Enabling MIM causes Authentication Error for voucher based logins in Captive Portal
-
@stephenw10 -
I am not sure what you refer to as radius accounting mods but we do use mods for captive portal (all in captiveportal.inc) that include freeRadius authentication and the re-authenticate every minute override to use the accounting interval instead (10 minutes). It is easy to cease to use them, simply put the original captiveportal.inc that came with 24.11 Beta back and reboot.All of my testing has been done with the original captiveportal.inc that shipped with 24.11 Beta except for a couple of times where I put the modified captiveportal.inc in to see if anything changed. It did not make any difference.
All of the captive portal pages are also customized for login, error and logout. We use logout as an information dashboard that shows remaining time and data for that account i.e. the venue url for RFC8910, DHCP Option 114.. During my testing, I set the test portal back to the defaults for the full set of login, error, and logout as well. In every case it made no difference.
It will be very difficult to isolate this but now that I know the MIM controller doesn't have to be setup first, just turned on, I will toggle it on and off regularly and hopefully get more info for you.
-
Ok, we will continue trying to replicate it here. Let us know if you manage to narrow it down any further.
-
@stephenw10
One thing that was interesting, I switched the authentication server from freeRadius to Local user and the error changed from unable to reach ... to invalid. That setting should not matter for vouchers and although the error changed, the symptoms remained identical. -
Mmm, initially it 'felt' to me like it's somehow treating the vouchers as a remote auth server. Hard to see how enabling MIM could make any difference though...
-
@stephenw10
Agreed, especially given the bare system controller test did not display the same symptoms. I have now rebuilt and reproduced the symptoms 4 times. I have a 4 Vlan Captive Portal installation at another site that I can throw onto the lab machine and do the same test. I will try to do that today. That setup has no customization. -
@EDaleH do you need to have multiple VLANs with CPs or can you reproduce this with a singe VLAN with a CP?
-
Mmm also when you hit this does it fail in the same way for all CP instances?
-
@rlinnemann said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
can you reproduce this with a singe VLAN with a CP?
@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
does it fail in the same way for all CP instances
OK, on the 8 CP system restore to lab server test, so far it is the only setup that is failing consistently. Both Local Users and vouchers fail on all Captive Portals that are configured for vouchers. FreeRadius authenticated CPs continue to work fine. I have eliminated the SSL certificate (https vrs http), removed my custom CP code, reset CP login/error/logout code to defaults and the issue with failed authentication did not change. It fails on all voucher enabled CPs when MIM is enabled and works fine when it is disabled. Unfortunately I don't have a CP on that system that is just Local user authentication but I will try to isolate that when I get a chance.
I have been unable to reproduce the problem with a new install with single CP and I just bench tested a different site restore that had 4 CPs and VLans, it worked fine too.
I am running out of corners to look in but I will give more thought to what is different between my two restored site tests as they are reasonably similar.
-
Ah OK. Well the fact it only fails on systems with multiple CPs seems like a good clue.
-
@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
Ah OK. Well the fact it only fails on systems with multiple CPs seems like a good clue
Perhaps but the clue that worked for me was that the 4 portal restore test that worked fine was on a Plus 24.03 and the 8 portal restore that was causing all the trouble was on a CE 2.7.2 system. So.... I rebuilt the 8 portal lab test and instead of installing 24.11 Beta directly, I installed 24.03, restored the CE 2.7.2 8 portal backup onto it, tested it, then upgraded to 24.11 Beta and it worked just fine, no authentication errors.
Now I was happy but wanted to be sure I found a way to reproduce it as this was a brand new backup of that 8 portal production system. So... I did a fresh install of 24.11 Beta and restored the identical backup onto it and tested it. Voila!, authentication errors when MIM is enabled.
So Advice to everyone, go through 24.03 before you go to 24.11 Beta.
For you Stephen, the cause is hiding in the restore of the config file from a 2.7.2 directly to a 24.11 beta. I guess you can solve it with the traditional slap on the hand and a firm "so, don't do that"?
-
@EDaleH I'm glad it sounds like you've worked around it, but my spidey sense is still tingling here. Can you supply a redacted as necessary config that creates the problem on restore?
-
Just to confirm when you restored the config into 24.11 was that the full config via the webgui? In other words was the config upgrade script run against it?
-
@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
ust to confirm when you restored the config into 24.11 was that the full config via the webgui? In other words was the config upgrade script run against it?
The interfaces match on the production and lab units so it is a simple webgui restore that runs without any further intervention and provides a working unit (gateway for Wan has to be changed, which is simple to edit in the config file first, that's it).
To be honest, I don't know what you are referring to as an upgrade script. If that provides an output log, it would be excellent to run it and look over what it changes, not to mention if it fixes the symptoms.
This afternoon I built a 2.7.2 single portal and restored it to a 24.11 directly and did not reproduce the problem. Time permitting, I will make the installation multi-portal and try again.
-
If you import a config that has an older config version that whatever is current for the pfSense version it gets run through a script to upgrade it to current. That includes code for each config version step.
However the config version is only help in the main <system> section of the config. If you import the full config file the version is seen and any required upgrades are run. But if you import only some section of the config (other than system) the version is unknown and no upgrades are run. That can result in an invalid config.
The fact it worked for you importing into 24.03 first hints at a config version problem because it has the same config version as 2.7.2.
https://docs.netgate.com/pfsense/en/latest/releases/versions.html24.11 actually uses 23.6.
-
@rlinnemann said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
glad it sounds like you've worked around it, but my spidey sense is still tingling here.
Having identified a config version as the cause is the conclusion from my perspective.
@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
24.11 actually uses 23.6.
The chart says config ver 23.3 for Plus 24.11 but I am quite satisfied that all restores to 24.11 must be done by restoring from or through (if it is CE 2.7.2) Plus 24.03.
Attempting to answer your questions is what lead to the final diagnosis here, it is comforting to know that existing installations have an upgrade path that includes MIM.
-
@EDaleH said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
The chart says config ver 23.3 for Plus 24.11
Yeah that page needs to be updated when 24.11 is released but currently it's using 23.6.
So it could be failing to upgrade the config at import....
-
Doesn't look like is it though. The search continues...
-
@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
doesn't look like is it though. The search continues...
Well, your search may continue for the "fix" but the cause is clearly identified.
This morning I built a 24.03, restored the CE 2.7.2 backup onto it, tested it worked and then Backed it UP. I then upgraded it to 24.11 Beta and it does not display the authentication error when MIM is turned on.
Next, I built a new 24.11 Beta and restored that 24.03 backup onto it and voila! the authentication error is there every time you turn MIM on. Conclusive proof that the only way to get a stable 24.11 Beta in my case is to go through 24.03 and do a GUI upgrade.
-
Right which really seems like config upgrade issue at restore. It's not doing something that is done at system upgrade.
But it's more complex than that because I tried exactly that with a basic config and it still worked fine.
-
@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:
But it's more complex than that because I tried exactly that with a basic config and it still worked fine.
I have been unable to duplicate it with a fresh install either. This install is as complex as it gets for me and runs flawlessly. I am just trying to ensure it continues to do so under 24.11, Kea and MIM. Lots of lab testing left!
