Netgate Discussion Forum

    Captive Portal Radius authentication via Cisco ACS not working with NAR (SOLVED)

    Captive Portal
      mv202

      Hey everyone,

I can authenticate users via RADIUS to my Cisco ACS server. However, once I apply a NAR (network access restriction) I cannot restrict the traffic. I believe what pfSense is sending to my ACS server is not being recognized by it. I believe Cisco ACS is looking for a certain Caller-station-id and is not receiving it. I have tried using the "Cisco" method of RADIUS by selecting the Cisco drop-down box on the captive portal setup page. I also checked the "disable MAC authentication" box, but I still cannot restrict users using the NARs.

      I am having a similar problem as this person:
      http://forum.pfsense.org/index.php/topic,1924.msg11018.html#msg11018

I have tried what he did to make it work, but I am not getting anywhere. Has anyone set up RADIUS authentication to a Cisco ACS server?

I have been trying to figure this out for a few days now, and I have checked the pfSense and m0n0wall forums, but no luck. Any help you can provide is appreciated!

      thanks in advance,
      mv202

      +++++++++++++++++ UPDATE +++++++++++++++++++++++++++++

I was able to solve this by adding the WAN IP of the firewall to the AAA client list in Cisco ACS. I guess the WAN IP is a value sent to the Cisco ACS server from pfSense as part of the authentication. So, I added the LAN IP and the WAN IP to the Cisco ACS server and set up my NARs based on the WAN IP and not on the LAN IP. The LAN IP is where the RADIUS request is coming from, so it needs to be set up as an AAA client on ACS, but the WAN IP is what pfSense is sending as its NAS-IP-Address attribute (4), and Cisco ACS is using that value to permit or deny access via the NARs. Now it is working as expected. If anyone else has this issue, send me a message and I will try to explain how I am set up and offer some assistance.

      -MV202

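The distinction the update above turns on is that a RADIUS server sees two different addresses for the same NAS: the UDP source IP of the datagram (here pfSense's LAN address) and whatever the NAS chose to put in the NAS-IP-Address attribute (type 4; here pfSense's WAN address). The script below is an added example, not code from the original post or from pfSense or Cisco ACS: it builds a minimal Access-Request the way a NAS would (RFC 2865 framing and PAP password hiding), then evaluates it with a toy server that models the behaviour the post reports, looking up the AAA client by source IP and applying the NAR to attribute 4. All addresses, the shared secret, the user table and the NAR sets are constructed for the demo, and the server-side ordering is an assumption about ACS, not its documented internals.

```python
"""Added example: source IP vs NAS-IP-Address (attribute 4) in RADIUS.

Not code from the original post, pfSense or Cisco ACS. Topology, secret,
users and NAR tables are constructed; the server logic is a model of the
behaviour the post describes, not a reimplementation of ACS.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding. Each 16-byte block is XORed
    with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. One loop serves both directions because the key
    chain is driven by ciphertext blocks."""
    out = b""
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    return _xor_chain(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(username: str, password: str, nas_ip: str,
                         calling_station: str, secret: bytes, ident: int = 1) -> bytes:
    """What the NAS (pfSense) sends. nas_ip goes into attribute 4 regardless
    of which interface the UDP datagram actually leaves from."""
    authenticator = os.urandom(16)

    def tlv(t: int, v: bytes) -> bytes:
        return struct.pack("!BB", t, len(v) + 2) + v

    attrs = (
        tlv(ATTR_USER_NAME, username.encode())
        + tlv(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + tlv(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + tlv(ATTR_CALLING_STATION_ID, calling_station.encode())
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_request(packet: bytes):
    """Decode the 20-byte header and the attribute TLVs; reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, packet[4:20], attrs


def acs_evaluate(packet: bytes, src_ip: str, aaa_clients: dict, users: dict,
                 nar_permitted_nas: set) -> str:
    """Modelled order (assumption): AAA-client lookup by datagram source IP,
    credential check, then the NAR matched against NAS-IP-Address."""
    secret = aaa_clients.get(src_ip)
    if secret is None:
        return "drop"  # unknown client: RADIUS servers silently discard
    code, authenticator, attrs = parse_request(packet)
    if code != ACCESS_REQUEST:
        return "drop"
    user = attrs[ATTR_USER_NAME].decode()
    if users.get(user) != reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator):
        return "reject: bad credentials"
    nas_ip = socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS])
    if nas_ip not in nar_permitted_nas:
        return f"reject: NAR denies NAS {nas_ip}"
    return f"accept: user {user} via NAS {nas_ip}"


# Constructed topology from the post: the request leaves pfSense's LAN
# address, but attribute 4 carries the WAN address.
PFSENSE_LAN = "192.168.1.1"
PFSENSE_WAN = "203.0.113.10"
SECRET = b"constructed-shared-secret"
AAA_CLIENTS = {PFSENSE_LAN: SECRET, PFSENSE_WAN: SECRET}  # both registered, as in the fix
USERS = {"alice": b"correct horse"}


def demo():
    """Same packet, two NARs: keyed on the LAN IP (the poster's first try)
    and keyed on the WAN IP (the fix)."""
    req = build_access_request("alice", "correct horse", PFSENSE_WAN,
                               "00:11:22:33:44:55", SECRET)
    nar_on_lan = acs_evaluate(req, PFSENSE_LAN, AAA_CLIENTS, USERS, {PFSENSE_LAN})
    nar_on_wan = acs_evaluate(req, PFSENSE_LAN, AAA_CLIENTS, USERS, {PFSENSE_WAN})
    return nar_on_lan, nar_on_wan


if __name__ == "__main__":
    for label, result in zip(("NAR on LAN IP", "NAR on WAN IP"), demo()):
        print(f"{label}: {result}")
```

Running it prints a reject for the NAR keyed on the LAN address and an accept for the one keyed on the WAN address, which is the symptom and the fix from the post in miniature. When debugging a real deployment, capture the Access-Request on the RADIUS server and compare the IP source address with the decoded NAS-IP-Address attribute before touching the NAR; if the two differ, the NAR must be written against the attribute, not the source.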
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.