After updating to version 2.4.4 "RADIUS MAC Authentication Failed."

fmohcine26 · Sep 29, 2018, 2:49 PM

After updating to version 2.4.4
Unable to authenticate to the captive portal, instead of the authentication page this error message appears "RADIUS MAC Authentication Failed."

free4 · Oct 1, 2018, 6:53 PM

Go to the settings of your captive portal, change authentication method to "use an authentication backend" if you don't want to use Radius MAC authentication.

fmohcine26 · Oct 1, 2018, 7:50 PM

freeradius is already set up and working properly before updating
I do not know the origin of this error in MAC Radius authentication

Enrica_CH · Oct 5, 2018, 12:41 PM

@free4 That's correct but you can use RADIUS with user/password ("use an authentication backend") either MAC authentification.

Until version 2.4.3 it was possible to have both parallel. First pfense sent MAC+secret to RADIUS. If MAC authentication failed then pfense opened the cp page and sent user/password. If both failed then user got an error message.

We uses both methods parallel because "normal" users authenficate with u/p while special users are registered in RADIUS with MAC id.

Is it possible to reintegrate option RADIUS MAC auth again?

kychou · Oct 5, 2018, 11:43 PM

I have the same problem. We need RADIUS MAC auth and user/password parallel.

free4 · Oct 10, 2018, 10:37 AM

@Erik_CH i made a pull request about this : https://github.com/pfsense/pfsense/pull/4000

jane.doe2 · Oct 29, 2018, 2:20 PM

The fall back seems not to respect the setting Use custom captive portal page as it always shows the default login page (default template).

Tested on 2.4.5.a.20181025.0115.

michaeleino · Nov 10, 2018, 8:24 PM

this feature is really how we operate the captive portal...
loosing it without mentioning it in the main release notes is really totally disappointing our expectation.. also we have no rollback option, as netgate isno longer hosting the old version :/ either no packages were available for older versions!!

generally after upgrading to 2.4.4 we got a lot of troubles, and makes the firewall unusable for more than 24hour with no luck to recover all what is working as it was..

really disappointing, we are gonna think not to rely on pfsense anymore !!

I have applied the patch to 2.4.4, but the login page is broken/corrupted showing random latin characters.
also the 2.4.5 released 09-11-2018 have the same behavior :(

ANY WORKAROUND HERE to get this to work again !?

free4 · Nov 13, 2018, 8:35 AM

@michaeleino go to your captive portal settings, and check "Login page fallback" option.

if the setting doesn't exist reinstall 2.4.4 from a fresh, new image (the ISO has been updated on pfsense website, it now contain the feature you are asking for)

michaeleino · Nov 13, 2018, 9:42 PM

@free4 thanks a lot for your response, do you mean "2.4.4" or the daily snapshot ?
I can see the 2.4.4 image date is 20-septemper.. is that correct ?

meanwhile, I was downgraded to 2.3.4 via a snapshot / and tried to day to perform a normal upgrade via the GUI.. everything goes fine, but there is no option for login fall back.

Do I still need to perform a fresh install?

michaeleino · Nov 14, 2018, 9:26 AM

@free4
I have tried the latest 2.4.4 image to a fresh install, and it doesn't have this feature, do I miss anything ?

Gertjan · Nov 14, 2018, 10:28 AM

@michaeleino said in After updating to version 2.4.4 "RADIUS MAC Authentication Failed.":

I have applied the patch to 2.4.4, but the login page is broken/corrupted showing random latin characters.

The default, build in login page ?

free4 · Nov 14, 2018, 10:37 AM

@michaeleino oops....you are right

the feature has been added in 2.4.4 on 9 October ( https://github.com/pfsense/pfsense/commit/bb90e3c57bec5ad24df5f9fdd51d9eadbf3792df ) but the latest ISO is from 20th September

I thought that Netgate was re-generating 2.4.4 ISO every time a commit is performed on the associated github branch ? is Netgate having issue with their build system?

Well, sorry for my bad advice then.

then what you could do is install "patch" package, and manually install this patch :

url/commit ID : https://github.com/pfsense/pfsense/commit/bb90e3c57bec5ad24df5f9fdd51d9eadbf3792df.diff

path strip count : 2
base directory : /
ignore whitespace : checked or not checked are both ok

michaeleino · Nov 14, 2018, 11:17 AM

@Gertjan, yes it was the default -- may be I have applied the patch incorrectly.

@free4 they shouldn't push a new image without changing the version release.. I think it is on purpose :)

I have applied the patch using the system patch and it looks working on a fresh install, will apply this in a night action.. and will get back if there are issues.

not sure, the logo image is missing due to not logged-in yet or it is missing.. not a big issue.

Thanks a lot for the help.

maritoja · Nov 15, 2018, 1:42 AM

I am with the same problem, could it be solved is there any other way to do what we need? Mac and user in parallel? apart from that I had to add the mac users directly to the captive portal otherwise it gave me problems, the users were disconnected quite unstable the radius was put on. tanks a lot.

free4 · Nov 15, 2018, 7:13 AM

@maritoja please check my previous reply.

and btw, I can confirm that the captive portal is working well using RADIUS server, as long as you don't re-configure it all the time (there is currently an issue when re-configuring a captivportal while users are currently connected. see https://redmine.pfsense.org/issues/8616 )

jane.doe2 · Nov 26, 2018, 3:05 PM

Ok, I can confirm this works, if we set our login.php (Portal page contents) to the error.php (Auth error page contents)`.

But how to show a custom error page (Auth error page contents) then in case the user enters a faulty password on the fallback login page?

RADIUS -> Custom login.php -> Password wrong?

Gertjan · Nov 26, 2018, 3:01 PM

@jane-doe2 said in After updating to version 2.4.4 "RADIUS MAC Authentication Failed.":

RADIUS -> Custom login.php -> Password wrong ?

Try it out for yourself.
If auth error, the error page will be shown. It's basically the same page as the login page, with one "error text place holder" added.

jane.doe2 · Nov 26, 2018, 3:03 PM

@gertjan said in After updating to version 2.4.4 "RADIUS MAC Authentication Failed.":

It's basically the same page as the login page, with one "error text place holder" added.

Ok, thank you for the response, this sounds good :)

Therefore the Portal page contents can be left empty for this scenario?

Gertjan · Nov 26, 2018, 3:13 PM

@jane-doe2 said in After updating to version 2.4.4 "RADIUS MAC Authentication Failed.":

Therefore the Portal page contents can be left empty for this scenario?

Left to "default"that is - the default error page is not empty - it's a login page with an extra line that reflects the error that occurred during a previous login attempt.