[SOLVED] Captive portal and RADIUS Authentication

nicola.ferrari

Hi everybody.
I'm new to the forum. I'm Italian so please sorry for my poor english.

I just set up a new PFSense 2.1.4.
I'm trying to use RADIUS Auth for the Captive portal.
Captive Portal with Local Auth is working fine.

I set up RADIUS Role on my Win2008R2 DC .
It's working. If I add the server in "User management -> Servers" and then try with "Diagnostics -> Authentication" I can see the authentication attempt in my Windows Event Viewer, and PFSense says "User authenticated succesfully"

But if I try to use RADIUS in Captive portal configuration:

• with PAP auth I get a red message in the captive portal page after authentication "Error sending request. No RADIUS server specified" and on the top of the page something such a PHP error:
  "Warning: invalid argument supplied for foreach in /usr/local/captiveportal/radius_authentication.inc line 87

• with MSCHAPv2 auth I get a blank page with the PHP error, plus information about memory allocation
  "Fatal error. Allowed memory size of 268435856 bytes exhausted (tried to allocate 4294967295 bytes) in /etc/inc/radius.inc line 446.

Where is my mistake?
Thanks!
Nick

nicola.ferrari

OK, now it's working with NDS Radius on Win2008R2 and radius settings
directly in Captive Portal.

I think the problem was simply a "too strong"/too long shared secret
with non standard characters such as @, commas and others…
maybe encoding problems??

Now I deleted some of that characters from the shared secret and
everything is working.
(anyway I'm using : \ / and others...)

My Win2008R2 RADIUS config for future reference if someone will need it:

- Added network access policy role with con servizio Network policy
server service.

- New radius client: pfSense - <ip_of_your_pfsense>, shared secret

- Connection request policy:
New -> pfSense
Conditions: IPv4 client address - 192.168.0.246

- Network policy:
New -> PFSense Captive Portal
Condition 1: Users group - DOMAIN\ADGroup
Condition 2: NAS Identifier - pfsense.localdomain (as you entered in
pfsense initial wizard)
Condition 3: NAS port type - Ethernet
Protocol: MSCHAPv2

In the "Network policy server" service properties, enter only RADIUS
standard port 1812 (connection) and 1813 (accounting), and delete any
other port.

Stop and restart the service.</ip_of_your_pfsense>

Captive portal side config:

Services -> Captive portal -> New

Enable Captive Portal
Authentication: RADIUS Autentication - MSCHAPv2
Primary RADIUS server: <your_win2008_ip>RADIUS NAS IP attribute: <your_pfsense_ip_on_the_lan_side>Shared Secret: same as on server</your_pfsense_ip_on_the_lan_side></your_win2008_ip> 

Cheers,
Nick

jultra

Hi,

I am experiencing the same issue right now on my captive portal radius authentication setup.

I am getting an error every time I try to re-login for the second time, first time produces an error. This is the error:

Fatal error: Allowed memory size of 268435456 bytes exhausted (tried to allocate 4294967295 bytes) in /etc/inc/radius.inc on line 446

I've tried to follow you "too long" secret key suggestion but it did not work for me. Anyway, maybe you have some other idea about what might be causing that error.