CP Mac Authentication Table - It's over 9000!

  • I run some large WiFi networks where the MAC auth table grows to over 9000 entries, which pretty much kills the firewall if not kept in check. This has been a known issue for a while and the fix seems a little ways out still. Is there a way to get a copy of the script mentioned @ https://redmine.pfsense.org/issues/3932? I'd much rather just trim the older entries than try to implement a local SQL server on the firewall.


  • Or does anyone else have any other recommendations or thoughts on how to navigate this issue for the time being?

  • LAYER 8 Netgate

    If you use vouchers they will get pruned when the voucher expires as long as you use Enable Pass-through MAC automatic addition with username. The voucher code will be the username so there is something for the pruner to key on when the voucher expires.

    I would think that would carry over to username/password logins but I have never tried that.

    Not sure why you're using MAC passthroughs or how you have it implemented.

  • We are authenticating users against a RADIUS server that connects to AD, as 99% of our users have accounts. The rest we assign vouchers on a per-case basis.

    We have enabled "Enable Pass-through MAC automatic additions" and "Enable Pass-through MAC automatic addition with username" so they only have to authenticate once and then we have their username associated with their device. The issue arises when we have more than 9000 separate device/username pairs in the DB. I know there are some PHP files that may help in pruning the MAC auth table, just not sure which ones they are and what parameters to pass to them.

    In the past, I've just been deleting the MAC auth table once a year (just before fall semester - we are a University) and then everyone has to re-authenticate. But with the growing number of devices everyone has, we are easily exceeding 9000 records within a year.
