Enabling MIM causes Authentication Error for voucher based logins in Captive Portal

EDaleH

On a system that is configured with multiple VLan based Captive Portals, those that are set to "use an authentication backend" and vouchers enabled, can no longer login to Captive Portal, giving a "could not connect to authentication server" error. Disable MIM on that system and they can log in again. Prior connections continue to work fine as long as a login/authentication is not required. pfSense and Captive Portal are using an SSL certificate with Kea DHCP patched as per https://redmine.pfsense.org/issues/15321 to support RFC8910 (DHCP option 114)

The MIM and Captive Portal were both on the MIM controller in this configuration with 2 remote systems configured for MIM.

stephenw10

Hmm, that patch should not be required for most devices to detect a CP.

I assume here clients are still redirected to login they just cannot?

Are you able to authenticate against the auth server for other use? In Diag > Auth?
Or are you just using local vouchers there?

Steve

EDaleH

@stephenw10

@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

Hmm, that patch should not be required for most devices to detect a CP.

As of iOS14 Apple introduced DHCP option 114 as described in RFC8910. iOS will not permit http traffic at all, only https traffic is permitted and thus the captive portal is not triggered, instead an error related to https being required pops up. Quite simply put, iPhones can not log into the captive portal without using DHCP option 114. That option is now supported natively in Kea but not in the current pfSense GUI, thus the patch. This has NOTHING to do with the issue of 24.11 Beta authentication error when MIM is on. I mention it only for the purpose of documenting the setup I tested it on.

@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

Are you able to authenticate against the auth server for other use? In Diag > Auth?
Or are you just using local vouchers there?

My setup uses local user database, vouchers and FreeRadius authentication across 8 VLan based Captive Portals I did not test local user authentication through Captive Portal and FreeRadius authentication continues to work once MIM is on. The GUI uses the SSL certificate for webconfigurator and it too continues to work fine. To me this appears to be a direct relationship between voucher authentication and setting MIM on. It was 100% repeatable across 3 installs so far.
RE: Diagnostics, Authenticate
Once MIM is turned on, local user database and freeRadius both continue to authenticate under Diagnostics, Authenticate. Only voucher authentication fails and the only place to test that is at the login screen for the specific Captive Portal. No need to even reload the login page with the authentication error displayed, simply turn off MIM and it immediately accepts the voucher.

stephenw10

Hmm, so far unable to replicate.

Do you have MIM setup to a remote controller or just have the daemon enabled?

Do you see that error on the login page? In the logs? Both?

EDaleH

@stephenw10

@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

Do you see that error on the login page? In the logs? Both?

On the login page; I will check the logs. I will also add a captive portal with voucher authentication on one of the guest/other 24.11 Beta installs to see if I can duplicate it on an absolutely base install. I have the setup running today on the lab bench and will do a minimal config test this afternoon and give you the results and log info from the current master system.

The setup is 3 XG-7100-1U systems, the master is restored with a copy of our production setup for an RV site. 8 VLans/Captive Portals, the error is present independent of whether the two guest/slaves are turned on or not. It only shows up when you toggle MIM on, on the master. We run a custom captiveportal.inc but I have duplicated this error with the default captiveportal.inc as well.

Nov 11 10:33:08 logportalauth 21857 Zone: vlan30 - Voucher login good for 2614 min.: 7DvMWuKpp2s, f8:95:ea:09:ba:59, 192.168.30.2
Nov 11 10:33:08 logportalauth 21857 Zone: vlan30 - CONCURRENT LOGIN - REUSING OLD SESSION: 7DvMWuKpp2s, f8:95:ea:09:ba:59, 192.168.30.2

MIM Log: Nov 11 10:30:09 pfnet-controller 32816 Done shutting down main

Nov 11 10:29:55 logportalauth 21857 Zone: vlan30 - FAILURE: , f8:95:ea:09:ba:59, 192.168.30.2, Error : could not connect to authentication server.

MIM Log: Nov 11 10:25:14 pfnet-controller 32816 Controller ready

stephenw10

So you are testing with multiple CPs setup in each instance?

One potential issue here could be the ports in use. When you have multiple CP instances the ports used escalate. It's possible it's hitting the default MIM ports (8443/8080). Try enabling MIM on alternate ports.

EDaleH

@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

It's possible it's hitting the default MIM ports (8443/8080).

8 Portals. each using even for http, odd for https so they will use ports from :8002 through :8017, no conflict there.

I took one of the minimal setups and reconfigured it as a controller and added only one captive portal to it. It continued to work with voucher authentication, independent of MIM being enabled or not. This suggests some other aspect of the more complex Production installation may be involved in addition to the MIM itself.

I then did a full reinstall from the bootable installer and restored our production setup onto it. I did not configure MIM but I simply enabled and disabled it. The behaviour was identical to what I experienced initially, with MIM enabled, I get an authentication error.

