Captive Portal/FreeRADIUS/WPA Enterprise/Segmenting Users



  • Hello, I am trying to partition the users of my network into ones who can log in directly to the network and ones who can only login through the captive portal.
    Here are the details of my configuration:
    Network
    a. em0: WAN
    b. re0: LAN (Local Area Network)
    c. re1: GAN (Guest Area Network/Captive Portal)
    Captive portal on GAN (re1)
    a. RADIUS Authentication/MSCHAPv2
    b. Re-authenticate connected users every minute
    FreeRADIUS
    a. Provides authentication for WAPs connected to LAN interface using EAP-PEAP, MSCHAPv2
    b. Provides authentication for WAPs connected to GAN via captive portal
    c. FreeRADIUS users (A, B, C & Guest)
    WAPs hard wired to LAN and GAN

    Problem statement:
    • Users A, B, C & Guest can connect to the LAN (and its WAPs)
    • Users A, B, C & Guest can connect to the GAN (and its WAPs)

    Desired solution:
    • Only users A, B, C can connect to the LAN (and its WAPs)
    • Users A, B, C & Guest can connect to the GAN (and its WAPs)

    I don’t have the faintest clue for how to accomplish this. Any advice, suggestions and pointers to references is much appreciated.



  • It's difficult to pinpoint what exactly the problem could be  but if it is just a case of the segmentation of users and guests interfaces then the first thing to look at would  Be the firewall rules on your lan and guest Interfaces. Are you using radius on pfsense or a different machine? I somehow doubt that the pfsense radius package allows the configuration of two virtual servers which you would need in your particular case though the package capabilities might have changed since I last saw it.
    Need more information!



  • Thanks for the reply. Sorry for not being a bit more articulate. The problem isn't isolating the users. The firewall does an awesome job of that. The problem is that User's credentials work on the Captive Portal & the WAPs on the Guest network and the Guest credentials work on the WAPs LAN. I want to configure captive portal and RADIUS such that Guest credentials don't authenticate on the LAN. Does that make more sense?



  • There are various ways to do it, in order of difficulty:

    • Setup a second radius server, just to authenticate the guests
    • Setup a (second) virtual server on your current freeradius instance, to authenticate just the guests. As I said previously, this might not be possible with the package editing capabilities of the Freeradius package on pfsense, but easier/possible to do if your radius server is on a linux machine somewhere else and you are comfortable editing the freeradius config files.
    • Write & include a script which checks that guests (via a radius check attribute) are accessing the correct SSID during an access request, and reject if not.


  • I have setup two RADIUS servers on two different interfaces (LAN 192.168.24.0/24 & GAN 192.168.235.0/24) but there doesn't seem to be a way to partitions users to specific interfaces.

    • Write & include a script which checks that guests (via a radius check attribute) are accessing the correct SSID during an access request, and reject if not.

    This sounds promising. Would you be able to point me to the relevant resources?




  • You haven't.  You have told the same radius instance to listen on two interfaces.  Now you need to tell radius to handle AAA differently for each interface (which might be impossible with pfsense radius package).
    I'm no expert at freeradius unlang but if you have the time and effort google freeradius unlang.



  • Hi,
    you should check this post:
    http://forum.pfsense.org/index.php/topic,67801.0.html

    You can add the "NAS-IP-Address == 192.168.10.1" attribute to every user which should only be accepted when accessing from NAS with IP 192.168.10.1 .

    If there are several NAS with different IPs try this:
    NAS-IP-Address =~ "10.1.18.1 | 10.8.18.1"

    For this you need to change the freeradius.inc in some small parts which are explained in the thread I mentioned above.

    Good luck!



  • Thanks Nachtflake! I will try that tonight and let the thread know how it went.



  • NAS-IP-Address =~ "192.168.24.1 | 192.168.24.201 | 192.168.24.202 | 192.168.24.203 | 192.168.24.204 | 192.168.235.1 | 192.168.235.201 | 192.168.235.202 | 192.168.235.203 | 192.168.235.204"
    

    I added the above entry to the "Additional RADIUS Attributes (CHECK-ITEM)" field for each user. I even modified the explode char. The UI shows the above line verbatim. But, I get the following authentication errors.

    Dec 3 20:22:17 radiusd[19876]: Login incorrect: [USER1] (from client sense.mydomain.guest port 2412 cli c4:85:08:xx:yy:zz)
    Dec 3 20:21:55 radiusd[19876]: Login incorrect: [USER2] (from client sense.mydomain.guest port 2412 cli f0🇩🇪f1:xx:yy:zz)
    Dec 3 20:21:46 radiusd[19876]: Login incorrect: [USER2] (from client sense.mydomain.guest port 2412 cli f0🇩🇪f1:xx:yy:zz)
    Dec 3 20:21:34 radiusd[19876]: Login incorrect: [USER2] (from client sense.mydomain.guest port 2412 cli f0🇩🇪f1:xx:yy:zz)
    Dec 3 20:19:48 radiusd[19876]: Login incorrect: [USER1] (from client wapb.mydomain.home port 36 cli 7054d2266527)
    Dec 3 20:19:48 radiusd[19876]: Login incorrect: [USER1] (from client wapb.mydomain.home port 0 via TLS tunnel)
    Dec 3 20:19:10 radiusd[19876]: Login incorrect: [USER1] (from client wapk.mydomain.home port 4 cli 34c803119d08)
    Dec 3 20:19:10 radiusd[19876]: Login incorrect: [USER1] (from client wapk.mydomain.home port 0 via TLS tunnel)

    Any hints on what might be going wrong? What other information would be helpful to diagnose the issue?

    Thanks!



  • ssh into your pfsense & into the shell.

    killall radiusd
    /usr/local/sbin/radiusd -X
    
    

    and watch the output.



  • @thermo:

    ssh into your pfsense & into the shell.

    killall radiusd
    /usr/local/sbin/radiusd -X
    
    

    and watch the output.

    No need to kill the process just stop it on GUI.
    radiusd -X  will run freeradius in debug mode and tells you everything.

    In freeradius GUI you can enable the logging of good and bad authentications - passwords and usernames will be shown in pfsense syslog.

    Further make sure that the switches and WLAN AP have the same shared secret as in freeradius NAS/Clients.

    Make sure that your switches and APs send its correct NAS-IP to freeradizs and configured in Users.

    Freeradius - View config could help you to find out if your Users file looks correct and represets all your paramwters.

    The order in the users file is important. So if there is one user added twice the first match will win.