Radius server on third NIC



  • Hi,

    I have a pfsense box normally configured with WAN and LAN NICs.  LAN subnet is 192.168.33.0

    I want to enable the captive portal for WAN access but our w2003 server radius service is on another subnet 10.130.34.0.  When I have installed a third NIC card in the pfsense box and given it an address in this subnet, what else do I need to do to be able to correctly connect the pfsense box to the radius server on this subnet?

    regards

    Tor





  • Yeah,

    This is the tutorial I'm using, however as I mentioned in OP the radius server is connected to a third NIC in my pfsense box.  Hence I need to create rule(s) which give pfsense proper access to its radius server (and not more than that).  If someone can give me some hints on which rules to apply so the pfsense box can communicate to/from the radius server as if the latter was directly connected to the LAN subnet (as it is in the demo).

    My setup is like this:

    Internet
      |
    DHCP
      |
    WAN NIC (id=rl0)
      |
    pfsense box – OPT nic (id=xl1)  IP 10.130.0.35  <-> win2003 DC w/radius IP 10.130.0.5
      |
    LAN nic (id=xl0)
      |
    subnet 192.168.33.0 (with radius authenticated internet users)

    Thanks a lot if someone has a minute ..

    regards,  Tor



  • Radius communication happens between ports 1812, 1645 for authentication and 1813, 1646 for accounting by default (unless you change these values at your server). You should allow these ports at your OPT interface from source <RADIUS server IP> to destination any (try first with any, then tighten the rules after it's working). I'm not really sure why these rules should be needed as the pfSense is opening the connection to the radius server but give it a try.



  • As a beginning I tried to apply a very general rule for the OPT interface (which I call 'RADIUS'):

    proto: * 
    source: RADIUS net
    port: *
    destination: *
    port: *
    gateway: *

    Shouldn't this give the same access to the pfsense config GUI (and to a radius server) from this network as if they were connected to the default LAN nic?

    What else do I need to do to have a third nic (called RADIUS) with the same rules and possibilities as the default LAN nic?

    Tor
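
    As an added example (not code from anyone in this thread), here is a small Python model of pfSense's stateful, first-match, default-deny interface rules, using the addresses from the diagram above. It assumes pfSense's default of not filtering traffic the firewall itself originates, and it shows that the RADIUS reply is admitted by state rather than by the tightened "RADIUS server -> any, ports 1812-1813" rule, while the wide "RADIUS net -> any" rule above also admits unrelated traffic from that subnet.

```python
import ipaddress
from collections import namedtuple

# iface: interface the packet arrives on, or "self" when pfSense itself originates it
Packet = namedtuple("Packet", "iface proto src sport dst dport")

class Rule:
    """A pass rule on one interface: proto/src_net/dst_net may be "*", dports is (low, high) or None."""
    def __init__(self, iface, proto, src_net, dst_net, dports=None):
        self.iface, self.proto, self.dports = iface, proto, dports
        self.src_net, self.dst_net = src_net, dst_net

    @staticmethod
    def in_net(net, addr):
        return net == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

    def matches(self, p):
        return (p.iface == self.iface and self.proto in ("*", p.proto)
                and self.in_net(self.src_net, p.src) and self.in_net(self.dst_net, p.dst)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1]))

class Firewall:
    """Stateful, first-match, default-deny. Rules filter traffic entering an interface;
    traffic the firewall itself originates is passed (pfSense's default behaviour)."""
    def __init__(self, rules):
        self.rules, self.states = list(rules), set()

    def handle(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.states or reverse in self.states:
            return "pass:state"      # reply to a flow that was already allowed
        if p.iface == "self" or any(r.matches(p) for r in self.rules):
            self.states.add(flow)
            return "pass:self" if p.iface == "self" else "pass:rule"
        return "block:default-deny"

# Constructed addresses follow the diagram above: OPT 10.130.0.35, RADIUS server 10.130.0.5.
TIGHT = [Rule("OPT", "udp", "10.130.0.5/32", "*", (1812, 1813))]  # the suggested tightened rule
WIDE = [Rule("OPT", "*", "10.130.0.0/24", "*")]                   # the "RADIUS net -> any" rule

def radius_exchange(rules):
    """pfSense sends an Access-Request, the server answers, then something unrelated arrives on OPT."""
    fw = Firewall(rules)
    request = Packet("self", "udp", "10.130.0.35", 50000, "10.130.0.5", 1812)
    reply = Packet("OPT", "udp", "10.130.0.5", 1812, "10.130.0.35", 50000)  # dport 50000: state, not rule
    stray = Packet("OPT", "tcp", "10.130.0.5", 4444, "192.168.33.10", 445)
    return fw.handle(request), fw.handle(reply), fw.handle(stray)
```

    With TIGHT the stray connection is blocked and the RADIUS exchange still completes; with WIDE the same stray connection is passed by the rule.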



  • action accept
    proto: tcp
    source: LAN net
    port: any
    destination: RADIUS net
    port: 1812-1813
    gateway: default

