Captive Portal Radius authentication via Cisco ACS not working with NAR (SOLVED)



  • Hey everyone,

    I can authenticate users via radius to my Cisco ACS server. However, once I apply a NAR (network access restriction) I cannot restrict the traffic.  I believe what PFsense is sending to my ACS server is not being recognized by it.  I believe Cisco ACS is looking for a certain Caller-station-id and is not receiving it.  I have tried using the "Cisco" method of radius by selecting the Cisco drop down box on the captive portal setup page.  I also checked the disable MAC authentication box but I still cannot restrict users using the NAR's.

    I am having a similar problem as this person:
    http://forum.pfsense.org/index.php/topic,1924.msg11018.html#msg11018

    I have tried what he did to make it work but I am not getting anywhere.  Has anyone setup radius authentication to a Cisco ACS server?

    I have been trying to figure this out for a few days now and I have checked the Pfsense and Monowall forums but no luck.  Any help you can provide is appreciated!!!

    thanks in advance,
    mv202

    +++++++++++++++++ UPDATE +++++++++++++++++++++++++++++

    I was able to solve this by adding the WAN IP of the firewall to the AAA list of clients in Cisco ACS.  I guess the WAN IP is a value sent to the Cisco ACS server from PFsense for part of the authentication.  So, I added the Lan IP and the WAN Ip to the CISCO ACS server and I setup my NARs based on the WAN IP and not on the LAN ip.  The LAN IP is where the Radius request is coming from so it needs to be setup as a AAA client on ACS but the WAN IP is what PFsense is sending as it's "NAS IP Address Attribute (4)"  and the CISCO ACS is using that value to permit or deny access via the NAR's.  Now it is working as expected.  If anyone else has this issue send me a message and I will try to explain how I am setup and offer some assistance.

    -MV202


Log in to reply