Can a RADIUS user be banned/disabled on pfSense



  • Hello all,

    I'm wondering if someone can help me with a scenario I'm trying to resolve.

    We have a pfSense server serving wired connections, with users authenticating via RADIUS from Active Directory.

    What I'm trying to find is if there is a way I can ban a particular user, or MAC address from logging in via captive portal.
    We sometimes need to disable users if their machine is causing problems, for instance if it is broadcasting malware or using p2p file sharing.
    However we only want to disable them for pfSense and not RADIUS in general.

    Either disabling the user's ability to login via captive portal, or preventing them from getting a DHCP lease would be ideal.

    If anyone can suggest a solution for this it would be greatly appreciated.



  • You could perhaps assign VLAN information for a client/user, and this VLAN is blocked by your firewall with no DHCP enabled on this interface.

    But for this you'll need a switch which can realize dynamic VLAN assignment, and the port needs to be configured for that.

    Another way could be to only allow that client for specific times - in your case no times. This can be done from RADIUS, too.



  • @Nachtfalke:

    You could perhaps assign VLAN information for a client/user, and this VLAN is blocked by your firewall with no DHCP enabled on this interface.

    But for this you'll need a switch which can realize dynamic VLAN assignment, and the port needs to be configured for that.

    Another way could be to only allow that client for specific times - in your case no times. This can be done from RADIUS, too.

    Unfortunately neither of these options will really work for this scenario. This is a student accommodation environment and the network topology includes unmanaged switches, and the VLAN management on the managed switches is on a per-port basis (we can't be certain what port a user may be on so we can't switch the VLAN).

    RADIUS authentication is in use for other systems, which we won't want to block for the user.

    An ideal solution, which I've used before with other systems, is to set up a static DHCP lease against the MAC address that's something ridiculous like 4.5.6.7, which would prevent the user connecting. But pfSense doesn't want to let me set any DHCP lease outside the LAN subnet range.



  • If the range is 192.168.100.100 - 192.168.100.200 then assign static addresses to 192.168.100.201+ and create a firewall rule which blocks traffic for these source IP addresses.
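
The quarantine trick above, worked through as an added example (not code from the thread or from pfSense itself): stay inside the LAN subnet, which is why pfSense accepts the static mapping, but above the DHCP pool, then block that range at the firewall. The subnet, pool, MAC addresses and interface name `em1` are constructed placeholders; the pf rule text only illustrates the shape of the rule pfSense builds from its GUI.

```python
import ipaddress

# Constructed sample values: LAN subnet, DHCP pool bounds and banned MACs.
LAN = ipaddress.ip_network("192.168.100.0/24")
POOL = (ipaddress.ip_address("192.168.100.100"),
        ipaddress.ip_address("192.168.100.200"))
BANNED_MACS = ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]


def quarantine_addresses(lan, pool):
    """Usable addresses inside the subnet but above the pool (201..254 here).

    pfSense rejects static mappings outside the subnet, so the usable trick
    is the slice between the pool's last address and the broadcast address."""
    start, end = pool
    if start not in lan or end not in lan or start > end:
        raise ValueError("pool must lie inside the LAN subnet")
    first, last = end + 1, lan.broadcast_address - 1
    return [ipaddress.ip_address(a) for a in range(int(first), int(last) + 1)]


def assign_quarantine(macs, lan, pool):
    """Give each banned MAC its own address above the pool (one static lease each)."""
    free = quarantine_addresses(lan, pool)
    if len(macs) > len(free):
        raise ValueError("only %d addresses above the pool for %d hosts"
                         % (len(free), len(macs)))
    return {mac.lower(): free[i] for i, mac in enumerate(macs)}


def block_rules(lan, pool, iface="em1"):
    """pf-style table plus block rule covering the quarantine range.

    The range is summarised into CIDR blocks, which pfSense aliases accept."""
    free = quarantine_addresses(lan, pool)
    cidrs = [str(n) for n in ipaddress.summarize_address_range(free[0], free[-1])]
    return "\n".join(["table <quarantine> { %s }" % ", ".join(cidrs),
                      "block in quick on %s from <quarantine> to any" % iface])


def is_blocked(ip, lan, pool):
    """Would a client holding this address match the block rule?"""
    return ipaddress.ip_address(ip) in quarantine_addresses(lan, pool)


if __name__ == "__main__":
    for mac, ip in assign_quarantine(BANNED_MACS, LAN, POOL).items():
        print("static mapping: %s -> %s" % (mac, ip))
    print(block_rules(LAN, POOL))
```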



  • @Nachtfalke:

    If the range is 192.168.100.100 - 192.168.100.200 then assign static addresses to 192.168.100.201+ and create a firewall rule which blocks traffic for these source IP addresses.

    That's both obvious, and brilliant! I really should have thought of that  :-[

    Thanks for the suggestion.

