Radius MAC Auth works but Android sends advice that there is no Internet


  • Hi, I'm having a disturbing issue that I don't know how to solve. MAC auth to an external RADIUS server is working, but from what I have seen it only works when you open a browser. So, step by step on my testing results:

    I validate to the Captive Portal with a user and password (external Captive Portal). That works fine.
    I kill the captive portal session and then no Internet connection appears on my Android device.
    I try to open a browser and nothing happens, but I have Internet again.

    This same issue happens many times to regular clients (without killing their captive portal session). This gave our customer the feeling that the WiFi network doesn't work fine. Does anyone know how to solve it?

    I'm working with pfSense 2.2.6

    Thank you in advance


  • This:
    @msemidan:

    …. then no Internet connection appears on my Android device.

    and
    @msemidan:

    but I have Internet again

    Can you detail your issue?

    This is complicated:
    @msemidan:

    I'm working with pfSense 2.2.6

    => no one will remember what issues were possible with ancient versions.
    pfSense is a work in progress. To progress, most of us will only use the latest version.


  • Hi, sorry for the delay in my reply.

    I'll try to explain it with more detail.

    I have an open WiFi network with Captive Portal auth + RADIUS MAC auth. Authenticated users have a strange issue that is causing me a lot of problems. For example:

    I'm using my Android device, surfing web sites without any problem, and then I leave my phone on my desk for fifteen minutes without touching it. When I try to use my phone again, the message appears on my phone that my WiFi network requires validation (remember that I have MAC auth). At this moment, the Internet connection is not working for me. So, I open a browser again, and without doing anything else I have an Internet connection again.

    Looking into the code, it appears that MAC validation is only triggered when pfSense listens to an event on port 80. I don't really know why it's done this way, but it is not working properly.

    Does anyone have an idea how to solve this?

    I know that 2.2.6 is an older version but I can't update right now. Does anyone know if new versions fix this problem?

    Regards,


  • It's easy to prove that this isn't a pfSense issue.

    Go here :
    https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting and read and try listing your ipfw rules and what is in the tables.
    Now, connect your android thing.
    Check the rules and tables again, and note them all down.
    Take a 15 minutes break.
    Check the rules and tables again, and compare : NO differences should be found, for pfSense all is still the same ***.
    Do you find any differences ?
    If so, tell us about it.

    Btw : people who still use 2.2.6 do not exist anymore (or, at least, they do not communicate here, otherwise they would have left 2.2.6).
    This means that : no one recalls what bugs existed back then.

    *** what are your soft and hard time out values ?
    How many IPs / users are logged in ?
    How many available in the DHCP pool ?
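
The before/after comparison described in the post above can be scripted. This is an added example, not part of the thread and not pfSense code: it compares two saved table listings and reports which entries appeared or disappeared. The `---table(N)---` header format, the entry line layout and both snapshots are constructed assumptions; adjust `HEADER` to whatever your version prints.

```python
import re

# Assumed header line, e.g. "---table(1)---"; change this to match your output.
HEADER = re.compile(r"^-+\s*table\(([^)]+)\).*-+$")

def parse_tables(dump):
    """Return {table_name: set(entry_lines)} from a saved table listing."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, set())
        elif line and current is not None:
            tables[current].add(line)
    return tables

def diff_tables(before, after):
    """Return {table: {"removed": [...], "added": [...]}} for changed tables only."""
    a, b = parse_tables(before), parse_tables(after)
    changes = {}
    for name in sorted(set(a) | set(b)):
        removed = sorted(a.get(name, set()) - b.get(name, set()))
        added = sorted(b.get(name, set()) - a.get(name, set()))
        if removed or added:
            changes[name] = {"removed": removed, "added": added}
    return changes

# Constructed snapshots: one client's entry is gone after the idle period.
BEFORE = """\
---table(1)---
192.0.2.10/32 mac 02:00:00:aa:bb:01
192.0.2.11/32 mac 02:00:00:aa:bb:02
---table(2)---
192.0.2.10/32 mac 02:00:00:aa:bb:01
"""
AFTER = """\
---table(1)---
192.0.2.11/32 mac 02:00:00:aa:bb:02
---table(2)---
"""

if __name__ == "__main__":
    for table, change in diff_tables(BEFORE, AFTER).items():
        for entry in change["removed"]:
            print(f"table {table}: removed {entry}")
        for entry in change["added"]:
            print(f"table {table}: added   {entry}")
```

An empty result means the portal's state did not change during the wait; a removed entry for the test device points at a timeout expiring on the portal side.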


  • Hi.

    I finally got to move to version 2.3.2 but I have the same problem. I'll try to explain again with a new test I have done.

    First of all I have a 1 minute idle time for captive users

    I connect and log in to the captive portal successfully and then turn off WiFi on my device.
    Wait for two minutes -> User disappears from my captive portal users list
    Turn WiFi on again. I get a message on my device that I need to validate on my WiFi network -> I should have Internet at this point because I'm using MAC authentication, but that is not the case.
    I open a browser -> It appears that opening a browser launches MAC validation on pfSense and I can finally have Internet access.

    Any idea how can I solve this problem? This is an annoying behaviour

    Thank you in advance


  • @msemidan:

    First of all I have a 1 minute idle time for captive users

    A bit low for testing.

    @msemidan:

    I connect and log in to the captive portal successfully and then turn off WiFi on my device.
    Wait for two minutes -> User disappears from my captive portal users list

    When authenticated, were they (the MACs) present here :
    Services / Captive Portal / ZONE / MACs
    ?

    I do not use Radius authorization - I'm using the Local User Manager, but :
    Imagine this :
    An IP packet comes in.
    The originating MAC is extracted and sent over using some API to the remote RADIUS server,
    which decides if it can pass through, or not.
    RADIUS sends its decision back.
    pfSense portal behaves accordingly.
    For every packet ?

    The captive portal doesn't work like that. The connection would be far too slow …
    You should use :
    " Pass-through MAC Auto Entry " (see Captive portal settings page)
    but, in that case :
    When enabled, a MAC passthrough entry is automatically added after the user has successfully authenticated. Users of that MAC address will never have to authenticate again. To remove the passthrough MAC entry either log in and remove it manually from the MAC tab or send a POST from another system. If this is enabled, RADIUS MAC authentication cannot be used. Also, the logout window will not be shown.

    When you check
    " Pass-through MAC Auto Entry "
    even after the expire time, hard or soft, you could connect because your MAC is on the "ok, go through" firewall list.
    If it isn't, well, yes, you have to authenticate.

    Authenticating "on the fly" can't be done - isn't implemented.

    Btw : I could (and hope to !) be wrong. Again, never used a RADIUS server before. I get my "knowledge from reading the code" ;)


  • Hi. First of all, thanks for your response.

    I used 1 minute idle time just as an example, but I have done much more testing with different times and the same result.

    When authenticated, the MAC is not present on Captive Portal / ZONE / MACs because I'm not using MAC passthrough.

    I'm asking to see if anyone has found a way to get it working because it has become a problem for us. I have worked with other WiFi systems (much more complex) like Aruba and I have never had this problem with MAC auth and a RADIUS server.

    We don't want to use MAC passthrough because we lose, for example, accounting information.

    Regards,