@nogbadthebad said in Using RADIUS server but on which device?:

Out of interest how many access-points do you have ?

I have a total of 5 Cisco 1700 Series access points connected to the controller

@markedo hi , did you have luck resolving this ?

Interestingly I did all my testing with a Windows 10 and Windows 11 laptop until I was happy with my captive portal. I tested at each stage:

set up captive portal with defaults, no authentication. set up voucher roll and voucher authentication. add SSL certificate (I already use an ACME letsencrypt with pfsense so I added another URL to the SAN for the captive portal) set up radius customise the logon HTML and the "error" HTML

I was happy that this all worked - only the "edge browser" seems to have an oddity with captive portal (force redirect sorted that and I was going to force redirect to my "company landing page" anyway, chrome and firefox have no issue sending its captive portal check plus redirecting back. Now to test with other devices:

*Ipad worked fine.
*Android did not. Android was convinced that it was connected - it attempted a www.gstatic.com/generate_204 which apparently (according to the device) succeeded pre authentication! There was no traffic flow though (good). However I could not get the captive portal page to trigger on an android device, it was convinced that it needed to "sign in" but then would simply say that it was connected.

I spent quite a lot of time looking at firewall logs, device logs and trying to fathom why the android device was convinced it had a connectivity allowed and I was never shown the captive portal page, I checked everything from DNS (I use pfsense forwarder and there is only one "exception" which is a "disclaimer landing page" simple URL on a local webserver).

In the end I found that if I "disconnected all users" then this would work. After digging it seems that if I make a change to the pfsense portal settings I need to disconnect all users for my android device to see the captive portal. Most odd.

Android device is version 12. I have no idea what this will do to the people who have vouchers when I disconnect (radius auth will be irrelevant of course, they can re-sign in.

please see this post for way more information.

@stephenw10
The AWS side will likely propagate whatever you advertise to it, because I manage both ends and that's just how the virtual private gateway works in AWS.
I guess there might be a slight risk here, but hopefully AWS won't make a change that reject these routes.

Of course, ideally I hope that pfSense will allow the source to be configured in a future release of the OS. As far as I know, other firewall vendors are able to do so.

/Thomas

Vielen Dank @JeGr @mike69 . Wieder einiges dazu gelernt.. :)

Old topic but try this:

First you need to know the vendor code for PFSENSE which I found in https://github.com/pfsense/pfsense/blob/master/src/usr/share/doc/radius/dictionary.pfsense

VENDOR pfSense 13644 BEGIN-VENDOR pfSense ATTRIBUTE pfSense-Bandwidth-Max-Up 1 integer ATTRIBUTE pfSense-Bandwidth-Max-Down 2 integer ATTRIBUTE pfSense-Max-Total-Octets 3 integer END-VENDOR pfSense

Now you can go to your network policy in NPS for the captive portal. Go to:
SETTINGS, VENDOR SPECIFIC, ADD, "custom", "Vendor specific/Radius standard", ADD,ADD:

Enter Vendor Code = 13644 Yes it conforms configure Attribute -> 1 for pfSense-Bandwidth-Max-Up with decimal and you bandwidth

repeat for 2 = pfSense-Bandwidth-Max-Down

Untested but this should work in theory.

After playing around for a little while I made an interesting discovery that I have not been able to find an explanation to...

FreeRadius EAP Settings has a check box "Check Client Certificate CN" ("When enabled, the Common Name of the client certificate must match the username set in 'FreeRADIUS > Users'").

When using a certificate to authenticate, it seems to me that the certificate CN would NOT be checked against the Users database. Regardless of the users I have added, I always get error messages like below when I have that check box checked:

Nov 30 17:33:15 radiusd 1388 tls: Certificate CN (K14) does not match specified value (host/K14)! Nov 30 17:33:15 radiusd 1388 tls: TLS_accept: Error in error Nov 30 17:33:15 radiusd 1388 (4) Login incorrect (Failed retrieving values required to evaluate condition): [host/K14/<via Auth-Type = eap>] (from client SW21 port 2 cli xx-xx-xx-xx-xx-xx) host/K14 -

So far I have not been able to figure how to effectively enable the client cert. CN check.

I wonder if this is also some stupid beginner's mistake, or is this something else?

And where does this "host/" prefix come from? At least it seems to be independent of the 802.1X authentication mode in the client (User vs. computer authentication)...

When the check box is not checked, authentication with the certificate succeeds without any problems.

FWIW, Radius debug log reveals:

(2) files: users: Matched entry host/K14 at line 2 (2) [files] = ok

...so it seems that it indeed performs the check against user database where I have an entry "host/K14".

In case this will help any one else, I've figured this out....

Here is a link on how to find the logs for NPS...

https://social.technet.microsoft.com/Forums/windows/en-US/45aa3000-c32b-483b-8d6e-565b56b163fc/how-to-check-the-nps-logs-in-the-event-viewer?forum=winserverNAP

Basically there are text file logs in c:\Windows\System32\LogFiles\In* , or you can check in Event Viewer under Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy.

In my case, the problem users were set to "Deny Access" under the "Dial In" tab of the user properties in AD Users & Computers. Setting to Allow Access fixed it up.

If you don't see the "Dial In" tab, this may be of help :

https://support.microsoft.com/en-ca/help/975448/the-dial-in-tab-is-not-available-in-the-active-directory-users-and-com

For me, I had to be on the server to get that tab, not accessing Active Directory Users and Computers on another PC.

Hope this will help someone else.

Thanks, Derelict for pointing me in the right direction!