Captive Portal with external RADIUS authentications… help?
-
Can anyone help me with getting captive portal working with a RADIUS server which is sitting on another machine?
I have tried, but when i go to login, i just get "Error sending request: No valid RADIS responses received"
no firewall on the radius server machine.. can ping the IP of the server from my laptop on same network connected to pfSense
-
tcpdump to pick up the RADIUS traffic, see what you're getting back if anything. Start on the firewall, then move to the RADIUS server.
-
Thanks for the reply, but can you please explain hoe to do this? Sorry, but very new with pfSense and UNIX.
-
easy way - Diagnostics>Packet capture, pick the interface where the firewall reaches the RADIUS server, enter the RADIUS server's IP as the host, and click Start. Try to authenticate a couple times, then click stop. Summary view will be shown there, details can be viewed by downloading the pcap and opening in Wireshark.
-
Could you maybe help me understand this.. I started the packet capture and then tried to log in to captive portao with my radius username and password, i got the same error saying no valid radius… here is the packet capture results:
17:05:09.348856 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 17154, length 60
17:05:09.349684 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 17154, length 60
17:05:10.348990 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 17410, length 60
17:05:10.349803 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 17410, length 60
17:05:11.348988 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 17666, length 60
17:05:11.349848 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 17666, length 60
17:05:12.349108 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 17922, length 60
17:05:12.350387 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 17922, length 60
17:05:13.349097 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 18178, length 60
17:05:13.350170 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 18178, length 60
17:05:13.463705 IP 201.73.17.178.2994 > 208.67.222.222.53: UDP, length 33
17:05:13.463722 IP 201.73.17.178.2994 > 208.67.220.220.53: UDP, length 33
17:05:13.645597 IP 208.67.220.220.53 > 201.73.17.178.2994: UDP, length 323
17:05:13.670079 IP 208.67.222.222.53 > 201.73.17.178.2994: UDP, length 323
17:05:14.055001 IP 99.229.129.153.27000 > 201.73.17.178.25209: UDP, length 103
17:05:14.349100 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 18434, length 60
17:05:14.349923 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 18434, length 60
17:05:15.349101 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 18690, length 60
17:05:15.349976 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 18690, length 60
17:05:16.349365 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 18946, length 60
17:05:16.350190 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 18946, length 60
17:05:17.045014
17:05:17.349355 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 19202, length 60
17:05:17.351245 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 19202, length 60
17:05:17.697322 IP 78.106.248.51.18003 > 201.73.17.178.14672: UDP, length 103
17:05:18.349517 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 19458, length 60
17:05:18.350343 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 19458, length 60
17:05:19.349515 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 19714, length 60
17:05:19.350356 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 19714, length 60
17:05:19.667929 IP 201.73.17.178.62521 > 69.164.222.108.123: UDP, length 48
17:05:19.820847 IP 69.164.222.108.123 > 201.73.17.178.62521: UDP, length 48
17:05:20.349648 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 19970, length 60
17:05:20.350471 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 19970, length 60
17:05:21.350203 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 20226, length 60
17:05:21.351015 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 20226, length 60
17:05:22.350189 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 20482, length 60
17:05:22.350998 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 20482, length 60
17:05:22.495354 IP 88.16.32.226.47473 > 201.73.17.178.25209: UDP, length 103
17:05:22.820554 IP 201.73.17.178.3304 > 67.18.187.111.123: UDP, length 48
17:05:22.994949 IP 67.18.187.111.123 > 201.73.17.178.3304: UDP, length 48
17:05:23.350346 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 20738, length 60
17:05:23.351389 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 20738, length 60
17:05:24.350345 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 20994, length 60
17:05:24.352003 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 20994, length 60
17:05:24.550735 IP 94.28.150.230.28876 > 201.73.17.178.62576: UDP, length 103
17:05:25.350505 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 21250, length 60
17:05:25.351779 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 21250, length 60
17:05:25.671316 CDPv2, ttl: 180s, Device-ID 'MULTIBAR', length 351
17:05:26.350493 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 21506, length 60
17:05:26.351739 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 21506, length 60
17:05:27.038894
17:05:27.350486 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 21762, length 60
17:05:27.351645 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 21762, length 60
17:05:28.350490 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 22018, length 60
17:05:28.351327 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 22018, length 60
17:05:29.350745 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 22274, length 60
17:05:29.351537 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 22274, length 60
17:05:30.350745 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 22530, length 60
17:05:30.351566 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 22530, length 60
17:05:30.734244 IP 122.176.217.134.49548 > 201.73.17.178.63712: UDP, length 103
17:05:31.350867 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 22786, length 60
17:05:31.351667 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 22786, length 60
17:05:32.350853 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 23042, length 60
17:05:32.352000 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 23042, length 60
17:05:33.350854 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 23298, length 60
17:05:33.367430 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 23298, length 60
17:05:34.350859 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 23554, length 60
17:05:34.351799 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 23554, length 60
17:05:34.990280 IP 201.73.17.178.61751 > 198.137.202.16.123: UDP, length 48
17:05:35.037591 IP 76.125.65.25.10435 > 201.73.17.178.14672: UDP, length 103
17:05:35.220804 IP 198.137.202.16.123 > 201.73.17.178.61751: UDP, length 48
17:05:35.351139 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 23810, length 60
17:05:35.351989 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 23810, length 60
17:05:36.111820 IP 109.175.83.118.64168 > 201.73.17.178.63712: UDP, length 103
17:05:36.351136 IP 201.73.17.178 > 201.73.17.177: ICMP echo request, id 41958, seq 24066, length 60
17:05:36.351968 IP 201.73.17.177 > 201.73.17.178: ICMP echo reply, id 41958, seq 24066, length 60
17:05:37.034072The 2 IP's i see there are my WAN port on pfSense, and the other is my Cisco router.. In the packet capture program i put in 192.168.100.20 port 1812 which is where my RADIUS server is.. Can you see whats going wrong from this?
