CaptivePortal in CARP mode and external RADIUS server



  • Hi, I use pfSense 2.0.3 with an external freeRADIUS server and pfSense in CARP mode. I want to use the virtual CARP IP address to identify my NAS to freeRADIUS server. Into the Service page captiveportal the box "RADIUS NAS IP attribute" lists the virtual addresses. If I select the virtual address (CARP WAN – 63.xxx.xxx.100) instead of a physical interface address and save, I have:

    a) The selection box shows the first entry (for me LAN – 192.168.1.2) on the reloaded page but in the config.xml (backup configuration) the IP address is correct (63.xxx.xxx.100).

    b) The request to the FreeRADIUS server uses the physical IP address (63.xxx.xxx.101) as host IP NAS instead of the selected virtual address, but the file client.conf of FreeRADIUS must have the virtual address (63.xxx.xxx.100) otherwise if I use the physical address and occurs a failure of the primary server, the physical IP address changes with that of the backup server (63.xxx.xxx.102) so the FreeRADIUS server is no longer reachable.

    c) Other strange thing is that in the logs "radacct entry" server freeRAIDUS, the parameters "NAS-IP-Address" and "Called-Station-id" are correct and correspond to the virtual IP address (63.xxx.xxx.100) but "Client-IP-Address" matches with the physical IP address (63.xxx.xxx.101)

    In conclusion, the server FreeRADIUS must see the two firewalls pfSense with CARP, and then the CapitvePortal, through a single IP address (the virtual 63.xxx.xxx.100) to configure a single NAS client

    • Follow the data server
      pfSense MASTER:
      physical WAN IP address: 63.xxx.xxx.101
      Virtual IP Address WAN: 63.xxx.xxx.100
      physical LAN IP address: 192.168.1.2
      Virtual LAN IP address: 192.168.1.1
      CaptivePortal on LAN interface
      Primary RADIUS server IP address: 85.xxx.xxx.78

    pfSense BACKUP:
    physical WAN IP address: 63.xxx.xxx.102
    Virtual IP Address WAN: 63.xxx.xxx.100
    physical LAN IP address: 192.168.1.3
    Virtual LAN IP address: 192.168.1.1
    CaptivePortal on LAN interface
    Primary RADIUS server IP address: 85.xxx.xxx.78

    FreeRADIUS
    physical WAN IP address: 85.xxx.xxx.78
    client.conf (NAS IP address): 63.xxx.xxx.100

    Any ideas for this problem, thanks



  • I didn't try your setup anyway..
    The "RADIUS NAS IP attribute" from pfSense CP sets the radius NAS-IP-Address attribute in Access-Request.
    freeRadius reads from clients.conf allowed clients but it checks IPs on the net, not radius attributes.

    a) n/a

    b) tcpdump on your radius server port 1812 and look for the ip containing you radius.. it should be your Virtual IP Address WAN: 63.xxx.xxx.100 in any case..and that's what clients.conf checks.

    c) no "Client-IP-Address" here.
       in Access-Request I have
           NAS-IP-Address = <configured wan="" address="">NAS-Identifier = "<configured pfsense="" hostname="">"
           Framed-IP-Address = <client ip="" address="">Called-Station-Id = "<configured wan="" address="">"
           Calling-Station-Id = "client MAC address"

    in Accounting-Request I have
           Calling-Station-Id = "00:22:69:95:e2:bc"
           Framed-IP-Address = <client ip="" address="">NAS-IP-Address = <configured wan="" address="">pfSense 2.0.2</configured></client></configured></client></configured></configured>



  • if in the clients.conf put the virtual IP address (62.xxx.xxx.100), freeRADIUS log (debug mode) shows the following error:

    Ignoring request to authentication address * port 1812 from unknown client 62.xxx.xxx.101 port 14447 Ready to process requests.

    This is because the configuration of the CP in "RADIUS NAS IP attribute" I selected the virtual address (WAN CARP - 63.xxx.xxx.100) but in reality is not used and the FreeRADIUS server sees only the physical address (WAN 63.xxx.xxx.101)

