WDS bridging with captive portal and freeradius

  • Hi,
    I have a pfSense box with ver-2.1.3-RELEASE-(amd64), using captive portal with a FreeRADIUS server. On the LAN side a basic access point is connected with open access so anyone can connect and reach the captive portal page. Each connecting device (MAC) is authenticated based on a userid/password combination. The system can be used in the following two manners:

    (a) Each device/MAC connects to the portal, provides the userid/password and uses the Internet. Simple. Each of them gets a different IP and a 1mbps connection.
    (b) A combination of an AP (in client mode) connected to a router on the WAN side, and then multiple devices/MACs are connected to the LAN side of the router. So the MAC of the router's WAN interface is considered as a single client in pfSense captive portal + RADIUS and gets an IP and a 1mbps connection. And so multiple clients on the router's LAN side share the 1mbps connection.

    Now the problem. Recently I tried using a basic router (TP-Link TP-WR740N to be exact) to extend the signal of my AP. This router has an option of WDS bridging. So the TP-Link router connects with the primary AP (with open access) and also creates its own SSID on its LAN side for multiple clients to access it. At first this seems to be the case as in (b) described above. But when clients connect through this router, each client gets its own IP and 1mbps connection, but the MAC in calling-station-id in the RADIUS access-request packet is the same (the MAC of the TP-Link WAN interface). So as a result, with only one userid/password, multiple clients can get their own 1mbps and IP address. The captive portal prompts each client for userid/password but allows them to get past it using the same credentials, since the MAC being presented to RADIUS is the same.

    Two questions arise from this behaviour:

    1. Why doesn't pfSense see the router as a single client? Since the MAC is the same, and if that MAC already has a valid session in the portal, why is each client presented with a captive portal page for credentials?
    2. If each client is considered separately, then why does pfSense present the same MAC in calling-station-id for each RADIUS access-request packet?


  • I am not sure if this behavior is a bug or if it's normal, the way it should be with WDS bridging.
    Should I be posting it in the bug repository?
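
Added example, not part of the original posts: one way to spot the behaviour described in the question from RADIUS accounting data, by flagging a Calling-Station-Id/User-Name pair that holds open sessions for several client IPs at once. The records are constructed, and the script assumes the accounting Start records carry Framed-IP-Address; the helper names are hypothetical.

```python
import re

def rec(time, status, sid, user, mac, ip):
    """Build one accounting record keyed by RADIUS attribute names."""
    return {"time": time, "Acct-Status-Type": status, "Acct-Session-Id": sid,
            "User-Name": user, "Calling-Station-Id": mac, "Framed-IP-Address": ip}

# Constructed sample data (not from the original post). Assumption: the
# accounting records carry Framed-IP-Address for each portal session.
RECORDS = [
    rec(100, "Start", "s1", "guest1", "02:00:00:aa:bb:01", "192.168.1.50"),
    rec(120, "Start", "s4", "guest2", "02:00:00:cc:dd:02", "192.168.1.60"),
    rec(160, "Start", "s2", "guest1", "02-00-00-AA-BB-01", "192.168.1.51"),
    rec(200, "Start", "s3", "guest1", "02:00:00:aa:bb:01", "192.168.1.52"),
    rec(300, "Stop",  "s4", "guest2", "02:00:00:cc:dd:02", "192.168.1.60"),
    rec(320, "Start", "s5", "guest2", "02:00:00:cc:dd:02", "192.168.1.61"),
]

def norm_mac(value):
    """Reduce aa:bb:.., AA-BB-.. and aabb.ccdd.. forms to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def shared_mac_sessions(records):
    """Return {(mac, user): [ips]} for every Calling-Station-Id/User-Name pair
    that had more than one client IP holding an open session at once."""
    open_sessions = {}   # Acct-Session-Id -> (mac, user, ip)
    peak = {}            # (mac, user) -> largest set of concurrent IPs seen
    for r in sorted(records, key=lambda r: r["time"]):
        sid = r["Acct-Session-Id"]
        if r["Acct-Status-Type"] == "Stop":
            open_sessions.pop(sid, None)
            continue
        if r["Acct-Status-Type"] != "Start":
            continue  # interim updates do not open or close a session
        key = (norm_mac(r["Calling-Station-Id"]), r["User-Name"])
        open_sessions[sid] = key + (r["Framed-IP-Address"],)
        live = {ip for mac, user, ip in open_sessions.values() if (mac, user) == key}
        if len(live) > len(peak.get(key, ())):
            peak[key] = live
    return {k: sorted(v) for k, v in peak.items() if len(v) > 1}

if __name__ == "__main__":
    for (mac, user), ips in shared_mac_sessions(RECORDS).items():
        print(f"{user} via {mac}: {len(ips)} concurrent client IPs {ips}")
```

In the sample, guest2 logging in again from a new IP after a Stop is not flagged, because the two sessions never overlap.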


