Wifi MAC authentication



  • Hi
    I have just installed pfSense and FreeRADIUS. Can anyone tell me if it is possible for me to configure pfSense / FreeRADIUS to achieve the following?

    I have a number of hardware firewall routers at different locations around the country. I want to offer "Guest wifi". I want users to connect to the guest SSID and then see a splash screen with the option to log in with Facebook, Google, Twitter etc.
    Once they log in, the MAC address of their device will be saved in the pfSense database, so if that user goes to another site and connects to another router they will not have to log in again. Is this possible?

    If it is, can anyone tell me how I go about configuring this with pfSense / FreeRADIUS?

    Thanks
    Hiran



  • Where is pfSense in relation to all those firewall/routers? If there are any routers between the access points and pfSense, you'll never see the MAC addresses.



  • Hi

    The setup is like this.

    Site A: has a Draytek wireless router with a guest SSID and an option to enter "external auth server IP". Here I have entered the pfSense IP, which is at another site behind another router. The Draytek wireless router is effectively acting as an AP.

    Site B: Draytek router with the pfSense server behind it. When a wifi device from site A connects to its guest SSID, that Draytek router should talk to the pfSense server at site B and then MAC auth should take place.

    Will this work? I can't seem to get it working.



  • Again: where is pfSense here?
    pfSense is not a destination for "external auth server IP". What does this "external auth server IP" mean?
    Your Draytek routers/AP should talk to a, for example, FreeRadius server.
    This "external auth server IP" could be a FreeRadius server - and this FreeRadius server could be hosted by a "pfSense" setup.



  • Hi I have attached screenshots of the Draytek "external auth".
    [Screenshot: 0_1539358601985_2018-10-12 16_35_36-emisnet-hiran Vigor2862 Series.png]
    [Screenshot: 0_1539358617035_2018-10-12 16_34_39-emisnet-hiran Vigor2862 Series.png]



  • The image confirms: set up and have it talk to a (Free)Radius server.



  • Looks like you'd be better off with a cloud-controlled wifi system such as Meraki, Ruckus, or Cloudtrax. I don't think pfSense is meant for that kind of stuff. It's a firewall/router with additional features you can punch in. For cost and simplicity I'd go with Cloudtrax. If you want features you can look at one of the higher end products.



  • Hi, I'm not looking for a licensing service as there will be around 2000 APs. Is Cloudtrax free? Unlimited APs? Thanks.



  • @hiranuk

    In any case you would need to purchase the APs, but yes, the licensing of Cloudtrax is free. The A42 and A62 APs (which only differ in theoretical speed and capacity) are both very good. Range isn't the best but they are designed for capacity, not distance. I figure 25 users per antenna. The A42 (4 antennae) handles about 100 users and the A62 (6 antennae) handles about 150. They quote more but those are my safe figures. Whether or not it is a good fit for your environment you would need to determine. They don't have the feature set of the bigger guys, but as a place to offer free wifi with wireless isolation and gateway limiting, it works well. Could save you from having to put in a bunch of extra security as well, as each AP can have its own DHCP server on it. They have managed switches as well but I haven't used them.

    Due to the size I'd consider others as well, given the scope of the outage it would cause and how quickly you'd want to get back up. You may want to invest in something with fast support in case there is an issue, and I don't know if they offer that. We have several hundred across our clients and rarely have an issue. Most of the time, oddly enough, it is due to roofers detaching them when they work and leaving them wherever they want. 2000 in one shot, I'm not so sure about the scope of the scaling.



  • @hiranuk said in Wifi MAC authentication:

    behind another router.

    As I said, if there are any routers in between the access points and pfSense, you will never see the original MACs. MAC addresses are only valid on the local link. The Ethernet frames, which carry the IP packet, have the MAC addresses. When those frames reach a router, the IP packet is un-encapsulated and forwarded via a new Ethernet frame, and the original frame is discarded. All you'll see at pfSense is the MAC address of the last router the packet passed through.
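
The re-encapsulation described in the last reply, as an added example that is not part of the original thread: it builds an Ethernet/IPv4 frame byte by byte, passes it through two routed hops, and reports what the final receiver can read. All MAC and IP addresses are constructed, the function names are hypothetical, and NAT is deliberately left out.

```python
import socket
import struct

# Constructed, locally administered MACs (assumptions, not from the thread).
CLIENT_MAC, SITE_A_LAN, SITE_A_WAN = "02:00:00:00:00:01", "02:00:00:00:0a:01", "02:00:00:00:0a:02"
SITE_B_WAN, SITE_B_LAN, PFSENSE_MAC = "02:00:00:00:0b:02", "02:00:00:00:0b:01", "02:00:00:00:0b:99"

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def checksum(header):
    """RFC 1071 ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src_ip, dst_ip, ttl, payload):
    # Protocol 253 is reserved for experimentation; the payload is opaque here.
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, 253, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def ethernet_frame(dst_mac, src_mac, packet):
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + packet

def route(frame, egress_mac, next_hop_mac):
    """Forward one hop: drop the old Ethernet header, fix up IP, build a new frame."""
    packet = bytearray(frame[14:])       # the original frame's MACs are gone from here on
    packet[8] -= 1                       # decrement TTL
    packet[10:12] = b"\x00\x00"          # zero the checksum field before recomputing
    packet[10:12] = struct.pack("!H", checksum(bytes(packet[:20])))
    return ethernet_frame(next_hop_mac, egress_mac, bytes(packet))

def observed(frame):
    """What the receiver of this frame can read: (source MAC, source IP, TTL)."""
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, socket.inet_ntoa(frame[26:30]), frame[22]

def demo():
    packet = ipv4_packet("192.0.2.10", "198.51.100.1", 64, b"constructed payload")
    frame = ethernet_frame(SITE_A_LAN, CLIENT_MAC, packet)   # client -> site A router
    frame = route(frame, SITE_A_WAN, SITE_B_WAN)             # site A -> site B router
    frame = route(frame, SITE_B_LAN, PFSENSE_MAC)            # site B router -> pfSense
    return observed(frame)

if __name__ == "__main__":
    print(demo())  # source MAC is the site B router's LAN interface, not the client
```

The source IP survives both hops while the source MAC is replaced at each one, which is why a MAC-keyed lookup on a server behind a router only ever sees that router's interface.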