
    New feature request option "pass users if radius fails"

    • E
      Enrica_CH
      last edited by

      We use pfSense in two apartment buildings. We control our networks with pfSense (different VLANs). All works fine and very stable. In the main building we have two pfSense in CARP mode (HA).

      Our guests access the internet via Captive Portal. The authorization and accounting is done with a separate RADIUS server with a database and daloRADIUS as management GUI.

      Even though we have high availability (HA) with pfSense, we have the risk that RADIUS or the database (or the VPN from the other building) goes down. In this case all internet guests can't get access and see the message "RADIUS failure".

      Is it possible to extend the Captive Portal config page in the RADIUS area with a checkbox like "Pass users if RADIUS fails"?

      This option should have the effect in /usr/local/captiveportal/index.php that if RADIUS sends 3 (FAILURE) or RADIUS isn't reachable, the user is handled as if the option "Authentication none" were checked. Plus there should be an email notification to the administrator.

      Such an option could ensure short term internet access in case of failure. The alternative to replicate MySQL db with two masters is too complex.

      Thank you for checking it and putting it on the feature request list.

      • GertjanG
        Gertjan
        last edited by

        Hi,

        I do understand that in the "Radius down" case you want to play it soft, and have the user access the net anyway.
        Understand that about every ISP on earth uses this rule: "radius down => user disconnected" ;)

        The bad news: What you are asking, imho (and I hope to be proven wrong), will never reach the state of "feature request".
        The good news: it is rather easy to build some kind of tool on the pfSense device that executes every 5 minutes or so to see if Radius is up.
        If not (Radius does not reply), it will create a simple zero byte file - called "the-test-file".
        When that small tool is working well, add right after here
        https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L1360
        an IF case like this:

        if (!file_exists("the-test-file")) {
            // do what is in the function as before
        } else {
            // grant user access as if user authentication wasn't needed
        }
        

        Some basic PHP and Radius knowledge is needed to implement it.

        No need to say that you could somewhat force your request by throwing in a bounty :)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
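
The periodic check described in the post above, as an added example (not code from this thread or from pfSense): it sends a RADIUS Status-Server probe and maintains the flag file. Assumptions: a Python 3 interpreter is available where it runs, the RADIUS server answers Status-Server (RFC 5997), and the flag path, counter file, host and secret are constructed values.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER, MSG_AUTH = 12, 80   # RFC 5997 packet code, Message-Authenticator type
FLAG = "/tmp/the-test-file"        # assumed location of the post's "the-test-file"

def build_status_server(secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Status-Server packet carrying an HMAC-MD5 Message-Authenticator."""
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + req_auth
    attr = bytes([MSG_AUTH, 18])
    mac = hmac.new(secret, header + attr + bytes(16), hashlib.md5).digest()
    return header + attr + mac

def reply_is_valid(reply: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """True only for a reply to our request with a correct Response Authenticator."""
    if len(reply) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return False
    reply = reply[:length]  # ignore padding after the declared length
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host: str, port: int, secret: bytes, timeout: float = 3.0) -> bool:
    """Any authenticated reply (even Access-Reject) means RADIUS is up."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_status_server(secret, ident, req_auth), (host, port))
            reply, _ = s.recvfrom(4096)
        except OSError:          # timeout or network error: no reply
            return False
    return reply_is_valid(reply, ident, req_auth, secret)

def update_flag(up: bool, misses: int, threshold: int = 3, flag: str = FLAG) -> int:
    """Create the flag after `threshold` consecutive misses; remove it on a reply."""
    misses = 0 if up else misses + 1
    if up:
        if os.path.exists(flag):
            os.remove(flag)
    elif misses >= threshold:
        open(flag, "w").close()  # zero-byte file, as in the post
    return misses

if __name__ == "__main__":       # constructed host and secret; run from cron
    counter = FLAG + ".misses"
    misses = int(open(counter).read()) if os.path.exists(counter) else 0
    misses = update_flag(probe("192.0.2.10", 1812, b"constructed-secret"), misses)
    open(counter, "w").write(str(misses))
```

Requiring several consecutive misses keeps a single dropped UDP packet from opening the portal, and the flag disappears on the first authenticated reply.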

        • GruensFroeschliG
          GruensFroeschli
          last edited by

          What is preventing you from having the radius server redundant?

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          • E
            EMWEE
            last edited by

            Creating master master replication is way easier than creating some RADIUS monitoring script.