    If clients.conf use the physical IP address (62.xxx.xxx.101), the client (192.168.1.104) is connected correctly and in freeradius log (debug mode) there are no errors and shows:

    rad_recv: Access-Request packet from host 62.xxx.xxx.101 port 6592, id=137, length=138
            NAS-IP-Address = 62.xxx.xxx.100
            NAS-Identifier = "pfsense.localdomain"
            User-Name = "4045"
            User-Password = "8xtp9p"
            Service-Type = Login-User
            NAS-Port-Type = Ethernet
            NAS-Port = 10
            Framed-IP-Address = 192.168.1.104
            Called-Station-Id = "62.xxx.xxx.100"
            Calling-Station-Id = "00:0f:b0:xx:xx:83"

    rad_recv: Accounting-Request packet from host 62.xxx.xxx.101 port 19162, id=77, length=150
            NAS-IP-Address = 62.xxx.xxx.100
            NAS-Identifier = "pfsense.localdomain"
            User-Name = "4045"
            Acct-Status-Type = Start
            Acct-Authentic = RADIUS
            Service-Type = Login-User
            NAS-Port-Type = Ethernet
            NAS-Port = 10
            Acct-Session-Id = "d68e7414e1b03eba"
            Framed-IP-Address = 192.168.1.104
            Called-Station-Id = "62.xxx.xxx.100"
            Calling-Station-Id = "00:0f:b0:xx:xx:83"

    but the problem remains because if I use the physical address (63.xxx.xxx.101) and occurs a failure of the primary server, the physical IP address changes with that of the backup server (63.xxx.xxx.102) so the FreeRADIUS server is no longer reachable.

    I could work around the problem by adding into file clients.conf also the physical IP address of the backup server (62.xxx.xxx.102) but clients connected will go down and this to me is not a failover system with CaptivePortal.



  • @duke:

    I selected the virtual address (WAN CARP - 63.xxx.xxx.100) but in reality is not used and the FreeRADIUS server sees only the physical address (WAN 63.xxx.xxx.101)

    that's bad. FreeRADIUS should see the WAN CARP address on the network I guess. Also as far as I know NAS-IP-Address is not even considered regarding clients.conf checks.  Which WAN address do you see on freeradius server if you ping it from pfSense: CARP or ph ?

    @duke:

    I could work around the problem by adding into file clients.conf also the physical IP address of the backup server (62.xxx.xxx.102) but clients connected will go down and this to me is not a failover system with CaptivePortal.

    it's not clear to me why clients will be disconnected. Ones you successfully authenticated you don't need radius anymore. And even if you set "auth polling" every minute the will auth (with the other ph address) anyway.



  • I was wrong, freeRadius sees the physical address (WAN 63.xxx.xxx.101) because if you look at the routing table you'll see something like:

    
    # netstat -rn -f inet
    ..
    Wan-subnet       link#1             U           0      812    WAN-PH-Interface
    WAN-VIP-Addr    link#8             UH          0        0    WAN-VIP-Interface
    ..
    
    

    so wan subnet is seen through the phisical interface.

    edit: use NAT 1:1 with "External IP"=WAN-VIP-Addr and "Internal IP"=WAN-PH-Addr



  • if I ping it from pfSense LAN interface: freeradius see the virtual IP address (62.xxx.xxx.100)
    if I ping it from pfSense WAN interface: freeradius sees the physical IP address (62.xxx.xxx.101)

    if I use 1:1 NAT then ping across the WAN interface of pfSense, arrives at the server freeradius with the virtual IP address (62.xxx.xxx.100). it is correctly.
    So I set clients.conf with the virtual IP address and the CaptivePortale works but now I have strange problems with CARP in pfSesne server backup :-(
    Specifically gateways are always down because IP monitor can not be reached, I think that the synchronization of the new NAT configuration on the backup server has created problems of routing.

    The 1:1 NAT configuration should be different as below but the synchronization keeps the same:

    in the pfSense MASTER: "External IP"=(62.xxx.xxx.100) and "Internal IP"(62.xxx.xxx.101)
    in the pfSense BACKUP: "External IP"=(62.xxx.xxx.100) and "Internal IP"(62.xxx.xxx.102)

    now I try to do test



  • for 1:1 NAT use your WAN-PH alias, not the numeric IP.

    anyway this is no more related to the Captive Portal, it should be in CARP/VIPs or NAT sections.



  • for 1:1 NAT configuration I tried to use as a type Internal IP = WAN address, I do not have an alias for this value (only "single host IP" or "WAN address") but I still have the same problem on the server pfSesne backup (GW unreachable "Offline").

    It looks like a bug in pfSense synchronization between the primary and backup configuration CARP / VIPs or 1:1 NAT

    Everything works if I use "NAT Outbound" with:

    Interface = WAN
    Protocol = UDP
    Source Type = Network
    Source Address = 62.xxx.xxx.96/28
    Destination = any
    Translation = 62.xxx.xxx.100 (CARP WAN)

    I run other tests


Log in to reply