Just fixed this on my system, added this line in the radius user and it worked great.

WISPr-Bandwidth-Max-Up = 256,WISPr-Bandwidth-Max-Down = 512

I looked at the software and it appears that it is Windows-based.  Why would you use TekRADIUS instead of the built-in IAS/NPS?  Especially when it looks like the TekRADIUS software isn't being updated and is more difficult to set up.

What DNS server is being used by the clients?

It should be using 192.168.1.1 as its DNS server. If you are using an external DNS server supplied directly to clients, you will need to add an IP bypass to the portal config for the DNS server IPs, or else the clients can't resolve DNS, which means they can't ever try to make the connection, let alone redirect.

That may not be your issue, but it's one of the most common.

@jttodorov:

WAN 62.xx.xx.xx
room subnet 172.xx.xx.xx
addtional anthenas 192.xx.xx.xx
172.xx.xx.xx uses WAN 62.xx.xx.xx without authentication
192.xx.xx.xx anthena users need authentication for internet through 62.xx.xx.xx

How can I get the two subnets (172.xx.xx.xx and 192.xx.xx.xx) working?
I think that can be managed through the firewall rules for PPTP VPN.
Thank you in advance.

Hi,
Tu use CP on more than one interface you must go to PFS2.0.
If I have get you idea correctly you wish to connect AP's this which are connected on 62.x.x.x by using PPTP to inside net, then use CP to control traffic from them.
It will be much better if you create VLAN's, then put those AP's together on same (or different VLAN's to distinguish between AP for students and those for stuff) VLAN. PFS will be then between WAN and VLAN's inside campus.
Each VLAN can have then different set of rules (firewall) and you can choose in what way will CP work on them.

I hope that this is good explanation.

Br

Sasa

Only 2.0 can do that for you.

Services –> captive portal --> "allowed ip addresses"

Thanks

@dclemens:

I'd rather go with pfSense, but I need the option to limit the volume we allow each user to use on a daily basis. And I understood from a previous reply that this is not easily doable in PFS. Maybe you could comment further on this?

Cheers

Using FreeRadius as AAA solution with PFS can help you to achieve that. Yes, I know that it is not easy but there is "small" application (dial-up admin) added to FreeRadius which can be used to do what you need but you must to put some effort to get that running as you need.

It is true that you need to know some scripting/programming and SQL to set/fix some things (not in PFS) but it is FREE. If your budget is not tight or not-existent go for other solutions. Well, if you are a good programmer you can write your on application behind FreeRadius, PFS have all what you need.

That's only my opinion and some other people will say differently or disagree with me but … it is up to you.

Regards

@illamas:

I've got RADIUS working with CA to another box, I also want to use local accounts for guest users (to have expatriation dates and such) I have searched but don't seem to find a solution. Anyone have an idea?

You can use database behind radius and then re-authenticate user in some period predefined on CP. You will need to write some business logic for that to work. I think that there is some example in free-radius (application dial-up_admin) how to do that.

Possibly cisco controller is using a tunnel between controller and access point so that it can enforce policies to the users who connect to wireless AP. Use the spare interface which u have on pfsense to connect to Cisco controller and see that the whatever IP you are assigning to that PFsense spare Interface will be the default gateway for cisco controller. Enable captive portal on that spare interface. In captive portal allow requests to dns server ip without authentication. and disable all the captive portal authentication on cisco controller and keep it as open SSID without authentication or use a simple wep key so that u can provide basic authentication for wireless Access. Enable DHCP on pfsense Spare Interface. things should work fine for you.

:)

Thank you for your reply. We will try it out once stable version of 2.0 release.

@SiY11:

You could turn off hard and idle timeouts in the CP so they only need to login once, the problem with this is if they use a different network card/computer they must login again.

Ok, this solution sounds good. I think, that ought to work. I'll try this. :)

Thx!

Edit:
hm,
ok I tried … next problem ... each user can now access the internet from this pc. I thought only the user, who was logged in, can access without a new login.