@Gertjan So I used both tcpdump and radsniff to look at packet traces, but I can't see any issues. In both cases (working and non-working) the radius server sends back an Access-Accept message with the same set of fields.

Hey, In here I've decribed my work on this topic :)
https://forum.netgate.com/topic/189447/openvpn-ssl-tls-user-auth-over-ldap/3

@LamaZ This looks to have been going on for many years glad it made it. Secure Time!! Quizzes, Tests, Exams, etc all are now a bit more secure.

@LamaZ thank you for the code and figuring this out, I learned my first GitHub pull and fork also with this.

@nogbadthebad said in Using RADIUS server but on which device?:

Out of interest how many access-points do you have ?

I have a total of 5 Cisco 1700 Series access points connected to the controller

@undrblack

Without knowing the details :
When you remove the 'virtual' part, that is : running pfSense with 3 real networking interfaces, bare bone, your issue will be gone. I can imagine the vitual interfaces / switch can be set up many ways, some of them could be wrong ?
See also Virtualization ! if you have a Windows 10 (Pro) orMS SErver : use the build in Hyper-V : I've one running iwth Hyper-V, and it works fine. There is a detailed step by step setup guide in the doc.
When a client connects to the Wifi, can you see the DHCP server log 'lease' attribution on the right interface ? What was the IP/mask/gateway/DNS received on the client ? That info should correspond to with the pfSense portal NIC.
pfSEnse doesn't handle the the AP <=> Client radio (wifi) connection.
if the AP is an AP and router, the pfSense portal only sees the IP and MAC of the router, not the IP and MAC of the clients. Ones a first client is logged in, all the others will pass without seeing a login screen.

I found my issue: the group membership attribute should be "memberOf" instead of member as posted by OP.

Boas,
Tenho o mesmo problema, alguém tem alguma dica ?

I would reboot the pfSense and when it completed, then reboot/repowered your CenturyLink modem. You'll then obtain an IP address for WAN.

If you just want a count, you can use the script that is there for RRD:

/usr/local/bin/php-cgi -q /usr/local/bin/captiveportal_gather_stats.php '<zone name>' 'loggedin'

/usr/local/bin/php-cgi -q /usr/local/bin/captiveportal_gather_stats.php '<zone name>' 'concurrent'

@jmurr
Посмотрите тут
Обратите внимание на раздел Extended Query
Возможно , это то что Вам нужно
https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html

Glad you have it working now. ☺

-Rico

@juanmaximoti Como conseguiu liberar?

In case this will help any one else, I've figured this out....

Here is a link on how to find the logs for NPS...

https://social.technet.microsoft.com/Forums/windows/en-US/45aa3000-c32b-483b-8d6e-565b56b163fc/how-to-check-the-nps-logs-in-the-event-viewer?forum=winserverNAP

Basically there are text file logs in c:\Windows\System32\LogFiles\In* , or you can check in Event Viewer under Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy.

In my case, the problem users were set to "Deny Access" under the "Dial In" tab of the user properties in AD Users & Computers. Setting to Allow Access fixed it up.

If you don't see the "Dial In" tab, this may be of help :

https://support.microsoft.com/en-ca/help/975448/the-dial-in-tab-is-not-available-in-the-active-directory-users-and-com

For me, I had to be on the server to get that tab, not accessing Active Directory Users and Computers on another PC.

Hope this will help someone else.

Thanks, Derelict for pointing me in the right direction!