    CaptivePortal in CARP mode and external RADIUS server

Category: Captive Portal | 8 Posts | 2 Posters | 5.1k Views
dukecount:

Hi, I use pfSense 2.0.3 with an external FreeRADIUS server and pfSense in CARP mode. I want to use the virtual CARP IP address to identify my NAS to the FreeRADIUS server. On the Services > Captive Portal page, the "RADIUS NAS IP attribute" box lists the virtual addresses. If I select the virtual address (CARP WAN – 63.xxx.xxx.100) instead of a physical interface address and save, I have:

a) The selection box shows the first entry (for me LAN – 192.168.1.2) on the reloaded page, but in config.xml (backup configuration) the IP address is correct (63.xxx.xxx.100).

b) The request to the FreeRADIUS server uses the physical IP address (63.xxx.xxx.101) as the NAS host IP instead of the selected virtual address, but the client.conf file of FreeRADIUS must have the virtual address (63.xxx.xxx.100); otherwise, if I use the physical address and the primary server fails, the physical IP address changes to that of the backup server (63.xxx.xxx.102), so the FreeRADIUS server is no longer reachable.

c) Another strange thing is that in the "radacct entry" logs of the FreeRADIUS server, the parameters "NAS-IP-Address" and "Called-Station-Id" are correct and correspond to the virtual IP address (63.xxx.xxx.100), but "Client-IP-Address" matches the physical IP address (63.xxx.xxx.101).

In conclusion, the FreeRADIUS server must see the two pfSense firewalls with CARP, and therefore the CaptivePortal, through a single IP address (the virtual 63.xxx.xxx.100) in order to configure a single NAS client.

Server data follows.

pfSense MASTER:
    physical WAN IP address: 63.xxx.xxx.101
    virtual WAN IP address: 63.xxx.xxx.100
    physical LAN IP address: 192.168.1.2
    virtual LAN IP address: 192.168.1.1
    CaptivePortal on LAN interface
    Primary RADIUS server IP address: 85.xxx.xxx.78

pfSense BACKUP:
    physical WAN IP address: 63.xxx.xxx.102
    virtual WAN IP address: 63.xxx.xxx.100
    physical LAN IP address: 192.168.1.3
    virtual LAN IP address: 192.168.1.1
    CaptivePortal on LAN interface
    Primary RADIUS server IP address: 85.xxx.xxx.78

FreeRADIUS:
    physical WAN IP address: 85.xxx.xxx.78
    client.conf (NAS IP address): 63.xxx.xxx.100

Any ideas for this problem? Thanks.

lsense:

I didn't try your setup anyway...
The "RADIUS NAS IP attribute" from the pfSense CP sets the RADIUS NAS-IP-Address attribute in the Access-Request.
FreeRADIUS reads the allowed clients from clients.conf, but it checks the IPs on the network, not RADIUS attributes.

        a) n/a

b) Run tcpdump on your RADIUS server on port 1812 and look for the IP talking to your RADIUS. It should be your virtual WAN IP address (63.xxx.xxx.100) in any case, and that's what clients.conf checks.

c) No "Client-IP-Address" here.
   In the Access-Request I have:
       NAS-IP-Address = <configured WAN address>
       NAS-Identifier = "<configured pfSense hostname>"
       Framed-IP-Address = <client IP address>
       Called-Station-Id = "<configured WAN address>"
       Calling-Station-Id = "client MAC address"

   In the Accounting-Request I have:
       Calling-Station-Id = "00:22:69:95:e2:bc"
       Framed-IP-Address = <client IP address>
       NAS-IP-Address = <configured WAN address>

pfSense 2.0.2

dukecount:

If I put the virtual IP address (62.xxx.xxx.100) in clients.conf, the FreeRADIUS log (debug mode) shows the following error:

Ignoring request to authentication address * port 1812 from unknown client 62.xxx.xxx.101 port 14447 Ready to process requests.

This is because in the CP configuration, under "RADIUS NAS IP attribute", I selected the virtual address (WAN CARP - 63.xxx.xxx.100), but in reality it is not used and the FreeRADIUS server sees only the physical address (WAN 63.xxx.xxx.101).

If clients.conf uses the physical IP address (62.xxx.xxx.101), the client (192.168.1.104) connects correctly and in the FreeRADIUS log (debug mode) there are no errors; it shows:

          rad_recv: Access-Request packet from host 62.xxx.xxx.101 port 6592, id=137, length=138
                  NAS-IP-Address = 62.xxx.xxx.100
                  NAS-Identifier = "pfsense.localdomain"
                  User-Name = "4045"
                  User-Password = "8xtp9p"
                  Service-Type = Login-User
                  NAS-Port-Type = Ethernet
                  NAS-Port = 10
                  Framed-IP-Address = 192.168.1.104
                  Called-Station-Id = "62.xxx.xxx.100"
                  Calling-Station-Id = "00:0f:b0:xx:xx:83"

          rad_recv: Accounting-Request packet from host 62.xxx.xxx.101 port 19162, id=77, length=150
                  NAS-IP-Address = 62.xxx.xxx.100
                  NAS-Identifier = "pfsense.localdomain"
                  User-Name = "4045"
                  Acct-Status-Type = Start
                  Acct-Authentic = RADIUS
                  Service-Type = Login-User
                  NAS-Port-Type = Ethernet
                  NAS-Port = 10
                  Acct-Session-Id = "d68e7414e1b03eba"
                  Framed-IP-Address = 192.168.1.104
                  Called-Station-Id = "62.xxx.xxx.100"
                  Calling-Station-Id = "00:0f:b0:xx:xx:83"

But the problem remains, because if I use the physical address (63.xxx.xxx.101) and the primary server fails, the physical IP address changes to that of the backup server (63.xxx.xxx.102), so the FreeRADIUS server is no longer reachable.

I could work around the problem by also adding the physical IP address of the backup server (62.xxx.xxx.102) to clients.conf, but connected clients will go down, and to me this is not a failover system with CaptivePortal.

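The symptom in the posts above (the packet's source host is the physical WAN address while NAS-IP-Address carries the CARP VIP, and FreeRADIUS only consults the source host against clients.conf) can be checked mechanically from FreeRADIUS debug output. The following Python is an added example, not code from the thread or from FreeRADIUS; the log excerpt and the clients.conf allow-list are constructed, with RFC 5737 documentation addresses standing in for the masked 62.xxx.xxx.* values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed FreeRADIUS debug output (radiusd -X style), modelled on the
# rad_recv and "Ignoring request" lines quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 203.0.113.101 port 6592, id=137, length=138
        NAS-IP-Address = 203.0.113.100
        NAS-Identifier = "pfsense.localdomain"
        Framed-IP-Address = 192.168.1.104
        Called-Station-Id = "203.0.113.100"
Ignoring request to authentication address * port 1812 from unknown client 203.0.113.102 port 14447
rad_recv: Accounting-Request packet from host 203.0.113.100 port 19162, id=77, length=150
        NAS-IP-Address = 203.0.113.100
        NAS-Identifier = "pfsense.localdomain"
"""

# Constructed intended clients.conf: only the CARP VIP should be a known NAS.
ALLOWED_CLIENTS = [ip_network("203.0.113.100/32")]

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+)")
IGNORE_RE = re.compile(r"^Ignoring request .* from unknown client (\S+) port")
ATTR_RE = re.compile(r'^\s+(\S+) = "?([^"]*)"?$')


def parse_requests(log_text):
    """Group each rad_recv / Ignoring header with the attribute lines under it."""
    requests = []
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            requests.append({"type": m.group(1), "src": m.group(2), "attrs": {}})
            continue
        m = IGNORE_RE.match(line)
        if m:  # dropped before parsing, so no attributes follow
            requests.append({"type": "Ignored", "src": m.group(1), "attrs": {}})
            continue
        m = ATTR_RE.match(line)
        if m and requests:
            requests[-1]["attrs"][m.group(1)] = m.group(2)
    return requests


def audit(requests, allowed):
    """Flag packets whose source is not an allowed client or differs from NAS-IP-Address."""
    findings = []
    for req in requests:
        src = ip_address(req["src"])
        if req["type"] == "Ignored" or not any(src in net for net in allowed):
            findings.append((req["type"], req["src"], "source not in clients.conf"))
        nas = req["attrs"].get("NAS-IP-Address")
        if nas and ip_address(nas) != src:
            findings.append((req["type"], req["src"], f"NAS-IP-Address {nas} != source"))
    return findings
```

A packet that is accepted only because the physical address was added to clients.conf still shows up as a NAS-IP-Address mismatch, which is the condition that breaks on CARP failover.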
lsense:

@duke:

    I selected the virtual address (WAN CARP - 63.xxx.xxx.100) but in reality it is not used and the FreeRADIUS server sees only the physical address (WAN 63.xxx.xxx.101)

That's bad. FreeRADIUS should see the WAN CARP address on the network, I guess. Also, as far as I know, NAS-IP-Address is not even considered in the clients.conf checks. Which WAN address do you see on the FreeRADIUS server if you ping it from pfSense: CARP or ph?

@duke:

    I could work around the problem by adding into file clients.conf also the physical IP address of the backup server (62.xxx.xxx.102) but clients connected will go down and this to me is not a failover system with CaptivePortal.

It's not clear to me why clients would be disconnected. Once you have successfully authenticated you don't need RADIUS anymore. And even if you set "auth polling" every minute, they will auth (with the other ph address) anyway.

lsense:

I was wrong, FreeRADIUS sees the physical address (WAN 63.xxx.xxx.101) because if you look at the routing table you'll see something like:

    # netstat -rn -f inet
    ..
    Wan-subnet       link#1             U           0      812    WAN-PH-Interface
    WAN-VIP-Addr     link#8             UH          0        0    WAN-VIP-Interface
    ..

so the WAN subnet is reached through the physical interface.

edit: use NAT 1:1 with "External IP"=WAN-VIP-Addr and "Internal IP"=WAN-PH-Addr

dukecount:

If I ping it from the pfSense LAN interface: FreeRADIUS sees the virtual IP address (62.xxx.xxx.100).
If I ping it from the pfSense WAN interface: FreeRADIUS sees the physical IP address (62.xxx.xxx.101).

If I use 1:1 NAT, then a ping across the WAN interface of pfSense arrives at the FreeRADIUS server with the virtual IP address (62.xxx.xxx.100). That is correct.
So I set clients.conf with the virtual IP address and the CaptivePortal works, but now I have strange problems with CARP on the pfSense backup server :-(
Specifically, gateways are always down because the monitor IP cannot be reached. I think that the synchronization of the new NAT configuration to the backup server has created routing problems.

The 1:1 NAT configuration should be different, as below, but the synchronization keeps it the same:

on the pfSense MASTER: "External IP"=(62.xxx.xxx.100) and "Internal IP"=(62.xxx.xxx.101)
on the pfSense BACKUP: "External IP"=(62.xxx.xxx.100) and "Internal IP"=(62.xxx.xxx.102)

Now I'll try to test.

lsense:

For 1:1 NAT use your WAN-PH alias, not the numeric IP.

Anyway, this is no longer related to the Captive Portal; it should be in the CARP/VIPs or NAT sections.

dukecount:

For the 1:1 NAT configuration I tried to use "WAN address" as the Internal IP type; I do not have an alias for this value (only "single host IP" or "WAN address"), but I still have the same problem on the pfSense backup server (GW unreachable, "Offline").

It looks like a bug in the pfSense synchronization of the CARP/VIPs or 1:1 NAT configuration between the primary and the backup.

Everything works if I use "NAT Outbound" with:

Interface = WAN
Protocol = UDP
Source Type = Network
Source Address = 62.xxx.xxx.96/28
Destination = any
Translation = 62.xxx.xxx.100 (CARP WAN)

I'm running other tests.