-
That's not the interface where your RADIUS server resides it appears, since it's a private IP and that's Internet traffic, and no RADIUS traffic there. Probably need to choose LAN, or which ever interface the firewall uses to reach that RADIUS server.
-
Sorry, long time getting back to this, here is what i believe you were asking for:
16:25:26.372534 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 0
16:25:26.375570 IP 192.168.5.1.8000 > 192.168.5.11.39631: tcp 0
16:25:26.375675 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 0
16:25:26.377047 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 734
16:25:26.377070 IP 192.168.5.1.8000 > 192.168.5.11.39631: tcp 0
16:25:26.395575 IP 192.168.5.1 > 192.168.5.11: ICMP echo request, id 30051, seq 0, length 64
16:25:26.395696 IP 192.168.5.11 > 192.168.5.1: ICMP echo reply, id 30051, seq 0, length 64
16:25:26.446909 IP 192.168.5.1.26905 > 192.168.5.11.1812: UDP, length 128
16:25:29.449781 IP 192.168.5.1.26905 > 192.168.5.11.1812: UDP, length 128
16:25:32.560983 IP 192.168.5.1.8000 > 192.168.5.11.39631: tcp 1448
16:25:32.561453 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 0
16:25:32.575984 IP 192.168.5.1.8000 > 192.168.5.11.39631: tcp 1347
16:25:32.576325 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 0
16:25:32.590979 IP 192.168.5.1.8000 > 192.168.5.11.39631: tcp 5
16:25:32.591076 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 0
16:25:32.591207 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 0
16:25:32.593984 IP 192.168.5.1.8000 > 192.168.5.11.39631: tcp 0
16:25:32.594080 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 0
16:25:32.898495 IP 192.168.5.11.46911 > 128.91.79.58.21: tcp 0
16:25:32.902084 IP 192.168.5.11.54841 > 192.168.5.1.53: UDP, length 41
16:25:32.903003 IP 192.168.5.1.53 > 192.168.5.11.54841: UDP, length 57
16:25:32.903213 IP 192.168.5.11.46913 > 128.91.79.58.21: tcp 0
16:25:33.049014 IP 128.91.79.58.21 > 192.168.5.11.46911: tcp 0
16:25:33.049019 IP 128.91.79.58.21 > 192.168.5.11.46911: tcp 0
16:25:33.049126 IP 192.168.5.11.46911 > 128.91.79.58.21: tcp 0
16:25:33.050014 IP 128.91.79.58.21 > 192.168.5.11.46913: tcp 0
16:25:33.050081 IP 192.168.5.11.46913 > 128.91.79.58.21: tcp 0
16:25:33.069336 IP 192.168.5.11.39631 > 192.168.5.1.8000: tcp 0
16:25:33.263029 IP 192.168.5.1.8000 > 192.168.5.11.39631: tcp 0
16:25:38.699328 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 0
16:25:38.730389 IP 192.168.5.1.8000 > 192.168.5.11.39633: tcp 0
16:25:38.730501 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 0
16:25:38.730693 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 620
16:25:38.730713 IP 192.168.5.1.8000 > 192.168.5.11.39633: tcp 0
16:25:38.750390 IP 192.168.5.1 > 192.168.5.11: ICMP echo request, id 61555, seq 0, length 64
16:25:38.750492 IP 192.168.5.11 > 192.168.5.1: ICMP echo reply, id 61555, seq 0, length 64
16:25:38.814628 IP 192.168.5.1.34064 > 192.168.5.11.1812: UDP, length 128
16:25:41.803629 IP 192.168.5.1.34064 > 192.168.5.11.1812: UDP, length 128
16:25:44.814605 IP 192.168.5.1.8000 > 192.168.5.11.39633: tcp 1448
16:25:44.814952 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 0
16:25:44.829794 IP 192.168.5.1.8000 > 192.168.5.11.39633: tcp 1347
16:25:44.830119 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 0
16:25:44.844794 IP 192.168.5.1.8000 > 192.168.5.11.39633: tcp 5
16:25:44.844891 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 0
16:25:44.845022 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 0
16:25:44.850788 IP 192.168.5.1.8000 > 192.168.5.11.39633: tcp 0
16:25:44.850880 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 0
16:25:45.321124 IP 192.168.5.11.39633 > 192.168.5.1.8000: tcp 0
16:25:45.339823 IP 192.168.5.1.8000 > 192.168.5.11.39633: tcp 0
16:25:46.170887 IP 192.168.5.11.60527 > 192.168.5.1.53: UDP, length 49
16:25:46.175882 IP 192.168.5.1.53 > 192.168.5.11.60527: UDP, length 83
16:25:46.176064 IP 192.168.5.11.48559 > 192.168.5.1.53: UDP, length 49
16:25:46.179883 IP 192.168.5.1.53 > 192.168.5.11.48559: UDP, length 339
