Netgate Discussion Forum

Radius server on third NIC

Captive Portal
6 Posts 3 Posters 4.2k Views
    bushtor
    last edited by Apr 3, 2006, 6:41 AM

    Hi,

    I have a pfsense box normally configured with WAN and LAN NICs. LAN subnet is 192.168.33.0

    I want to enable the captive portal for WAN access but our w2003 server radius service is on another subnet 10.130.34.0. When I have installed a third NIC card in the pfsense box and given it an address in this subnet, what else do I need to do to be able to correctly connect the pfsense box to the radius server on this subnet?

    regards

    Tor

      hoba
      last edited by Apr 3, 2006, 7:30 AM

      http://pfsense.com/mirror.php?section=tutorials/cp_config/radius_win2k3.htm

        bushtor
        last edited by Apr 3, 2006, 11:33 AM

        Yeah,

        This is the tutorial I'm using, however as I mentioned in OP the radius server is connected to a third NIC in my pfsense box. Hence I need to create rule(s) which give pfsense proper access to its radius server (and not more than that). Could someone give me some hints on which rules to apply so the pfsense box can communicate to/from the radius server as if the latter was directly connected to the LAN subnet (as it is in the demo)?

        My setup is like this:

        Internet
          |
        DHCP
          |
        WAN NIC (id=rl0)
          |
        pfsense box – OPT nic (id=xl1)  IP 10.130.0.35  <-> win2003 DC w/radius IP 10.130.0.5
          |
        LAN nic (id=xl0)
          |
        subnet 192.168.33.0 (with radius authenticated internet users)

        Thanks a lot if someone has a minute ..

        regards,  Tor

          hoba
          last edited by Apr 4, 2006, 8:15 AM

          Radius communication happens between ports 1812, 1645 for authentication and 1813, 1646 for accounting by default (unless you change these values at your server). You should allow these ports at your OPT interface from source <radius server IP> to destination any (try first with any, then tighten the rules after it's working). I'm not really sure why these rules should be needed as the pfSense is opening the connection to the radius server but give it a try.

            bushtor
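The two points in this exchange (pfSense opens the connection itself, and a pass-any rule on the OPT interface admits far more than RADIUS traffic) can be seen in a small stateful first-match rule simulator. This is an added example written for this thread, not pfSense or pf code. It uses the addresses from the diagram above; the /24 masks, the 10.130.0.77 host and the port numbers of the constructed packets are assumptions. pf keeps state: a request the firewall itself sends creates a state entry, and the reply is matched against the state table before any interface rule is consulted, which is why the RADIUS reply passes even with no OPT rule at all.

```python
"""Stateful first-match firewall simulator in pfSense's rule vocabulary
(interface, action, proto, source, destination, destination ports).
Added example, not pfSense/pf code; addresses follow the thread's diagram,
netmasks and packet ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RADIUS_NET = ipaddress.ip_network("10.130.0.0/24")     # OPT ("RADIUS") net, /24 assumed
LAN_NET = ipaddress.ip_network("192.168.33.0/24")       # LAN net, /24 assumed
RADIUS_SERVER = ipaddress.ip_network("10.130.0.5/32")  # win2003 DC with RADIUS
PFSENSE_OPT = "10.130.0.35"                             # pfSense address on OPT

# Default RADIUS ports: 1812/1813 (RFC 2865/2866) and the older 1645/1646 pair.
RADIUS_PORTS = frozenset({1812, 1813, 1645, 1646})


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet enters pfSense on, e.g. "RADIUS" or "LAN"
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                                   # "pass" or "block"
    proto: Optional[str] = None                   # None means any
    src: Optional[ipaddress.IPv4Network] = None   # None means any
    dst: Optional[ipaddress.IPv4Network] = None   # None means any
    dports: Optional[frozenset] = None            # None means any
    descr: str = ""

    def matches(self, p: Packet) -> bool:
        """True when every field the rule constrains agrees with the packet."""
        if p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def send_from_firewall(self, p: Packet) -> None:
        """Traffic pfSense originates itself (an Access-Request to the RADIUS
        server) is not subject to interface rules; it only creates state."""
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> str:
        """State table first, then first matching rule, then implicit default deny."""
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass (state)"
        for r in self.rules:
            if r.matches(p):
                return f"{r.action} ({r.descr})"
        return "block (default deny)"


# bushtor's "very general" rule: anything from the RADIUS net to anywhere.
BROAD = [Rule("RADIUS", "pass", src=RADIUS_NET, descr="RADIUS net to any")]

# hoba's tightened shape: only the RADIUS server, only the RADIUS ports, UDP.
TIGHT = [Rule("RADIUS", "pass", proto="udp", src=RADIUS_SERVER,
              dports=RADIUS_PORTS, descr="radius server, radius ports")]

# Constructed packets: the firewall's request, the server's reply, and an
# unrelated host on the OPT net trying to reach the pfSense web GUI.
ACCESS_REQUEST = Packet("RADIUS", "udp", PFSENSE_OPT, 54321, "10.130.0.5", 1812)
ACCESS_ACCEPT = Packet("RADIUS", "udp", "10.130.0.5", 1812, PFSENSE_OPT, 54321)
GUI_FROM_OPT_HOST = Packet("RADIUS", "tcp", "10.130.0.77", 40000, PFSENSE_OPT, 443)


def run(rules: List[Rule]) -> Dict[str, str]:
    """Send the RADIUS request, then decide the reply and the GUI attempt."""
    fw = Firewall(rules)
    fw.send_from_firewall(ACCESS_REQUEST)
    return {"reply": fw.inbound(ACCESS_ACCEPT), "gui": fw.inbound(GUI_FROM_OPT_HOST)}


if __name__ == "__main__":
    for name, rules in (("no OPT rule", []), ("broad", BROAD), ("tight", TIGHT)):
        print(name, run(rules))
```

With no OPT rule, the broad rule, or the tight rule, the RADIUS reply is passed by state; only the broad rule also lets any host on the OPT net reach the firewall's own services, which is the "and not more than that" that the tightening step addresses.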
            last edited by Apr 10, 2006, 1:06 PM

            As a beginning I tried to apply a very general rule for the OPT interface (which I call 'RADIUS'):

            proto: * 
            source: RADIUS net
            port: *
            destination: *
            port: *
            gateway: *

            Shouldn't this give the same access to the pfsense config GUI (and to a radius server) from this network as if they were connected to the default LAN nic?

            What else do I need to do to have a third nic (called RADIUS) with the same rules and possibilities as the default LAN nic?

            Tor

              jeroen234
              last edited by Apr 15, 2006, 7:43 AM

              action accept
              proto: tcp
              source: LAN net
              port: any
              destination: RADIUS net
              port: 1812-1813
              gateway: default

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.