Netgate Discussion Forum

    Enabling MIM causes Authentication Error for voucher based logins in Captive Portal

      EDaleH @stephenw10

      @stephenw10 -
      I am not sure what you refer to as radius accounting mods but we do use mods for captive portal (all in captiveportal.inc) that include freeRadius authentication and the re-authenticate every minute override to use the accounting interval instead (10 minutes). It is easy to cease to use them, simply put the original captiveportal.inc that came with 24.11 Beta back and reboot.

      All of my testing has been done with the original captiveportal.inc that shipped with 24.11 Beta except for a couple of times where I put the modified captiveportal.inc in to see if anything changed. It did not make any difference.

      All of the captive portal pages are also customized for login, error and logout. We use logout as an information dashboard that shows remaining time and data for that account i.e. the venue URL for RFC8910, DHCP Option 114. During my testing, I set the test portal back to the defaults for the full set of login, error, and logout as well. In every case it made no difference.

      It will be very difficult to isolate this but now that I know the MIM controller doesn't have to be set up first, just turned on, I will toggle it on and off regularly and hopefully get more info for you.

        stephenw10 Netgate Administrator

        Ok, we will continue trying to replicate it here. Let us know if you manage to narrow it down any further.

          EDaleH @stephenw10

          @stephenw10
          One thing that was interesting, I switched the authentication server from freeRadius to Local user and the error changed from unable to reach ... to invalid. That setting should not matter for vouchers and although the error changed, the symptoms remained identical.

            stephenw10 Netgate Administrator

            Mmm, initially it 'felt' to me like it's somehow treating the vouchers as a remote auth server. Hard to see how enabling MIM could make any difference though... 🤔

              EDaleH @stephenw10

              @stephenw10
              Agreed, especially given the bare system controller test did not display the same symptoms. I have now rebuilt and reproduced the symptoms 4 times. I have a 4 Vlan Captive Portal installation at another site that I can throw onto the lab machine and do the same test. I will try to do that today. That setup has no customization.

                rlinnemann Netgate Developer @EDaleH

                @EDaleH do you need to have multiple VLANs with CPs or can you reproduce this with a single VLAN with a CP?

                  stephenw10 Netgate Administrator

                  Mmm also when you hit this does it fail in the same way for all CP instances?

                    EDaleH @rlinnemann

                    @rlinnemann said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                    can you reproduce this with a single VLAN with a CP?

                    @stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                    does it fail in the same way for all CP instances

                    OK, on the 8 CP system restore to lab server test, so far it is the only setup that is failing consistently. Both Local Users and vouchers fail on all Captive Portals that are configured for vouchers. FreeRadius authenticated CPs continue to work fine. I have eliminated the SSL certificate (https vs http), removed my custom CP code, reset CP login/error/logout code to defaults and the issue with failed authentication did not change. It fails on all voucher enabled CPs when MIM is enabled and works fine when it is disabled. Unfortunately I don't have a CP on that system that is just Local user authentication but I will try to isolate that when I get a chance.

                    I have been unable to reproduce the problem with a new install with single CP and I just bench tested a different site restore that had 4 CPs and VLans, it worked fine too.

                    I am running out of corners to look in but I will give more thought to what is different between my two restored site tests as they are reasonably similar.

                      stephenw10 Netgate Administrator

                      Ah OK. Well the fact it only fails on systems with multiple CPs seems like a good clue. 🤔

                        EDaleH @stephenw10

                        @stephenw10

                        @stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                        Ah OK. Well the fact it only fails on systems with multiple CPs seems like a good clue

                        Perhaps but the clue that worked for me was that the 4 portal restore test that worked fine was on a Plus 24.03 and the 8 portal restore that was causing all the trouble was on a CE 2.7.2 system. So.... I rebuilt the 8 portal lab test and instead of installing 24.11 Beta directly, I installed 24.03, restored the CE 2.7.2 8 portal backup onto it, tested it, then upgraded to 24.11 Beta and it worked just fine, no authentication errors.

                        Now I was happy but wanted to be sure I found a way to reproduce it as this was a brand new backup of that 8 portal production system. So... I did a fresh install of 24.11 Beta and restored the identical backup onto it and tested it. Voila!, authentication errors when MIM is enabled.

                        So Advice to everyone, go through 24.03 before you go to 24.11 Beta.

                        For you Stephen, the cause is hiding in the restore of the config file from a 2.7.2 directly to a 24.11 beta. I guess you can solve it with the traditional slap on the hand and a firm "so, don't do that"?

                          rlinnemann Netgate Developer @EDaleH

                          @EDaleH I'm glad it sounds like you've worked around it, but my spidey sense is still tingling here. Can you supply a redacted as necessary config that creates the problem on restore?

                            stephenw10 Netgate Administrator

                            Just to confirm when you restored the config into 24.11 was that the full config via the webgui? In other words was the config upgrade script run against it?

                              EDaleH @stephenw10

                              @stephenw10

                              @stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                              Just to confirm when you restored the config into 24.11 was that the full config via the webgui? In other words was the config upgrade script run against it?

                              The interfaces match on the production and lab units so it is a simple webgui restore that runs without any further intervention and provides a working unit (gateway for Wan has to be changed, which is simple to edit in the config file first, that's it).

                              To be honest, I don't know what you are referring to as an upgrade script. If that provides an output log, it would be excellent to run it and look over what it changes, not to mention if it fixes the symptoms.

                              This afternoon I built a 2.7.2 single portal and restored it to a 24.11 directly and did not reproduce the problem. Time permitting, I will make the installation multi-portal and try again.

                                stephenw10 Netgate Administrator

                                If you import a config that has an older config version than whatever is current for the pfSense version it gets run through a script to upgrade it to current. That includes code for each config version step.

                                However the config version is only held in the main <system> section of the config. If you import the full config file the version is seen and any required upgrades are run. But if you import only some section of the config (other than system) the version is unknown and no upgrades are run. That can result in an invalid config.

                                The fact it worked for you importing into 24.03 first hints at a config version problem because it has the same config version as 2.7.2.
                                https://docs.netgate.com/pfsense/en/latest/releases/versions.html

                                24.11 actually uses 23.6.
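
A pre-restore check for the import behaviour described in the post above, as an added example that is not part of the original thread and is not pfSense code: it reports whether a backup file carries a config version and whether upgrade steps would be expected for a target version. The sample XML is constructed, and the function names, the `<version>` element locations checked, and the numeric comparison of versions are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not taken from any real system.
FULL_BACKUP = """<?xml version="1.0"?>
<pfsense>
  <version>23.3</version>
  <system><hostname>lab</hostname></system>
  <captiveportal><zone1/><zone2/></captiveportal>
</pfsense>"""

SECTION_ONLY = """<?xml version="1.0"?>
<captiveportal><zone1/><zone2/></captiveportal>"""


def parse_version(text):
    """Turn '23.6' into (23, 6) so versions compare numerically (assumed scheme)."""
    return tuple(int(part) for part in text.strip().split("."))


def find_config_version(xml_text):
    """Return the config version string, or None when the file carries none.

    Assumption: the version is a <version> element directly under the
    document root or under <system>; both locations are checked.
    """
    root = ET.fromstring(xml_text)
    for path in ("version", "system/version"):
        node = root.find(path)
        if node is not None and node.text and node.text.strip():
            return node.text.strip()
    return None


def restore_plan(xml_text, target_version):
    """Describe what an import into a system at target_version should do."""
    found = find_config_version(xml_text)
    if found is None:
        # Partial (section-only) export: nothing to compare against.
        return "version unknown: no upgrade steps would run; review the section by hand"
    have, want = parse_version(found), parse_version(target_version)
    if have < want:
        return f"upgrade expected: {found} -> {target_version}"
    if have == want:
        return f"no upgrade needed: already {found}"
    return f"backup is newer ({found}) than target ({target_version})"


if __name__ == "__main__":
    for name, sample in (("full", FULL_BACKUP), ("section", SECTION_ONLY)):
        print(name, "->", restore_plan(sample, "23.6"))
```
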

                                  EDaleH @stephenw10

                                  @rlinnemann said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                                  glad it sounds like you've worked around it, but my spidey sense is still tingling here.

                                  Having identified a config version as the cause is the conclusion from my perspective.

                                  @stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                                  24.11 actually uses 23.6.

                                  The chart says config ver 23.3 for Plus 24.11 but I am quite satisfied that all restores to 24.11 must be done by restoring from or through (if it is CE 2.7.2) Plus 24.03.

                                  Attempting to answer your questions is what led to the final diagnosis here, it is comforting to know that existing installations have an upgrade path that includes MIM.

                                    stephenw10 Netgate Administrator @EDaleH

                                    @EDaleH said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                                    The chart says config ver 23.3 for Plus 24.11

                                    Yeah that page needs to be updated when 24.11 is released but currently it's using 23.6.

                                    So it could be failing to upgrade the config at import....🤔

                                      stephenw10 Netgate Administrator

                                      Doesn't look like it is though. The search continues...

                                        EDaleH @stephenw10

                                        @stephenw10

                                        @stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                                        Doesn't look like it is though. The search continues...

                                        Well, your search may continue for the "fix" but the cause is clearly identified.

                                        This morning I built a 24.03, restored the CE 2.7.2 backup onto it, tested it worked and then Backed it UP. I then upgraded it to 24.11 Beta and it does not display the authentication error when MIM is turned on.

                                        Next, I built a new 24.11 Beta and restored that 24.03 backup onto it and voila! the authentication error is there every time you turn MIM on. Conclusive proof that the only way to get a stable 24.11 Beta in my case is to go through 24.03 and do a GUI upgrade.

                                          stephenw10 Netgate Administrator

                                          Right which really seems like a config upgrade issue at restore. It's not doing something that is done at system upgrade.

                                          But it's more complex than that because I tried exactly that with a basic config and it still worked fine.

                                            EDaleH @stephenw10

                                            @stephenw10

                                            @stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

                                            But it's more complex than that because I tried exactly that with a basic config and it still worked fine.

                                            I have been unable to duplicate it with a fresh install either. This install is as complex as it gets for me and runs flawlessly. I am just trying to ensure it continues to do so under 24.11, Kea and MIM. Lots of lab testing left!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.