16:25:46.180103 IP 192.168.5.11.40677 > 192.168.5.1.53: UDP, length 49
16:25:46.187885 IP 192.168.5.1.53 > 192.168.5.11.40677: UDP, length 339
16:25:46.188422 IP 192.168.5.11.42383 > 74.125.234.44.80: tcp 0
16:25:46.309902 IP 74.125.234.44.80 > 192.168.5.11.42383: tcp 0
16:25:46.310004 IP 192.168.5.11.42383 > 74.125.234.44.80: tcp 0
16:25:46.310258 IP 192.168.5.11.42383 > 74.125.234.44.80: tcp 1016
16:25:46.400899 IP 74.125.234.44.80 > 192.168.5.11.42383: tcp 0
16:25:46.401892 IP 74.125.234.44.80 > 192.168.5.11.42383: tcp 499
16:25:46.402072 IP 192.168.5.11.42383 > 74.125.234.44.80: tcp 0
16:25:46.402237 IP 192.168.5.11.42383 > 74.125.234.44.80: tcp 0
16:25:46.402951 IP 192.168.5.11.39635 > 192.168.5.1.8000: tcp 0
16:25:46.528915 IP 74.125.234.44.80 > 192.168.5.11.42383: tcp 0
16:25:46.529901 IP 74.125.234.44.80 > 192.168.5.11.42383: tcp 0
16:25:46.529994 IP 192.168.5.11.42383 > 74.125.234.44.80: tcp 0
16:25:46.544908 IP 192.168.5.1.8000 > 192.168.5.11.39635: tcp 0
16:25:46.545141 IP 192.168.5.11.39635 > 192.168.5.1.8000: tcp 0
16:25:46.545318 IP 192.168.5.11.39635 > 192.168.5.1.8000: tcp 554
16:25:46.575443 IP 192.168.5.1 > 192.168.5.11: ICMP echo request, id 24208, seq 0, length 64
16:25:46.575557 IP 192.168.5.11 > 192.168.5.1: ICMP echo reply, id 24208, seq 0, length 64
16:25:46.757923 IP 192.168.5.1.8000 > 192.168.5.11.39635: tcp 0
16:25:46.818927 IP 192.168.5.1.8000 > 192.168.5.11.39635: tcp 1448
16:25:46.819389 IP 192.168.5.11.39635 > 192.168.5.1.8000: tcp 0
16:25:47.151947 IP 192.168.5.1.8000 > 192.168.5.11.39635: tcp 1330
16:25:47.152390 IP 192.168.5.11.39635 > 192.168.5.1.8000: tcp 0
16:25:47.528974 IP 192.168.5.1.8000 > 192.168.5.11.39635: tcp 0Still having the same problem and descperately need it solved.. thanks in advance
-
There you go, here are your access requests.
16:25:26.446909 IP 192.168.5.1.26905 > 192.168.5.11.1812: UDP, length 128
16:25:29.449781 IP 192.168.5.1.26905 > 192.168.5.11.1812: UDP, length 128Note there is nothing in response, so check your RADIUS server's logs.
-
Thanks for that, ill have to try and work out how to find this in the radius server logs and report back. When i am on the radius server i can authenticate so i know its working.. The radius server has no firewall installed so i have to assume there is something wrong with pfSense with this..
-
The radius server has no firewall installed so i have to assume there is something wrong with pfSense with this..
I don't know specifics of your radius server, but some servers have configuration files that can specify access restrictions (e.g. "only talk with clients from these IP addresses").
-
I don't know specifics of your radius server, but some servers have configuration files that can specify access restrictions (e.g. "only talk with clients from these IP addresses").
This. The problem is without question on the RADIUS server, and this is the most likely cause, most all won't answer requests over the network without properly defining the host and its secret.
-
Interesting.. i will have to take a look at this.. I am though defining the host, port and secret in the settings for the RADIUS server uthentication on the captive portal.
SO it possibly has a setting in the RADIUS conf that will not allow authentication from another machine?
-
Every RADIUS server has to have its clients defined in its config.
-
Ok, so by client you are not talking about users right? you mean as in the ip address of the pfsense box has to be defined in the radiusd.conf?
-
Yes, the firewall is the RADIUS client.
-
Can someone tell me how to add the client to radius conf?
Not sure how this is done and i dont want to break something..
-
Depends on what RADIUS server you're using. Generally a better question for the RADIUS server's forum or list, though some here may know the particular server you're using.
-
No worries, i worked it out.. Authentication is now working to my FreeRADIUS server through captive portal.
On a side note, does anyone know of any good software that i can use for billing?