Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive portale with FreeRadius joined with Google Workspace

    Captive Portal
    2
    2
    61
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      leonida368
      last edited by

      Hello everyone. for some of our client schools, we implemented a captive portal joined with Google Workspace some time ago that works well.
      The problem with this configuration is that the captive portal authentication sessions remain only in ram memory so if pfsense is turned off, the customer devices must authenticate again.
      This may be ok in scenarios that require a daily captive portal, but it is not ok in scenarios where the device must be registered only once (obviously with the captive portal) and then not need to register it again (for example for personal devices of teachers)
      in this latest scenario a radius server (ex. FreeRadius) must be implemented that store the authentications in a db.
      Can you give me some advice on how to do this configuration?

      1 Reply Last reply Reply Quote 0
      • E
        EDaleH
        last edited by

        @leonida368 said in Captive portale with FreeRadius joined with Google Workspace:

        Can you give me some advice on how to do this configuration?

        There are a lot of variables there, version of pfSense or Plus, duration of power outage, etc.

        Basically, all versions of pfSense support the "Preserve Connected Users across Reboot" option so if you don't have that checked off under Services, Captive Portal, then select the portal itself.
        526aaae2-7ec0-46c9-accb-b4f89ee5ae33-image.png

        There is also the duration of the lease and settings for idle and hard timeouts:
        60091acf-a826-4df5-aa4b-13a21b1431d1-image.png

        If you are following the DHCP instructions, your hard timeout will be less than the lease duration but many users of ISC DHCP do not respect that requirement as it allocates the oldest IP next so, depending upon the number of different connections vrs size of lease pool, the IP may remain available for reassignment to the same mac address for days, weeks or even months. This fact lets the DHCP Lease expire and when the device returns with the same mac address, it will get the same IP, thus the fact you set the hard timeout in CP longer than the lease duration is not a problem as when the device returns, it gets the same IP and is still authenticated.

        In the Kea DHCP server, the duration of lease retention for assignment to the same mac address is very short, a second or so. In order to address this concern, they support "lease affinity" but just as you mentioned for the default CP authentications, it is lost on a reboot. There is a ticket to change that but it is well into the future.

        Redmine 15854 and Redmine 15934 may interest you in regard to this.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.