v2/set/pool/members.lua you trigger the radius start (connectivity = start) and stop (connectivity = reject). Changing a pool does not affect radius as they are two unrelated things. If this is what you need a start/reject message is required
Hi @lucaderi, regarding the above:
1- About cache settings, we have applied 1 hour cache for Local Host Idle Timeout and Local Hosts Cache Duration, Active Local Hosts Cache and Mac Address Cache Duration, and still after 30 minutes we face disconnection in case the device does not do traffic.
2- It was my mistake in explanation, you are right. However, in case of a logged in user, instead of receiving the username inside the Interim Update message, we receive captivepass as I explained above. Note the user is already authenticated via the following API:
```go
data := map[string]interface{}{
	"associations": map[string]interface{}{
		lease.MacAddress: map[string]interface{}{
			"group":        pool,
			"connectivity": "pass",
			"username":     username,
			"password":     password,
		},
	},
}
resp, err := curl.Post(
	settings.NTOPNG.BasePath+"/lua/rest/v2/set/pool/members.lua",
	curl.BodyJSON(data),
	curl.BasicAuth{
		Username: settings.NTOPNG.Username,
		Password: settings.NTOPNG.Password,
	},
)
```
3- About the third request, I try to explain the case: Rarely, it is possible through the dashboard that the group of a user gets changed to captivepass. In this case the user will lose connectivity and we have no way to track and sync between radius and ntopng. So one solution could be having an accounting or CoA message in case of a change in group, so we can align both radius and ntopng. However, at the moment we achieved the same result by periodically prompting host info.
As of 1. Can you please check if the MAC address corresponding to the host is still in ntopng's memory?
With the latest version of ntop, we are currently testing the disconnect issue. Since reproducing the problem and completing the test takes some time, we can skip disconnect issue for now. If the issue persists, I will open a separate ticket.
Regarding the incorrect username in the interim update, I have attached the request to nedge along with another example of an Interim Update.
Assign user to group:
```
POST /lua/rest/v2/set/pool/members.lua HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Go-http-client/1.1
Content-Length: 136
Authorization: Basic YWRtaW46aWVzaXRhbGlhMjAyMA==
Content-Type: application/json; charset=UTF-8
Cookie: session_3000_0=; session_3000_0=
Accept-Encoding: gzip

{"associations":{"0E:F5:5F:BC:96:A1":{"connectivity":"pass","group":"gnvstarplus","password":"924202105446","username":"924202105446"}}}
=================================
HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Methods: GET, POST, HEAD
Access-Control-Allow-Origin: *
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json
Last-Modified: Fri, 09 September 2024 12:38:16 GMT
Pragma: no-cache
Server: ntopng 6.3.240904 [Ubuntu 20.04.6 LTS [x86_64]]
Set-Cookie: tzname=CET; path=/ HttpOnly; SameSite=lax
Set-Cookie: session_3000_0=; max-age=3600; path=/; HttpOnly; SameSite=lax
Set-Cookie: timezone=-3600; path=/ HttpOnly; SameSite=lax
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

{"rsp":{"associations":{"0E:F5:5F:BC:96:A1":{"password":"924202105446","status":"OK","connectivity":"pass","group":"gnvstarplus","username":"924202105446"}}},"rc_str":"OK","rc":0,"rc_str_hr":"Success"}
```
Interim Update Packet:
Interim update: Username:captivepass MAC:0E:F5:5F:BC:96:A1 IP:10.1.0.50 Input:268 Output:126 SessionTime:22
041d00908f1b296e5bf4abd271499bb2eea5b6d9280600000003010d63617074697665706173732c1432353334383038353131333136383436383008060a0100321f1330453a46353a35463a42433a39363a413157066e663a30050600000000370666f6a74e2f06000001a93006000001ff2a060000010c2b060000007e2e060000001629060000000004067f000001
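Added example (not code from this thread or from ntopng): a small Go decoder for the Interim-Update bytes posted above, so a RADIUS proxy can check on the wire whether User-Name matches the username it assigned to that MAC. The function names and the `assigned` map are hypothetical; attribute numbers are from RFC 2865 and RFC 2866.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Interim-Update packet bytes exactly as posted in the thread.
const interimHex = "041d00908f1b296e5bf4abd271499bb2eea5b6d9280600000003010d63617074697665706173732c1432353334383038353131333136383436383008060a0100321f1330453a46353a35463a42433a39363a413157066e663a30050600000000370666f6a74e2f06000001a93006000001ff2a060000010c2b060000007e2e060000001629060000000004067f000001"

// parseAttrs decodes a hex Accounting-Request (code 4) and walks the attribute
// TLVs after the 20-byte header; a repeated type keeps the last value.
func parseAttrs(h string) (map[byte][]byte, error) {
	pkt, err := hex.DecodeString(h)
	if err != nil || len(pkt) < 20 {
		return nil, errors.New("not hex or shorter than the 20-byte header")
	}
	total := int(binary.BigEndian.Uint16(pkt[2:4]))
	if pkt[0] != 4 || total < 20 || total > len(pkt) {
		return nil, errors.New("not an Accounting-Request or bad length field")
	}
	attrs := map[byte][]byte{}
	for off := 20; off < total; {
		if off+2 > total || pkt[off+1] < 2 || off+int(pkt[off+1]) > total {
			return nil, errors.New("malformed attribute")
		}
		attrs[pkt[off]] = pkt[off+2 : off+int(pkt[off+1])]
		off += int(pkt[off+1])
	}
	return attrs, nil
}

// Mismatch returns the User-Name (1) and whether an Interim-Update (Acct-Status-Type
// 40 = 3) carries a name other than the one assigned to its Calling-Station-Id (31).
func Mismatch(h string, assigned map[string]string) (string, bool, error) {
	a, err := parseAttrs(h)
	if err != nil {
		return "", false, err
	}
	want, known := assigned[string(a[31])]
	interim := len(a[40]) == 4 && binary.BigEndian.Uint32(a[40]) == 3
	return string(a[1]), interim && known && string(a[1]) != want, nil
}

func main() {
	// Hypothetical proxy-side record of the username set via members.lua.
	fmt.Println(Mismatch(interimHex, map[string]string{"0E:F5:5F:BC:96:A1": "924202105446"}))
}
```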
Hi @iesreza it looks like the group and the username are swapped in the interim update. We have just checked the code and we didn't find a swap between the two.
We have made some tests as follows
```bash
curl -u admin:admin1 -H "Content-Type: application/json" -d '{"associations": {"AC:1F:6B:AD:6A:2D" : {"group" : "captivepass", "connectivity" : "pass", "username" : "904945985341", "password" : "9049459 85341"}}}' http://192.168.2.225:3000/lua/rest/v2/set/pool/members.lua
curl -u admin:admin1 -H "Content-Type: application/json" -d '{"associations": {"B8:27:EB:4D:44:C8" : {"group" : "captivepass", "connectivity" : "pass", "username" : "904945985341", "password" : "904945985341"}}}' http://192.168.2.225:3000/lua/rest/v2/set/pool/members.lua
```
And data seems to be correct
As you are calling members.lua we would like you to double-check from your end if the parameters are correct and the data in redis is written properly as shown above. Can you please do this and report?
The issue seems fixed as of now.
Environment:
What happened: We noticed several issues with NTOPNG integration with RADIUS.
1- NTOPNG disconnects the users and changes the group into captivepass after about 30 minutes of inactivity. This behaviour happens when the user is still present on the network but does not do any internet traffic. We already asked to remove auto disconnect in #8728.
2- We have introduced a radius proxy to fill the consumption tracking gap regarding #8706, and during integration we have noticed NTOPNG reports the wrong pool (group) for some devices while doing Interim Update on radius. In the provided example the user pool is gnvcrewstar while in the packet as provided it is marked as captivepass.
MAC stats API response:
Radius Received Packet:
3- Changing the pool (group) from dashboard does not trigger any RADIUS accounting request.