Netgate Discussion Forum

    Captive Portal/FreeRADIUS/WPA Enterprise/Segmenting Users

    pfSense Packages
    thermo:

      It's difficult to pinpoint what exactly the problem could be, but if it is just a case of the segmentation of the users and guests interfaces, then the first thing to look at would be the firewall rules on your LAN and guest interfaces. Are you using RADIUS on pfSense or a different machine? I somehow doubt that the pfSense RADIUS package allows the configuration of two virtual servers, which you would need in your particular case, though the package capabilities might have changed since I last saw it.
      Need more information!

      pfSenseRocks:

        Thanks for the reply. Sorry for not being a bit more articulate. The problem isn't isolating the users; the firewall does an awesome job of that. The problem is that the users' credentials work on the Captive Portal and the WAPs on the Guest network, and the Guest credentials work on the LAN WAPs. I want to configure the captive portal and RADIUS such that Guest credentials don't authenticate on the LAN. Does that make more sense?

        thermo:

          There are various ways to do it, in order of difficulty:

          • Set up a second RADIUS server, just to authenticate the guests.
          • Set up a (second) virtual server on your current FreeRADIUS instance, to authenticate just the guests. As I said previously, this might not be possible with the config editing capabilities of the FreeRADIUS package on pfSense, but it is easier/possible to do if your RADIUS server is on a Linux machine somewhere else and you are comfortable editing the FreeRADIUS config files.
          • Write and include a script which checks that guests (via a RADIUS check attribute) are accessing the correct SSID during an access request, and rejects if not.
          pfSenseRocks:

            I have set up two RADIUS servers on two different interfaces (LAN 192.168.24.0/24 and GAN 192.168.235.0/24), but there doesn't seem to be a way to partition users to specific interfaces.

            • Write & include a script which checks that guests (via a radius check attribute) are accessing the correct SSID during an access request, and reject if not.

            This sounds promising. Would you be able to point me to the relevant resources?

            (attachment: Servers.PNG)

            thermo:

              You haven't. You have told the same RADIUS instance to listen on two interfaces. Now you need to tell RADIUS to handle AAA differently for each interface (which might be impossible with the pfSense RADIUS package).
              I'm no expert at FreeRADIUS unlang, but if you have the time and effort, google "freeradius unlang".

              Nachtfalke:

                Hi,
                you should check this post:
                http://forum.pfsense.org/index.php/topic,67801.0.html

                You can add the "NAS-IP-Address == 192.168.10.1" attribute to every user which should only be accepted when accessing from the NAS with IP 192.168.10.1.

                If there are several NAS with different IPs try this:
                NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"

                For this you need to change the freeradius.inc in some small parts which are explained in the thread I mentioned above.

                Good luck!

                pfSenseRocks:

                  Thanks Nachtfalke! I will try that tonight and let the thread know how it went.

                  pfSenseRocks:

                    NAS-IP-Address =~ "192.168.24.1 | 192.168.24.201 | 192.168.24.202 | 192.168.24.203 | 192.168.24.204 | 192.168.235.1 | 192.168.235.201 | 192.168.235.202 | 192.168.235.203 | 192.168.235.204"

                    I added the above entry to the "Additional RADIUS Attributes (CHECK-ITEM)" field for each user. I even modified the explode char. The UI shows the above line verbatim. But, I get the following authentication errors.

                    Dec 3 20:22:17 radiusd[19876]: Login incorrect: [USER1] (from client sense.mydomain.guest port 2412 cli c4:85:08:xx:yy:zz)
                    Dec 3 20:21:55 radiusd[19876]: Login incorrect: [USER2] (from client sense.mydomain.guest port 2412 cli f0:de:f1:xx:yy:zz)
                    Dec 3 20:21:46 radiusd[19876]: Login incorrect: [USER2] (from client sense.mydomain.guest port 2412 cli f0:de:f1:xx:yy:zz)
                    Dec 3 20:21:34 radiusd[19876]: Login incorrect: [USER2] (from client sense.mydomain.guest port 2412 cli f0:de:f1:xx:yy:zz)
                    Dec 3 20:19:48 radiusd[19876]: Login incorrect: [USER1] (from client wapb.mydomain.home port 36 cli 7054d2266527)
                    Dec 3 20:19:48 radiusd[19876]: Login incorrect: [USER1] (from client wapb.mydomain.home port 0 via TLS tunnel)
                    Dec 3 20:19:10 radiusd[19876]: Login incorrect: [USER1] (from client wapk.mydomain.home port 4 cli 34c803119d08)
                    Dec 3 20:19:10 radiusd[19876]: Login incorrect: [USER1] (from client wapk.mydomain.home port 0 via TLS tunnel)

                    Any hints on what might be going wrong? What other information would be helpful to diagnose the issue?

                    Thanks!

                    thermo:

                      SSH into your pfSense and into the shell.

                      killall radiusd              # stop the running radiusd daemon
                      /usr/local/sbin/radiusd -X   # start it again in the foreground, in debug mode

                      and watch the output.

                      Nachtfalke:

                        @thermo:

                            ssh into your pfsense & into the shell.

                            killall radiusd
                            /usr/local/sbin/radiusd -X

                            and watch the output.

                        No need to kill the process, just stop it in the GUI.
                        radiusd -X will run FreeRADIUS in debug mode and tell you everything.

                        In the FreeRADIUS GUI you can enable the logging of good and bad authentications; passwords and usernames will be shown in the pfSense syslog.

                        Further, make sure that the switches and WLAN APs have the same shared secret as in FreeRADIUS NAS/Clients.

                        Make sure that your switches and APs send their correct NAS-IP to FreeRADIUS and that it is configured in Users.

                        FreeRADIUS - View config could help you to find out if your Users file looks correct and represents all your parameters.

                        The order in the users file is important. So if there is one user added twice, the first match will win.

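The check-item mechanism Nachtfalke describes above (NAS-IP-Address compared with == or =~ per user) and the ordering rule from the last post (first matching users entry wins), as an added Python simulation that is not pfSense's or FreeRADIUS's own code. It walks a constructed users list the way FreeRADIUS walks the users file, assuming the =~ compare is unanchored and runs against the address's string form, and shows both why whitespace around | in an alternation prevents a match and how an unrestricted duplicate entry further down silently undoes the restriction.

```python
import re

# Constructed users-file entries in file order: (User-Name, [(attribute, operator, value), ...]).
USERS = [
    # guest pinned to the guest NAS, written as in the thread with spaces around "|"
    ("guest1", [("NAS-IP-Address", "=~", "192.168.235.1 | 192.168.235.201")]),
    # the same restriction as an anchored regex with escaped dots and no stray spaces
    ("guest2", [("NAS-IP-Address", "=~", r"^(192\.168\.235\.1|192\.168\.235\.201)$")]),
    # LAN user pinned to the LAN NAS
    ("alice", [("NAS-IP-Address", "==", "192.168.24.1")]),
    # an unrestricted duplicate further down (e.g. a leftover entry): reached whenever
    # the restricted entry above does not match, so it silently undoes the restriction
    ("alice", []),
]

def check_item_passes(request, attr, op, value):
    """One check item against the request attribute's string form; "=~" is unanchored."""
    actual = request.get(attr)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "=~":
        return re.search(value, actual) is not None
    raise ValueError(f"operator {op!r} not modelled")

def lookup(users, request):
    """Index of the first entry for this User-Name whose check items all pass, else None."""
    for idx, (name, checks) in enumerate(users):
        if name == request["User-Name"] and all(
                check_item_passes(request, a, o, v) for a, o, v in checks):
            return idx
    return None  # nothing matched: FreeRADIUS has no entry for the request -> Access-Reject

def demo():
    guest = {"NAS-IP-Address": "192.168.235.1"}
    lan = {"NAS-IP-Address": "192.168.24.1"}
    return {
        # the spaced alternation never matches: its branches are "...235.1 " and " ...235.201"
        "guest1@guest": lookup(USERS, {"User-Name": "guest1", **guest}),
        "guest2@guest": lookup(USERS, {"User-Name": "guest2", **guest}),
        "guest2@lan": lookup(USERS, {"User-Name": "guest2", **lan}),
        "alice@lan": lookup(USERS, {"User-Name": "alice", **lan}),
        # the duplicate entry (index 3) lets alice in from the guest NAS despite the check item
        "alice@guest": lookup(USERS, {"User-Name": "alice", **guest}),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", "reject" if v is None else f"entry {v}")
```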
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.