Netgate Discussion Forum
    Can a RADIUS user be banned/disabled on pfSense

    General pfSense Questions
    5 Posts 2 Posters 2.6k Views
    phil_w

      Hello all,

      I'm wondering if someone can help me with a scenario I'm trying to resolve.

      We have a pfSense server serving wired connections, with users authenticating via RADIUS from Active Directory.

      What I'm trying to find is if there is a way I can ban a particular user, or MAC address from logging in via captive portal.
      We sometimes need to disable users if their machine is causing problems, for instance if it is broadcasting malware or using p2p file sharing.
      However we only want to disable them for pfSense and not RADIUS in general.

      Either disabling the users ability to login via captive portal, or preventing them from getting a DHCP would be ideal.

      If anyone can suggest a solution for this it would be greatly appreciated.

    Nachtfalke

        You could perhaps assign a VLAN information for a client/user and this VLAN is blocked by your firewall and no DHCP enabled on this interface.

        But for this you'll need a switch which can realize dynamic VLAN assignment and the port needs to be configured for that.

        Other way could be to only allow that client for specific times - in your case no times. This can be done from RADIUS, too.

    phil_w

          @Nachtfalke:

          You could perhaps assign a VLAN information for a client/user and this VLAN is blocked by your firewall and no DHCP enabled on this interface.

          But for this you'll need a switch which can realize dynamic VLAN assignment and the port needs to be configured for that.

          Other way could be to only allow that client for specific times - in your case no times. This can be done from RADIUS, too.

          Unfortunately neither of these options will really work for this scenario. This is a student accommodation environment and the network topology includes unmanaged switches, and the VLAN management on the managed switches is on a per port basis (we can't be certain what port a user may be on so we can't switch the VLAN).

          RADIUS authentication is in use for other systems, which we won't want to block for the user.

          An ideal solution, which I've used before with other systems, is to set up a static DHCP lease against the MAC address that's something ridiculous like 4.5.6.7, which would prevent the user connecting. But pfSense doesn't want to let me set any DHCP lease outside the LAN subnet range.

    Nachtfalke

            If the range is 192.168.100.100 - 192.168.100.200 then assign static addresses to 192.168.100.201+ and create a firewall rule which blocks traffic for these source IP addresses.

    phil_w
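The quarantine approach above, worked through as an added example (not code from the thread or from pfSense): static mappings must stay inside the interface subnet, which is exactly the restriction phil_w hit, so the script picks addresses from the same subnet but above the dynamic pool, assigns one per banned MAC, and renders the list for a host alias that a block rule can reference. The subnet, pool and gateway values are constructed to match the thread; the gateway address is an assumption.

```python
import ipaddress
from typing import Dict, Iterator, List

# Constructed sample values mirroring the thread: a /24 LAN whose DHCP pool
# is 192.168.100.100-192.168.100.200. Quarantine addresses come from the
# same subnet (pfSense refuses static mappings outside it) but above the pool.
LAN_SUBNET = ipaddress.ip_network("192.168.100.0/24")
POOL_START = ipaddress.ip_address("192.168.100.100")
POOL_END = ipaddress.ip_address("192.168.100.200")
GATEWAY = ipaddress.ip_address("192.168.100.1")  # assumed; not stated in the thread


def is_valid_quarantine_ip(ip: str) -> bool:
    """True if ip lies inside the LAN subnet, outside the dynamic pool, and is
    not the network, broadcast or gateway address."""
    addr = ipaddress.ip_address(ip)
    if addr not in LAN_SUBNET:
        return False  # e.g. 4.5.6.7: rejected by pfSense as outside the subnet
    if POOL_START <= addr <= POOL_END:
        return False  # would collide with the dynamic range
    return addr not in (LAN_SUBNET.network_address, LAN_SUBNET.broadcast_address, GATEWAY)


def quarantine_candidates() -> Iterator[ipaddress.IPv4Address]:
    """Yield usable addresses above the pool, lowest first (.201 upwards)."""
    for host in LAN_SUBNET.hosts():
        if host > POOL_END and is_valid_quarantine_ip(str(host)):
            yield host


def build_quarantine(macs: List[str]) -> Dict[str, str]:
    """Map each banned MAC (case-insensitive, duplicates collapsed) to its own
    static-mapping address. Raises RuntimeError when the space above the pool
    is exhausted, so the pool would have to be shrunk to ban more clients."""
    mapping: Dict[str, str] = {}
    candidates = quarantine_candidates()
    for mac in macs:
        mac = mac.lower()
        if mac in mapping:
            continue
        try:
            mapping[mac] = str(next(candidates))
        except StopIteration:
            raise RuntimeError("no addresses left above the pool for %s" % mac)
    return mapping


def block_rule_alias(mapping: Dict[str, str]) -> str:
    """Render the blocked source addresses one per line, in address order,
    for pasting into a host alias that a block rule then references."""
    return "\n".join(str(a) for a in sorted(ipaddress.ip_address(v) for v in mapping.values()))
```

A single block rule matching source = alias then covers every banned MAC, and unbanning is just deleting the static mapping and the alias entry.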

              @Nachtfalke:

              If the range is 192.168.100.100 - 192.168.100.200 then assign static addresses to 192.168.100.201+ and create a firewall rule which blocks traffic for these source IP addresses.

              That's both obvious, and brilliant! I really should have thought of that  :-[

              Thanks for the suggestion.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.