At this time I do not need MIM and the fact our Production setup does not work with it is valuable information but not something we need to fix. We simply need to not enable MIM and we are working perfectly under 24.11 Oct 31 Beta and that was the original intent of the lab test of 24.11 Beta in the first place. I am sorry but I can't explain why we are getting the error only that we are. I will continue to test this with future releases but can't afford the time to go any further at the moment.

stephenw10

Ok that's good info.

Are you running the radius accounting mods on that when it fails?

EDaleH

@stephenw10 -
I am not sure what you refer to as radius accounting mods but we do use mods for captive portal (all in captiveportal.inc) that include freeRadius authentication and the re-authenticate every minute override to use the accounting interval instead (10 minutes). It is easy to cease to use them, simply put the original captiveportal.inc that came with 24.11 Beta back and reboot.

All of my testing has been done with the original captiveportal.inc that shipped with 24.11 Beta except for a couple of times where I put the modified captiveportal.inc in to see if anything changed. It did not make any difference.

All of the captive portal pages are also customized for login, error and logout. We use logout as an information dashboard that shows remaining time and data for that account i.e. the venue url for RFC8910, DHCP Option 114.. During my testing, I set the test portal back to the defaults for the full set of login, error, and logout as well. In every case it made no difference.

It will be very difficult to isolate this but now that I know the MIM controller doesn't have to be setup first, just turned on, I will toggle it on and off regularly and hopefully get more info for you.

stephenw10

Ok, we will continue trying to replicate it here. Let us know if you manage to narrow it down any further.

EDaleH

@stephenw10
One thing that was interesting, I switched the authentication server from freeRadius to Local user and the error changed from unable to reach ... to invalid. That setting should not matter for vouchers and although the error changed, the symptoms remained identical.

stephenw10

Mmm, initially it 'felt' to me like it's somehow treating the vouchers as a remote auth server. Hard to see how enabling MIM could make any difference though...

EDaleH

@stephenw10
Agreed, especially given the bare system controller test did not display the same symptoms. I have now rebuilt and reproduced the symptoms 4 times. I have a 4 Vlan Captive Portal installation at another site that I can throw onto the lab machine and do the same test. I will try to do that today. That setup has no customization.

rlinnemann

@EDaleH do you need to have multiple VLANs with CPs or can you reproduce this with a singe VLAN with a CP?

stephenw10

Mmm also when you hit this does it fail in the same way for all CP instances?

EDaleH

@rlinnemann said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

can you reproduce this with a singe VLAN with a CP?

@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

does it fail in the same way for all CP instances

OK, on the 8 CP system restore to lab server test, so far it is the only setup that is failing consistently. Both Local Users and vouchers fail on all Captive Portals that are configured for vouchers. FreeRadius authenticated CPs continue to work fine. I have eliminated the SSL certificate (https vrs http), removed my custom CP code, reset CP login/error/logout code to defaults and the issue with failed authentication did not change. It fails on all voucher enabled CPs when MIM is enabled and works fine when it is disabled. Unfortunately I don't have a CP on that system that is just Local user authentication but I will try to isolate that when I get a chance.

I have been unable to reproduce the problem with a new install with single CP and I just bench tested a different site restore that had 4 CPs and VLans, it worked fine too.

I am running out of corners to look in but I will give more thought to what is different between my two restored site tests as they are reasonably similar.

stephenw10

Ah OK. Well the fact it only fails on systems with multiple CPs seems like a good clue.

EDaleH

@stephenw10

@stephenw10 said in Enabling MIM causes Authentication Error for voucher based logins in Captive Portal:

Ah OK. Well the fact it only fails on systems with multiple CPs seems like a good clue

Perhaps but the clue that worked for me was that the 4 portal restore test that worked fine was on a Plus 24.03 and the 8 portal restore that was causing all the trouble was on a CE 2.7.2 system. So.... I rebuilt the 8 portal lab test and instead of installing 24.11 Beta directly, I installed 24.03, restored the CE 2.7.2 8 portal backup onto it, tested it, then upgraded to 24.11 Beta and it worked just fine, no authentication errors.

Now I was happy but wanted to be sure I found a way to reproduce it as this was a brand new backup of that 8 portal production system. So... I did a fresh install of 24.11 Beta and restored the identical backup onto it and tested it. Voila!, authentication errors when MIM is enabled.

So Advice to everyone, go through 24.03 before you go to 24.11 Beta.

For you Stephen, the cause is hiding in the restore of the config file from a 2.7.2 directly to a 24.11 beta. I guess you can solve it with the traditional slap on the hand and a firm "so, don't do that"?

rlinnemann

@EDaleH I'm glad it sounds like you've worked around it, but my spidey sense is still tingling here. Can you supply a redacted as necessary config that creates the problem on restore?

stephenw10

Just to confirm when you restored the config into 24.11 was that the full config via the webgui? In other words was the config upgrade script run against it?