Captiveportal - ubuntu as radius server and for MySQL, pfsense as captive portal



  • Hi friends, will anyone help me with my project?

    I have an Ubuntu server installed with freeradius and MySQL.
    Together with it I installed VirtualBox for pfsense as a captive portal.

    Ubuntu server as a radius server with IP 192.168.1.90
    pfsense inside VirtualBox with WAN ip 192.168.1.99 and LAN ip 192.168.3.11
    my laptop (192.168.3.9) as a client connected to AP with ip 192.168.3.1

    Here is my configuration:
    1- file /etc/freeradius/sql.conf
    readclients = yes

    2- file /etc/freeradius/sql.conf
    server = "localhost"
    login = "root"
    password = "xxxxxx"
    radius_db = "radius"

    3- file /etc/freeradius/radiusd.conf by uncommenting the following line
    $INCLUDE sql.conf

    4- Enable SQL configuration in the default enabled site /etc/freeradius/sites-available/default

    5- create radius database and insert schema.sql and nas.sql into database
    MySQL> INSERT INTO nas VALUES (NULL, '192.168.1.99', 'wifi.system', 'other', NULL, 'testing123', NULL, NULL, 'RADIUS Client');

    6- file /etc/freeradius/clients.conf
    client 192.168.1.99 {            # my pfsense box ip
           secret = testing123       # is this something you put into shared secret in pfsense captive portal configuration?
           shortname = wifi.system   # I just put anything in here, how can I figure out the exact shortname for my machine?
           nastype = other
    }

    Before I proceeded to step 6, I just executed the SQL command and inserted those values into the NAS table.
    After failing to log in via the pfsense captive portal, I proceeded to step 6 and deleted the NAS table.
    But the same thing happens: unable to authenticate to the radius server.

    Any help please. Thanks in advance.



    • Start radius with "radiusd -X" to see debugging output!
    • I don't see in your steps where you configured a valid user. (user <> nas/client)
    • See the documentation for radtest, this will help you narrow down where your configuration is failing.


  • Thanks for your reply.
    I debugged with 'freeradius -X'.
    There I can see the message authentication failed from 192.168.1.99 …..

    Using 'radtest test 12345678 localhost 1812 testing123', it was successfully accepted with the message 'access-accepted'.

    User 'test' with password '12345678' is stored in the MySQL database.



  • Somehow I successfully authenticated and am able to log in with 'test', pass '12345678'.

    A new problem has come up. The captive portal page does not come out automatically.
    I need to type in '192.168.3.11:8000' in the browser to view my captive portal page.

    After successfully logging in with the 'test' id, I still cannot access google.com: page not found.

    I'm lost here. Anyone got any idea?



  • Glad you got the auth. working.
    The CP should work ok, except that there is a bug in the captive portal redirect where the first "/" character is removed from the URL and you get a page not found. You can get around this by forcing a redirect to google.com (or any other site) for all successful logins, rather than the page the user requested.



  • Thanks.
    Normally, whatever site you try to access, whatever you type into the web browser address bar, it will point back to the captive portal page and ask for username and password.

    That kind of thing does not happen on my pfsense box. Whatever site I try to access, it keeps showing me page not found. My captive portal page does not show up as it is supposed to.

    Any idea?



  • First:
    The DNS server of your hosts must be the pfsense CP interface IP address.

    Second:
    CP will only appear if your host is browsing to a http address. httpS will not be recognized and CP will not appear. So if a user wants to auth he needs to browse to a http page.

    Third:
    If you want to redirect a user to another page, type in the complete URL like http://www.google.com



  • @Nachtfalke:

    First:
    The DNS server of your hosts must be the pfsense CP interface IP address.

    pfsense box LAN ip is set as dhcp. So I just connect my laptop without problem. Or do you mean something else?



  • The DNS of the clients is pfsense? Do not use any other DNS. That is important so that CP can work.



  • Here is my diagram, for better understanding.

    The DNS of the clients is pfsense ?

    YES, the clients' DNS is the CP ip address.

    I tried to access http://192.168.1.90/phpmyadmin and CP did show up. It works!!
    BUT, whenever I log in to CP, once again my browser shows me 'page not found'.
    'ping time out' from my laptop (192.168.3.10) to Radius Server (192.168.1.90).

    However, each time I try to access the google page or another website on the internet,
    CP does not come out and the browser shows me 'page not found' instantly.

    I'm lost here. Is it something to do with firewall rules or pfsense CP configuration?



  • Hi,

    on firewall you must allow HTTP (80) traffic, DNS (53), and port 8000 which is the Captiveportal. Best would be if you first create an "allow any to any" rule on the CP interface to make sure that your firewall is not the reason for your problems. If all is working you can try to play with firewall rules.

    Further you should remember:
    CP is only showing up if you connect to an http web-page. httpS webpages cannot be redirected by CP as far as I know. If I am not wrong - google is using httpS in some cases ? Please try with another webpage which is for sure just using http. This should make the CP portal come up.



  • Thanks for your time and advice.

    Once I tried setting the firewall to * * * * , I allowed any to any. As you said, I did the "allow any to any" rule.
    Nothing changed, I got the same problem. Then I disabled all rules on my LAN (CP). Nothing good happened.

    I will try this, wish me luck guys:

    on firewall you must allow HTTP (80) traffic, DNS (53), and port 8000 which is the Captiveportal



  • After disabling CP, I have no problem surfing the internet with my laptop.
    Whenever I enable CP, the CP page comes out and asks for username and password.

    However,
    after successfully logging in to CP, my browser shows me 'can't connect to server'.
    Again, I cannot access any website on the internet.

    From the pfsense box I can successfully ping the router, the radius server and the internet.

    Could the connection from pfsense to the radius server be having some problem?
    Or does my radius server need some more configuration to allow user access to the internet?
    Or do the WAN firewall rules need some rules?



  • That's a really strange behaviour I think.

    The RADIUS problem:

    • On CP you have to set RADIUS as authentication and the RADIUS IP address, the RADIUS port for authentication (1812) and the shared secret. And then a little below on the CP page there is something like "NAS identifier", this should be probably set to your WAN IP address of pfsense. That is the minimum you have to do if I remember correctly.

    • On RADIUS you have to add the client/NAS, which is your pfsense CP, with the same shared secret. RADIUS auth listening on port 1812 and of course add a user with username and password. To make sure that RADIUS is getting the access-request from CP and is sending back an access-accept to CP you should run freeradius in debug mode. This can be done with:

    radiusd -X
    

    You should see the auth request from CP and the accept/reject from RADIUS. And you should see the IP address to where the RADIUS is sending it.

    While writing this text I am thinking about a possible problem if you have running NAT on pfsense WAN interface. Not sure if this could cause problems.

    Another possibility could be that you try the freeradius2 package for pfsense. You can install it on pfsense using the package manager. And this freeradius server on pfsense can be connected to MySQL and PostgreSQL database.
    Or you are able to put your external RADIUS server into the LAN. (For testing, if NAT is the problem).

    Perhaps this documentation can help you a little bit with your RADIUS server:
    http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Check_if_your_configuration_works

    And at least you could try to use CP with the "Local User database" which is in SYSTEM –> User Manager on pfsense. And then try to authenticate with a client and test if you can browse the web so that you can say at the end: My client is ok, firewall is ok, CP is ok, but connection between RADIUS and CP is not working properly.

    Good luck! :-)
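
Added example, not part of any post in this thread: a self-contained Python sketch of the RFC 2865 PAP exchange between a NAS (here the captive portal) and a RADIUS server, showing why the shared secret entered on the portal must match the one in the server's client entry. The function names and the toy in-process server are assumptions for illustration; the secret and the test user's password are the sample values quoted in the thread.

```python
import hashlib
import os
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 sec. 5.2: what the NAS does to User-Password before sending."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: reverse the hiding with the secret from its client entry."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def response_auth(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 sec. 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret), no attributes."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20) + req_auth + secret).digest()

def portal_login(nas_secret: bytes, server_secret: bytes,
                 typed: bytes = b"12345678", stored: bytes = b"12345678"):
    """Toy in-process exchange. Returns (reply code, NAS accepts reply signature)."""
    req_auth, ident = os.urandom(16), 1
    hidden = hide_password(typed, nas_secret, req_auth)              # NAS -> server
    ok = unhide_password(hidden, server_secret, req_auth) == stored
    code = 2 if ok else 3                                            # 2 Accept, 3 Reject
    reply_sig = response_auth(code, ident, req_auth, server_secret)  # server -> NAS
    return code, reply_sig == response_auth(code, ident, req_auth, nas_secret)

if __name__ == "__main__":
    print(portal_login(b"testing123", b"testing123"))   # secrets match
    print(portal_login(b"testing123", b"Testing123"))   # one character differs
```

With a mismatched secret the correct password still produces a reject, and the reply signature does not verify on the NAS side. A radtest run against localhost is matched against the server's client entry for localhost, so it does not exercise the entry for 192.168.1.99.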



  • Yup, it's strange. Thanks for your suggestion. I will do as you suggest.
    If anything comes out, I will post it here. Wish me luck guys.



  • What is your captive portal page content ?

    the form should be like this

    here "action="$PORTAL_ACTION$">" is important.



  • Your WAN is on private IP space, do you have allow Private Net/bogons on the WAN interface?
    Looking at the radius debugging output would have shown that there was no connection to the radius server.

