Captive Portal + LDAP login (is it enabled in 2.2?)



  • Hi!
    We are testing pfSense to replace our current firewall software, Kerio Control.
    We are trying to set up a Captive Portal in which our users can log in with their Active Directory credentials.
    Also, I set up a group "InternetOK" on the Domain Controller with the users that should have access to the Captive Portal, and created the same user group in pfSense with the privilege "User - Services - Captive portal login".

    We didn't have any trouble setting up LDAP login for the WebConf in pfSense 2.1, but we found that this protocol wouldn't be possible until pfSense 2.2 (this message).
    Also, in this bugtracker issue it says that "In Captive Portal we have native, ldap and radius authentication…".
    So I upgraded the firmware to a 2.2 SNAPSHOT (2.2-BETA (i386) built on Thu Nov 06 03:59:42 CST 2014 FreeBSD 10.1-RC4-p1) to test it. However, I cannot find a way to authenticate through the Captive Portal via LDAP.
    The authentication options still say:
    "• No Authentication
     • Local User Manager / Vouchers
       Allow only users/groups with 'Captive portal login' privilege set
     • RADIUS Authentication
       Radius Protocol: PAP, CHAP_MD5, MSCHAPv1, MSCHAPv2"

    Do you know any way in which I can log in to the Captive Portal with LDAP (AD) credentials?





  • @heper:

    missed the sticky post?  https://forum.pfsense.org/index.php?topic=63791.0

    Hi!
    Thanks for your reply, but no, I did not miss it.
    It explains how to set up the Captive Portal with RADIUS; I was looking for a way to authenticate with AD directly, just like the way you can log in to the webConfigurator with AD credentials, but for the Captive Portal.

    As it says in this post (https://forum.pfsense.org/index.php?topic=60658.msg326709#msg326709), I was looking for a way to tie the User Manager to Captive Portal, since I already set up my AD as an auth server in the User Manager.

    Why can't I use RADIUS, you may ask. Because our Active Directory Server is Windows 2003 Standard. This means that I have a limit of 50 users (http://technet.microsoft.com/en-us/library/cc738432(v=ws.10).aspx), which is a limit that I may reach pretty soon.



  • I was not aware of the limitation of the 2k3 servers; I've only used 2k8r2 and newer for AD/RADIUS authentication … that works flawlessly, by the way.
    It does say

    with a maximum of 50 RADIUS clients

    Would every user be counted as a RADIUS client? It could mean that pfSense is 1 RADIUS client, and that you could have 49 other servers/services contacting your RADIUS server.

    I know of no other way to get CP integrated with AD … maybe someone else can confirm or deny other means of auth.



  • RADIUS is fine. The limit is 50 RADIUS clients, not users. One firewall = one client. One firewall with a million users logged in = 1 client.



  • @heper:

    Would every user be counted as a RADIUS client? It could mean that pfSense is 1 RADIUS client, and that you could have 49 other servers/services contacting your RADIUS server.

    @cmb:

    RADIUS is fine. The limit is 50 RADIUS clients, not users. One firewall = one client. One firewall with a million users logged in = 1 client.

    Thanks for your clarifications! I'll look into it.



  • Hi,

    Did this work out for you? If not, another solution may be to connect AD to a FreeRADIUS server and connect that to your captive portal.

    http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO