Netgate Discussion Forum

Captive Portal with RADIUS and NPS no authentication possible

  • F
    fbmm
    last edited by fbmm Aug 30, 2023, 10:07 AM Aug 30, 2023, 10:03 AM

    Hi everyone,

    I've come to a point where I don't know how to proceed. The setting:

    • pfSense with Captive Portal
    • NPS on a Windows Server 2019 on the same network

    Everything has been configured following this guide: https://docs.netgate.com/pfsense/en/latest/recipes/radius-windows.html#thirdparty-radius-windows-server

    When I test authentication in the Captive Portal or in Diagnostics -> Authentication, it will result in either of these options:

    • "Authentication failed."
    • nginx 502 Bad gateway
    • System log: "php-fpm 16019 /index.php: Error during RADIUS authentication : Operation timed out"

    The funny thing is: when I check NPS logs, authentication is logged as successful and access is granted to the user. pfSense tries to authenticate three times in a row, with 5 seconds in between the attempts.

    Any ideas why authentication on pfSense will result in a Timeout when authentication actually seems to be successful?

    Thanks very much for your ideas.

    Edit: from the nginx logs:
    2023/08/30 11:25:43 [error] 62296#100352: *466 upstream prematurely closed connection while reading response header from upstream, client: 192.168.40.204, server: , request: "POST /index.php?zone=wlan_gast HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "192.168.40.1:8002", referrer: "http://192.168.40.1:8002/index.php?zone=wlan_gast"

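One thing to rule out when the server logs a grant but the client reports a timeout, as an added example that is not part of the thread and not a confirmed cause of this report: RFC 2865 has a client silently discard any reply whose Response Authenticator does not verify against its own copy of the shared secret. The code below applies that check to a reply; the packet bytes, identifier and both secrets are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Build a reply the way a server holding `secret` would (sample data only)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(reply, request_id, request_auth, secret):
    """Classify a reply the way an RFC 2865 client must before acting on it."""
    if len(reply) < 20:
        return "discard: shorter than RADIUS header"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "discard: bad length field"
    if ident != request_id:
        return "discard: identifier does not match request"
    attrs = reply[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "discard: Response Authenticator mismatch (shared secret differs?)"
    return "accept" if code == ACCESS_ACCEPT else f"valid reply, code {code}"

# Constructed sample values, not taken from the thread.
REQUEST_ID = 0x2A
REQUEST_AUTH = bytes(range(16))                      # 16-byte Request Authenticator
SERVER_SECRET = b"secret-configured-on-server"
CLIENT_SECRET_TYPO = b"secret-configured-on-client"  # differs from the server's
REPLY_MESSAGE = bytes([18, 2 + len(b"ok")]) + b"ok"  # attribute 18 = Reply-Message
SAMPLE_REPLY = build_reply(ACCESS_ACCEPT, REQUEST_ID, REPLY_MESSAGE,
                           REQUEST_AUTH, SERVER_SECRET)

if __name__ == "__main__":
    # Same Access-Accept, checked with matching and non-matching secrets.
    print(check_reply(SAMPLE_REPLY, REQUEST_ID, REQUEST_AUTH, SERVER_SECRET))
    print(check_reply(SAMPLE_REPLY, REQUEST_ID, REQUEST_AUTH, CLIENT_SECRET_TYPO))
```

A discarded reply produces no error on the server side, so the server log alone cannot distinguish it from a reply that was accepted.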
    • G
      Gertjan @fbmm
      last edited by Sep 4, 2023, 7:00 AM

      @fbmm said in Captive Portal with RADIUS and NPS no authentication possible:

      2023/08/30 11:25:43 [error] 62296#100352: *466 upstream prematurely closed connection while reading response header from upstream, client: 192.168.40.204, server: , request: "POST /index.php?zone=wlan_gast HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket:", host: "192.168.40.1:8002", referrer: "http://192.168.40.1:8002/index.php?zone=wlan_gast"

      The 192.168.40.1 is the captive portal interface address, and 192.168.40.204 is the captive portal client?
      You are using the default built-in captive portal login page?

      To test:
      Stop this one:

      2076a664-1e16-4993-aec6-e75fb6748b5f-image.png

      and open an SSH or console connection. Use option 8.
      Execute RADIUS in debug mode:

      radiusd -X
      

      Now, you'll see a lot of info.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs??

      • Y
        yanqian @fbmm
        last edited by Nov 10, 2023, 12:15 AM

        @fbmm I also failed to use NPS as a RADIUS server before, discussed in this thread, but hadn't found a solution at that time:
        https://forum.netgate.com/topic/149744/windows-radius-server

        You may search the forum, and refer to other working NPS related posts.

        • Y
          yanqian @yanqian
          last edited by yanqian Nov 10, 2023, 6:43 AM Nov 10, 2023, 6:37 AM

          Update:
          I tried to use NPS on Server 2016 as a RADIUS server just now, and it works.
          pfSense version is 2.7.0, RADIUS MS-CHAPv2.
