Captive Portal authenticating users as "unauthenticated" after their allowed time of session

leonardcapillon

Hello,

First post here, first of all a little background : we are using pfsense v2.4.5-RELEASE-p1 with (normally) up to date freeradius3, service_watchdog, squid and squidguard packages.

We are using the captive portal function with radmac freeradius authentication to allow our users 2 hours of daily internet session. We use personalised captive portal homepage and home made scripts to register our users to the radius server (using the package configuration calls). The scripts and the 2 hours daily were working fine on the previous pfsense version we were using (2.3.2-REALEASE)... So we assume that the scripts should still be ok

In normal behaviour, our user land on the portal and accept our terms and conditions and benefits from 2 hours of internet. On pfsense captive portal status, we can see our logged in users and his username is his unformatted mac (eg 001122334455). After the 2 hours, internet drops and the user land on a page stating that they have used all their session time for the day. On the captive portal logs we can see something like this :
{88D55705-5C68-4665-97D8-8BBF02C73B38}.png

The issue : With pfsense 2.4.5, in the logs, we see lot's of "unauthenticated" user mentionned with the mac, where with the previous version we were only seeing the correct username. Then when the user accepts the terms, the correct username appears in the captive portal status page, but after the 2 hours session (or when disconnected because of idle) in some case (not consistent) the user gets to continue surfing the web undefinitely without being redirected to the captive portal. The username then appears as "unauthenticated" in the captive portal status page :
{6FD672A0-AC9F-4442-BB4B-BBF0A27D7122}.png
{97D5F3EB-F307-4837-84A1-6DC3D5B25FEE}.png

The only difference I saw comparing the two configurations of the captive portal is this option that is enabled on the 2.3.2 and missing in the 2.4.5 configuration :
{B7D6BE3C-13F1-4493-AFB6-BF1D72BCB0D9}.png

Any help would be greatly appreciated. Thank you a lot in advance for your help, have a great weekend
Best regards,
Leonard

Gertjan

@leonardcapillon

I really want to help you, but I can't go back these version : they are 2, or 3 years old !!
Where did you got these version from ??

I'm using the captive portal myself, that is, our clients, using Freeradius and classic user/passwords.

In pfSense 2.6.0, most of the captive portal scripts was somewhat rewritten a bit, so ancient bugs don't exist any more.

There is one trick that worked back then, and is identical today.
Stop FreeRadius in the GUI :
Use Freeradius manually : enter SSH (or console), option 8 :

radiusd -X

Now you can see all the pfSense <=> FreeRadius communication.
I'm not sure if the info shown will give you an answer.

Your freeradius3 is also .... very old.

The thing is, when you decide to upgrade pfSense you can't update the packages neither, it is as if your system is 'frozen' in time with the issues of that moment. If you upgraded a packages, you have installed packages that are meant to run on a 'current' version (that is 2.6.0 now), and you use it old an earlier version. That's like running Windows 10 programs on Windows 7.

Issues that no one can see, as they all moved away to newer versions, with newer /other bugs and features.
I can't actually recall what was different between 2.3.2 and 2.4.5. I can't even remember much about 2.5.2, the version before 2.6.0.

leonardcapillon

@gertjan Thanks for the reply, I know this is a old version... We have a quite long qualification process

I have already tried the radiusd -X some time ago but it was so verbose that I didn't find anything usable. I will give it another go and continue searching for a fix

Thank you again !