Captive Portal - Allow Internet Access if Radius Unavailable
-
A checkbox for the captive portal that allows all users thru with specific bandwidth limitations if the radius server is unreachable.
For example, on a few occasions over the years I have had an issue with my radius server and customers can't access the Internet; on those occasions I would love to give away free Internet as opposed to having angry customers :)
Please provide an estimated cost, if you think you can do this?
Thanks,
Erin
-
I've been thinking of some scenarios where this has been needed in the past and thought it would be a nice addition to pfsense's captive portal capabilities.
If salmonbaytech is fine with the following, I'll put £50 towards the bounty.
Under Services/Captive Portal page
Amend the existing "Authentication" section where it reads, "No Authentication" "Local User Manager / Vouchers" "RADIUS Authentication"
Add a drop down box beside each method of authentication, add the options within the drop down box to include "disabled" "1" "2" "3".
The option "disabled" would obviously disable authentication for that method, options "1" to "3" would be priority of authentication, similar in a way to how tiers work in failover gateway groups.
Specific bandwidth limitations can already be set in the captive portal page under "Per-user bandwidth restriction", so this isn't a requirement for me.
-
I don't see how priorities would work in practice. Local accounts and RADIUS users are not in sync, so if RADIUS fails (and local auth has the next priority) you would suddenly need a different account or a voucher code? Also when should there be a priority that's lower than the first local method (e.g. no auth after local auth)?
As radius can override the default "Per-user bandwidth restriction" setting per user, that could indeed be used as a fallback value.
-
I think this needs to be simple,
Currently
User sends request->Captive Portal->Radius response->Authorized (Allowed to access internet) or Not Authorized (Redirected to CP Page)
Better
User sends request->Captive Portal->Radius response (Same logic as above)
User sends request->Captive Portal->Radius no response (Allow user thru with "Per-user bandwidth restriction" or a new setting of limits defined on the page)
I see this as 1-3 options added to the CP Page
Checkbox: enabled radius default allow on failure
(optional) two textboxes: Upload/Download bandwidth
Radius goes down at 2am, but the Internet still works. I can wait till the morning and my customers don't hate me :)
-
I don't see how priorities would work in practice. Local accounts and RADIUS users are not in sync, so if RADIUS fails (and local auth has the next priority) you would suddenly need a different account or a voucher code?
Yes you are right, the logic was to have predefined local users or vouchers as a backup in case of radius failure, the end users would be given their regular radius login as well as a backup local auth login when an account is initially set up for them. Maybe a bit like how some ISPs give their users a dialup account in case their ADSL goes down.
It's not a perfect way of doing things I agree but it can save headache when you're trying to solve the issues and at the same time having to deal with a lot of complaint calls.
Also when should there be a priority that's lower than the first local method (e.g. no auth after local auth)?
I'm sorry I don't understand the question fully but here are a few examples gui side of things.
----example-----
No Authentication [disabled]
Local User Manager / Vouchers [1]
RADIUS Authentication [2]
----example-----
No Authentication [2]
Local User Manager / Vouchers [disabled]
RADIUS Authentication [1]
----example-----
No Authentication [2]
Local User Manager / Vouchers [1]
RADIUS Authentication [disabled]
I would guess maybe some javascript magic to make sure the "options" are selected correctly, i.e. you don't want user error - say for example they chose priority [1] for two authentication methods, or had all methods set to [disabled].
Suggestions are welcome and apologies if it's felt I've hijacked the bounty.
-
Abdsalem, what you want is not what I'm looking for at all. I think it's silly to create two auth systems to maintain users in.
Assuming I have 100% internet connectivity and pfSense has 100% uptime, using captive portal to manage my users ties my uptime to the radius server. My radius server has more of a 98-99% uptime; during that 1-2% radius downtime, just let everyone thru. I would rather have happy customers and eat a little bandwidth than have an internet connection go unused :)
I would rather spend some money on a checkbox (allow users when radius unreachable), than set up a second radius server to improve my uptime.
-
The simplest solution is to replace the following code snippet in "usr/local/captiveportal/index.php"
    // Error branch (auth_val 1): log the error and show the portal error page.
    if ($auth_list['auth_val'] == 1) {
        captiveportal_logportalauth($user, $clientmac, $clientip, "ERROR", $auth_list['error']);
        portal_reply_page($redirurl, $type, $auth_list['error'] ? $auth_list['error'] : $errormsg);
    }
with
    // Error branch (auth_val 1): log the event and admit the client as "unauthenticated".
    if ($auth_list['auth_val'] == 1) {
        captiveportal_logportalauth("unauthenticated", $clientmac, $clientip, "RADIUS ERROR - ACCEPT");
        portal_allow($clientip, $clientmac, "unauthenticated");
    }
When I have time I will add a checkbox in the CaptivePortal settings and also look further into the possible RADIUS errors to make sure auth is only skipped when the server does not respond.
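An added example (not part of the original post and not pfSense code): the fail-open decision narrowed the way the post above intends, so that only a RADIUS no-response admits a client, under a reserved username and a bandwidth cap, and only when the checkbox is enabled. The `auth_val` values 2 and 3, the matched error text, and every function and config name are assumptions.

```php
<?php
// Added illustration, not pfSense code; function and config names are hypothetical.
const AUTH_ERROR  = 1; // error branch tested by the posted snippet
const AUTH_ACCEPT = 2; // assumed value for Access-Accept
const AUTH_REJECT = 3; // assumed value for Access-Reject

// Returns [action, session user, [up, down] cap in Kbit/s or null, log status].
function decide_portal_access(array $auth_list, string $user, array $cfg): array
{
    $val = $auth_list['auth_val'] ?? AUTH_ERROR;
    if ($val === AUTH_ACCEPT) {
        return ['allow', $user, null, 'LOGIN'];
    }
    if ($val === AUTH_REJECT) {
        return ['deny', $user, null, 'FAILURE']; // a real reject never fails open
    }
    // Error branch: fail open only if the checkbox is set AND the error text
    // says the server did not answer; any other error stays fail-closed.
    $error = (string)($auth_list['error'] ?? '');
    $unreachable = false;
    foreach ($cfg['unreachable_patterns'] as $pattern) {
        if ($pattern !== '' && stripos($error, $pattern) !== false) {
            $unreachable = true;
            break;
        }
    }
    if (empty($cfg['allow_on_radius_failure']) || !$unreachable) {
        return ['deny', $user, null, 'ERROR'];
    }
    // Admit under a fixed name so these sessions are easy to find and expire.
    return ['allow', 'unauthenticated', $cfg['fallback_bw'], 'RADIUS ERROR - ACCEPT'];
}

$cfg = [
    'allow_on_radius_failure' => true,         // the requested checkbox
    'fallback_bw'             => [1024, 4096], // constructed up/down cap, Kbit/s
    'unreachable_patterns'    => ['No valid RADIUS responses received'], // assumed timeout text
];
// Constructed auth results, not captured from a real portal.
$samples = [
    'accept'  => ['auth_val' => AUTH_ACCEPT],
    'reject'  => ['auth_val' => AUTH_REJECT, 'error' => 'Access-Reject'],
    'timeout' => ['auth_val' => AUTH_ERROR, 'error' => 'No valid RADIUS responses received'],
    'other'   => ['auth_val' => AUTH_ERROR, 'error' => 'constructed non-timeout error'],
];
foreach ($samples as $name => $auth_list) {
    [$action, $session_user, $bw, $status] = decide_portal_access($auth_list, 'alice', $cfg);
    printf("%-8s %-5s user=%-15s bw=%-9s %s\n", $name, $action, $session_user,
        $bw ? implode('/', $bw) : '-', $status);
}
```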
-
Abdsalem, what you want is not what I'm looking for at all. I think it's silly to create two auth systems to maintain users in.
Assuming I have 100% internet connectivity and pfSense has 100% uptime, using captive portal to manage my users ties my uptime to the radius server. My radius server has more of a 98-99% uptime; during that 1-2% radius downtime, just let everyone thru. I would rather have happy customers and eat a little bandwidth than have an internet connection go unused :)
I would rather spend some money on a checkbox (allow users when radius unreachable), than set up a second radius server to improve my uptime.
Let me know if you're still looking for this; I've had a look over the relevant code and should be able to take care of this with a couple hours' work and some testing. Does $150 sound reasonable?
-
Why not just host your own radius server? Software is like $150 and hosting is like $29 per month at Linode.com. Vendor will even do initial setup for free on the server! That way you can use the secondary radius option in CP! You could probably get away with a simple linux OS at Amazon!
Ok. Do not use Linode.com
My CC expired and I never received a notification from them via email. All of a sudden I logged in and because my billing was behind by 22 days they deleted my Linux VMs. No recovery possible. Beware. I would not recommend using Linode!