CP using remote RADIUS server prevents Wireless AP's connecting to RADIUS

  • I have many Access Points on the internal networks which are configured to perform 802.1x RADIUS authentication for clients to connect. The radius server is remote on an external network. When users connect their authentication packets are routed via the PFSense box and to the remote RADIUS server. This works and is a good config.

    When i enable the Captive Portal and configure RADIUS authentication for clients (using the same remote server) this causes the packets from the Access Points to be blocked (or caught) by the PFSense box rather than traversing to the remote network.

    I enabled an exclusion for the AP's in the Allowed IP addresses (inputting the AP addresses) and when i disabled/re-enabled the Captive Portal, this worked but is quickly broken again.

    But once a client has been connected and disconnects, they are not able to connect to the AP's again. In fact the only way to fix the issue is to stop and restart the Captive Portal process. This again only provides temporary connectivity until a client disconnects and the issue starts again.

    can anyone please advise, i suspect that this is either a bug or there is a workaround. any help is much appreciated, ive been up for 2 days trying to solve this one  ;)

    many thanks in advance

  • Did you try adding the mac adresses of the APs? Haven't seen this before. Anything strange in the systemlogs that might explain the behaviour?

  • thanks for the response.

    i disabled the CP function and found that adding the access points ip addresses to the allowed IP addresses first and saving before then enabling the captive portal (with all the radius server config stuff) seemed to fix this.

    the captive portal is working now in conjunction with the radius auth, so this enables the users to logon to the wireless network using their RADIUS credentials, then when using web browser , i can capture them (for the purposes of redirection to a portal site) and they can use same credentials there.

  • Thanks, this should be fixed now.