RADIUS MAC authentication behind bridges

rhy7s · Aug 3, 2010, 12:45 AM

I'm looking around at the moment trying to figure out a RADIUS solution to allow data-based voucher access for the pfSense captive portal. Something I was wondering was whether I would have issues with the various wireless bridges I have deployed. In the ARP table multiple IPs share the same bridge MAC address, yet the DHCP table shows the correct individual MAC address for the various client adapters. On the captive portal configuration page it says:

MAC filtering Disable MAC filtering
If this option is set, no attempts will be made to ensure that the MAC address of clients stays the same while they're logged in. This is required when the MAC address of the client cannot be determined (usually because there are routers between pfSense and the clients). If this is enabled, RADIUS MAC authentication cannot be used.

Would the captive portal see clients' MAC addresses as they are listed in the ARP table, thus running into the issue mentioned above? Or the correct MAC addresses seen in the DHCP leases?

cmb · Aug 7, 2010, 9:12 PM

@rhy7s:

I'm looking around at the moment trying to figure out a RADIUS solution to allow data-based voucher access for the pfSense captive portal. Something I was wondering was whether I would have issues with the various wireless bridges I have deployed. In the ARP table multiple IPs share the same bridge MAC address

Then your bridge isn't bridging, it's messing with MACs where it shouldn't be. That won't work if that's how it shows up.