Netgate Discussion Forum

    Captiveportal - ubuntu as radius server and for MySQL, pfsense as captive portal

      asura

      Hi friends, will anyone help me with my project?

      I have an Ubuntu server installed with freeradius and MySQL.
      Together with it I installed VirtualBox for pfsense as a captive portal.

      Ubuntu server as a radius server with IP 192.168.1.90
      pfsense inside VirtualBox with WAN IP 192.168.1.99 and LAN IP 192.168.3.11
      my laptop (192.168.3.9) as a client connected to AP with IP 192.168.3.1

      Here is my configuration:
      1- file /etc/freeradius/sql.conf
      readclients = yes

      2- file /etc/freeradius/sql.conf
      server = "localhost"
      login = "root"
      password = "xxxxxx"
      radius_db = "radius"

      3- file /etc/freeradius/radiusd.conf by uncommenting the following line
      $INCLUDE sql.conf

      4- Enable SQL configuration in the default enabled site /etc/freeradius/sites-available/default

      5- create radius database and insert schema.sql and nas.sql into database
      MySQL> INSERT INTO nas VALUES (NULL, '192.168.1.99', 'wifi.system', 'other', NULL, 'testing123', NULL, NULL, 'RADIUS Client');

      6- file /etc/freeradius/clients.conf
      client 192.168.1.99 {   # (my pfsense box ip)
             secret = testing123   # (is this something you put into shared secret in pfsense captive portal configuration?)
             shortname = wifi.system   # (I just put anything in here, how can I figure out the exact shortname for my machine?)
             nastype = other
      }

      Before I proceeded to step 6, I just executed the SQL command and inserted those values into the NAS table.
      After failing to log in via the pfsense captive portal, I proceeded to step 6 and deleted the NAS table.
      But the same thing happened: unable to authenticate to the radius server.

      Any help please. Thanks in advance.

        thermo

        • Start radius with "radiusd -X" to see debugging output!
        • I don't see in your steps where you configured a valid user. (user <> nas/client)
        • See the documentation for radtest, this will help you narrow down where your configuration is failing.

          asura

          Thanks for your reply.
          I debugged with 'freeradius -X'.
          There I can see the message authentication failed from 192.168.1.99 …..

          Using 'radtest test 12345678 localhost 1812 testing123', it was successfully accepted with message 'access-accepted'.

          User 'test' with password '12345678' is stored in the MySQL database.

            asura

            Somehow I successfully authenticated and am able to log in with 'test' pass '12345678'.

            A new problem came up. The captive portal page does not come up automatically.
            I need to type in '192.168.3.11:8000' in the browser to view my captive portal page.

            After successfully logging in with the 'test' id, I still cannot access google.com. Page not found.

            I'm lost here. Anyone got any idea?

              thermo

              Glad you got the auth. working.
              The CP should work ok, except that there is a bug in the captive portal redirect where the first "/" character is removed from the URL and you get a page not found. You can get around this by forcing a redirect to google.com (or any other site) for all successful logins, rather than the page the user requested.

                asura

                Thanks.
                Normally, whatever site you try to access, whatever you type into the web browser address bar, it will point back to the captive portal page and ask for username and password.

                That kind of thing does not happen on my pfsense box. Whatever site I try to access, it keeps showing me page not found. My captive portal page does not show up as it is supposed to.

                Any idea?

                  Nachtfalke

                  First:
                  The DNS server of your hosts must be the pfsense CP interface IP address.

                  Second:
                  CP will only appear if your host is browsing to a http address. httpS will not be recognized and CP will not appear. So if a user wants to auth he needs to browse to a http page.

                  Third:
                  If you want to redirect a user to another page, type in the complete URL like http://www.google.com

                    asura

                    @Nachtfalke:

                    First:
                    The DNS server of your hosts must be the pfsense CP interface IP address.

                    The pfsense box LAN IP is set as DHCP. So I just connect my laptop without problem. Or do you mean something else?

                      Nachtfalke

                      The DNS of the clients is pfsense ? Do not use any other DNS. That is important that CP can work.

                        asura

                        Here is my diagram, for better understanding.

                        The DNS of the clients is pfsense ?

                        YES, the clients' DNS is the CP IP address.

                        I tried to access http://192.168.1.90/phpmyadmin and the CP did show up. It works!!
                        BUT, whenever I log in to the CP, once again my browser shows me 'page not found'.
                        'ping time out' from my laptop (192.168.3.10) to the Radius Server (192.168.1.90).

                        However, each time I tried to access the google page or another website on the internet,
                        the CP did not come up and the browser showed me 'page not found' instantly.

                        I'm lost here. Is it something to do with firewall rules or the pfsense CP configuration?

                          Nachtfalke

                          Hi,

                          on firewall you must allow HTTP (80) traffic, DNS (53), and port 8000 which is the Captiveportal. Best would be if you first create an "allow any to any" rule on the CP interface to make sure that your firewall is not the reason for your problems. If all is working you can try to play with firewall rules.

                          Further you should remember:
                          CP is only showing up if you connect to an http web-page. httpS webpages cannot be redirected by CP as far as I know. If I am not wrong - google is using httpS in some cases ? Please try with another webpage which is for sure just using http. This should make the CP portal come up.

                            asura

                            Thanks for your time and advice.

                            Once I tried setting the firewall to * * * * , I allowed any to any. As you said, I did the "allow any to any" rule.
                            Nothing changed, I got the same problem. Then I disabled all rules on my LAN (CP) .. nothing good happened.

                            I will try this .. wish me luck guys:

                            on firewall you must allow HTTP (80) traffic, DNS (53), and port 8000 which is the Captiveportal

                              asura

                              After disabling the CP, I have no problem surfing the internet with my laptop.
                              Whenever I enable the CP, the CP page comes up and asks for username and password.

                              However ..
                              after successfully logging in to the CP, my browser shows me 'can't connect to server'.
                              Again, I cannot access any website on the internet.

                              From the pfsense box I can successfully ping the router, the radius server and the internet.

                              Could the connection from pfsense to the radius server be having some problem?
                              Or does my radius server need some more configuration to allow users access to the internet?
                              Or does the WAN firewall need some rules?

                                Nachtfalke

                                That's a really strange behaviour I think.

                                The RADIUS problem:

                                • On CP you have to set RADIUS as authentication and the RADIUS IP address, the RADIUS port for authentication (1812) and the shared secret. And then a little below on the CP page there is something like "NAS identifier", this should be probably set to your WAN IP address of pfsense. That is the minimum you have to do if I remember correctly.

                                • On RADIUS you have to add the client/NAS, which is your pfsense CP, with the same shared secret. RADIUS auth listening on port 1812 and of course add a user with username and password. To make sure that RADIUS is getting the access-request from CP and is sending back an access-accept to CP you should run freeradius in debug mode. This can be done with:

                                radiusd -X
                                

                                You should see the auth request from CP and the accept/reject from RADIUS. And you should see the IP address to where the RADIUS is sending it.

                                While writing this text I am thinking about a possible problem if you have running NAT on pfsense WAN interface. Not sure if this could cause problems.

                                Another possibility could be that you try the freeradius2 package for pfsense. You can install it on pfsense using the package manager. And this freeradius server on pfsense can be connected to MySQL and PostgreSQL database.
                                Or you are able to put your external RADIUS server into the LAN. (For testing, if NAT is the problem).

                                Perhaps this documentation can help you a little bit with your RADIUS server:
                                http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Check_if_your_configuration_works

                                And at least you could try to use CP with the "Local User database" which is in SYSTEM –> User Manager on pfsense. And then try to authenticate with a client and test if you can browse the web so that you can say at the end: My client is ok, firewall is ok, CP is ok, but connection between RADIUS and CP is not working properly.

                                Good luck! :-)

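Added example (not part of any post in this thread): a Python sketch of how the shared secret described above is used on both sides of a PAP login, following RFC 2865. Function names are illustrative; the user password and secret are the test values from the thread, and `testing124` is a constructed mismatch.

```python
import hashlib
import hmac
import os

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS packet codes (RFC 2865)

def _pad(password: bytes) -> bytes:
    # User-Password is NUL-padded to a multiple of 16 bytes (at least 16).
    return password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")

def hide_password(password, secret, req_auth):
    """What the NAS (the captive portal) sends: RFC 2865 section 5.2."""
    out, prev = b"", req_auth
    padded = _pad(password)
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_password(hidden, secret, req_auth):
    """What the RADIUS server computes with its own copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), section 3."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def simulate(nas_secret, server_secret, typed=b"12345678",
             stored=b"12345678", req_auth=None):
    """Return (reply code, whether the NAS can verify the reply)."""
    req_auth = req_auth or os.urandom(16)
    hidden = hide_password(typed, nas_secret, req_auth)
    seen = recover_password(hidden, server_secret, req_auth)
    code = ACCESS_ACCEPT if hmac.compare_digest(seen, stored) else ACCESS_REJECT
    reply = response_authenticator(code, 1, b"", req_auth, server_secret)
    expected = response_authenticator(code, 1, b"", req_auth, nas_secret)
    return code, hmac.compare_digest(reply, expected)

if __name__ == "__main__":
    print(simulate(b"testing123", b"testing123"))  # secrets match
    print(simulate(b"testing123", b"testing124"))  # constructed mismatch
```

With matching secrets the first call returns `(2, True)`. With the mismatch the server recovers garbage instead of the password and the NAS cannot verify the reply, so the result is `(3, False)` even though the user typed the right password.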
                                  asura

                                  Yup, it's strange. Thanks for your suggestion. I will do as you suggested.
                                  If anything comes up, I will post it here. Wish me luck guys.

                                    khan

                                    What is your captive portal page content ?

                                    the form should be like this

                                    here "action="$PORTAL_ACTION$">" is important.

                                      thermo

                                      Your WAN is on private IP space, do you have allow Private Net/bogons on the WAN interface?
                                      Looking at the radius debugging output would have shown that there was no connection to the radius server.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.