Captive portal RADIUS server questions

  • Hi,

    we are currently investigating using a captive portal at all locations; however, to make deployment easier we want to use one central radius server.
    Would it work if I use a radius server that is only accessible through an IPSEC VPN connection?

    To make sure that at least our technicians can use the network even when the central radius server is not reachable, is it possible to use both local user management and a radius server?
    I think currently that doesn't work, but before I post a bounty, I would like to know how much work it would be and how much it would cost me.

    While at it, is there a good reason why it is only possible to enter IP addresses as the radius server and not DNS names? Personally I would prefer DNS names for everything as they are so much easier to remember.


  • To use a remote Radius server that goes through an IPSEC tunnel you need to add a fake static route (like remote subnet of radius-server through gateway own lan IP). This works with syslog, dns and other stuff running directly on the pfSense too.

    For redundancy I would install a local freeradius server and let the cp use the remote central radius as first radius server and the local fallback freeradius as second one (you can enter 2 radius servers at the cp settings).

  • Thanks for your reply. I will do that with the fake static route.

    I think a second radius server will not do everything I need.

    I forgot to mention in my initial post that I would like to somewhere store and manage local users that are not stored on our central server. We have a central server with all company internal users that should be able to log in through the captive portal; that should work fine.
    But if somebody at site A wants to add an external user "hoba" to access the network, where would that user be added?

    I don't want hoba to be added to the central server, and if hoba is added to the local radius server at site A it would only work when the central server is down.

    So I guess I need two ways to authenticate users at the same time or I need to rethink how to design the network…


  • Ah, now I got you. The second authentication server should not provide a fallback with the same user settings in case the first one is down but have different users. So the authentication should work like first check central server, if user not found/authenticated check if user present in second server. I'm afraid, this is not doable atm. Not sure if such a feature can be added easily as we try to keep as much in sync with m0n0wall regarding the captive portal feature to port their code over if they add new features.

  • Thanks for the clarification.

    Maybe I should look into radius servers instead of pfsense. Maybe it is possible to get a radius server to pull parts of its database from a central server while using a local database at the same time…
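
The two lookup behaviours discussed in this thread (second server only as a fallback when the first is unreachable, versus a site server that answers for its own users and forwards everyone else to the central one), as an added Python model that is not part of the original posts and is not pfSense or FreeRADIUS code. The classes, function names, passwords and the users alice and tech1 are constructed for illustration.

```python
# Constructed model (not pfSense or FreeRADIUS code): compares the two lookup
# policies discussed in the thread. All user names and stores are sample data.
from enum import Enum

class Reply(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "no reply"

class RadiusServer:
    def __init__(self, users, reachable=True):
        self.users, self.reachable = users, reachable

    def auth(self, user, password):
        if not self.reachable:
            return Reply.TIMEOUT          # e.g. the IPsec tunnel is down
        ok = self.users.get(user) == password
        return Reply.ACCEPT if ok else Reply.REJECT

def failover(primary, secondary, user, password):
    """Second server is asked only when the first one does not answer."""
    reply = primary.auth(user, password)
    if reply is Reply.TIMEOUT:
        reply = secondary.auth(user, password)
    return reply is Reply.ACCEPT

def local_then_central(local, central, user, password):
    """Site server answers for users it knows and forwards everyone else."""
    if user in local.users:
        return local.auth(user, password) is Reply.ACCEPT
    return central.auth(user, password) is Reply.ACCEPT

def shadowed(local, central):
    """Names defined in both stores; the local entry would win, so audit these."""
    return sorted(set(local.users) & set(central.users))

def demo():
    central = RadiusServer({"alice": "pw-a"})                  # internal users
    site_a = RadiusServer({"hoba": "pw-h", "tech1": "pw-t"})   # guest + technician
    results = {}
    for up in (True, False):
        central.reachable = up
        for user, pw in (("alice", "pw-a"), ("hoba", "pw-h"), ("tech1", "pw-t")):
            results[(up, user)] = (failover(central, site_a, user, pw),
                                   local_then_central(site_a, central, user, pw))
    return results

if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Each result is a pair (fallback policy, local-then-central policy), keyed by whether the central server is reachable. In the second policy a locally created name takes precedence over a central account of the same name, which is what `shadowed()` is there to report.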

