New feature request: option "pass users if RADIUS fails"



  • We use pfSense in two apartment buildings. We control our networks with pfSense (different VLANs). All works fine and very stable. In the main building we have two pfSense boxes in CARP mode (HA).

    Our guests access the internet via Captive Portal. The authorization and accounting is done with a separate RADIUS server with a database and daloRADIUS as management GUI.

    Even though we have high availability (HA) with pfSense, we have the risk that RADIUS or the database (or the VPN from the other building) goes down. In this case no internet guest can get access, and they see the message "RADIUS failure".

    Is it possible to extend the Captive Portal config page in the RADIUS area with a checkbox like "Pass users if RADIUS fails"?

    This option should have the effect in /usr/local/captiveportal/index.php that if RADIUS sends 3 (FAILURE) or RADIUS isn't reachable, the user is handled as if the option "Authentication none" were checked. Plus there should be an email notification to the administrator.

    Such an option could ensure short-term internet access in case of failure. The alternative of replicating the MySQL DB with two masters is too complex.

    Thank you for checking it and putting it on the feature request list.



  • Hi,

    I do understand that in the "RADIUS down" case you want to play it soft and have the user access the net anyway.
    Understand that just about every ISP on earth uses this rule: "RADIUS down => user disconnected" ;)

    The bad news: what you are asking, IMHO (and I hope to be proven wrong), will never reach the state of "feature request".
    The good news: it is rather easy to build some kind of tool on the pfSense device that executes every 5 minutes or so to see if RADIUS is up.
    If not (RADIUS does not reply), it will create a simple zero-byte file, called "the-test-file".
    When that small tool is working well, add right after here
    https://github.com/pfsense/pfsense/blob/master/etc/inc/captiveportal.inc#L1360
    an IF case like this:

    if (!file_exists("the-test-file")) {
        // do what is in the function as before
    } else {
        // grant user access as if user authentication wasn't needed
    }
    

    Some basic PHP and RADIUS knowledge is needed to implement it.

    No need to say that you could somewhat force your request by throwing in a bounty :)


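The periodic check described in the reply above, and the "RADIUS unreachable" half of the original request, as an added example (not pfSense project code and not the poster's script): it sends a RADIUS Status-Server request (RFC 5997) with the required Message-Authenticator, verifies the Response Authenticator on the reply, and creates or removes the zero-byte flag file that the captive-portal patch would test. The server address, shared secret and flag path are assumed values; the fail-open check also ignores a stale flag so a cron job that stops running cannot leave the portal open forever. Note the trade-off the thread already hints at: with this scheme, anything that keeps RADIUS from answering (an outage or a deliberate flood) turns the portal into an open network.

```python
"""RADIUS health probe driving a fail-open flag file (added example).

Run from cron every 5 minutes on the pfSense box; the captive portal
patch only has to call fail_open().
"""
import hashlib
import hmac
import os
import socket
import struct
import time

STATUS_SERVER = 12            # RFC 5997 request code
ACCESS_ACCEPT = 2             # reply an authentication server gives to Status-Server
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20
RADIUS_SECRET = b"testing123"             # assumed shared secret
FLAG_FILE = "/var/run/radius-fail-open"   # assumed path of "the-test-file"


def build_status_server(secret: bytes, ident: int, authenticator: bytes) -> bytes:
    """Status-Server packet with Message-Authenticator (attribute 80).

    The attribute value is HMAC-MD5 over the whole packet, computed with the
    attribute's 16 bytes zeroed, keyed with the shared secret (RFC 2869 5.14).
    """
    length = HEADER_LEN + 18
    packet = (struct.pack("!BBH", STATUS_SERVER, ident, length)
              + authenticator
              + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18)
              + bytes(16))
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:HEADER_LEN + 2] + mac


def make_reply(code: int, ident: int, request_authenticator: bytes,
               secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side of the exchange (used here to build test replies):
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(request_authenticator: bytes, reply: bytes, secret: bytes) -> bool:
    """True only if the reply's Response Authenticator matches (RFC 2865 3)."""
    if len(reply) < HEADER_LEN:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length < HEADER_LEN or length > len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request_authenticator
                           + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def probe(host: str, port: int, secret: bytes, timeout: float = 3.0) -> bool:
    """Return True only for an authentic Access-Accept with our identifier."""
    ident = os.urandom(1)[0]
    request_auth = os.urandom(16)
    request = build_status_server(secret, ident, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            return False
    return (verify_response(request_auth, reply, secret)
            and reply[0] == ACCESS_ACCEPT and reply[1] == ident)


def update_flag(radius_up: bool, flag_path: str = FLAG_FILE) -> bool:
    """Create (and touch) the zero-byte flag when RADIUS is down, remove it
    when it is back. Returns True when the portal should fail open."""
    if radius_up:
        try:
            os.remove(flag_path)
        except FileNotFoundError:
            pass
        return False
    with open(flag_path, "a"):
        pass
    os.utime(flag_path, None)   # refresh mtime so fail_open() sees it as fresh
    return True


def fail_open(flag_path: str = FLAG_FILE, max_age: float = 900.0) -> bool:
    """The check for the captive-portal patch: flag present and refreshed
    within max_age seconds (3 missed cron runs at a 5-minute interval)."""
    try:
        age = time.time() - os.stat(flag_path).st_mtime
    except FileNotFoundError:
        return False
    return age <= max_age


if __name__ == "__main__":
    up = probe("10.0.0.2", 1812, RADIUS_SECRET)   # assumed RADIUS server address
    # An email to the administrator would go here when the state changes.
    print("fail open" if update_flag(up) else "radius ok")
```

The probe deliberately checks the Response Authenticator and identifier rather than just "something came back on the port", so a stray datagram cannot make the script believe the server is healthy; the same verification is what the captive portal itself should already be doing on real Access-Accept replies.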

  • What is preventing you from making the RADIUS server redundant?



  • Creating master-master replication is way easier than creating some RADIUS monitoring script.

