Adding X amount of Mac Addresses in Captive Portal whitelist (csv etc.)

PRNOHFT

Hi all,

I tried searching for a way to add X amount of users to whitelist (1188 users to be precise) onto the captive portal allowed mac address but adding one by one would take a while. Is there a way for us to import a list? I have the XML with me and looking at the backup configs I can see the users that I added in (I only added about 8?). Is there a template that I can follow?

tomj

I am also looking for some type of an automated method where I can have a remote Linux server directly add/modify/delete mac address in the Captive Portal Mac Pass-Through in PfSense using a SSH CLI.  I am pretty good with automated telnet/ssh scripts using expect, but I have no idea how to use an automated web interface using a program something like WGET or CURL.

I have about 1,000 clients and use CP with Radius checks to an external FreeRadius server.  Although it works, it has it's problems.  Sometimes a MAC will be in my Radius users file but CP will not authenticate the MAC.  However, the CP MAC pass-through appears to always work.

I think I started seeing this problem somewhere around PfSense 2.1.5 where Captive Portal checking to an external Radius server started breaking and not authenticating all MAC address.

PRNOHFT

OK I might have found a way but it is;
1.) tedious
2.) time consuming-ish
3.) i don't like it

Save a backup.xml of pfsense (Diagnostics - Backup/Restore) and use an XML Editor (I'm using editix XML editor. its FREE~).
Look for the function that is <passthrumac></passthrumac>. You should see an example if you have one mac address in the config.
In an Excel file, add 3 columns. action in one column,  mac in the second and descr in the third.
For the action column. Just type pass for all the users that you want (i think you can set it to deny as well?).
The 'mac' column has to be in aa:bb:cc:dd:ee:ff format.
the descr column can be anything because its description.
Once you're ready, use an online CSV to XML converter (or if you have one handy. I don't. I use http://www.luxonsoftware.com/converter/csvtoxml)
Keep the settings to default.

Here is the tough part.
In Editix, Ctrl + F your way to replace
<descr>to to ]]></descr>
<table1>to <passthrumac></passthrumac></table1> to

Ensure that when you press Ctrl + F, the options have Case Sensitive and Regular Expressions checked. (this is using Editix XML Editor)

Once you've done that you should see that the config is similar or CLOSE to what PFSense had. Copy all of the contents and save the XML.
Restore it.

Pray to gods of open source it works.

And you're done!
Total time I took is around 30 mins for my first time.

PRNOHFT

Alright I tried this method but it seems that some devices do not go through Mac Authentication despite the mac address is inside the allowed MAC. Anyone can help / explain?

Thanks.

I'm running ESXi + Pfsense w/ FreeRADIUS btw.

serlogo53

@tomj hi. How do you add Mac adresi in cli? Can you help me?

Gertjan

@serlogo53
After more then 6 years, pfSense still doesn't have a API or 'cli' access to all it's settings.
pfSense is web based.

It can be done, of course, as the GUI is after all just good old plain PHP.

If you are using and can work with FreeRadius : https://wiki.freeradius.org/guide/mac-auth#plain-mac-auth

But ..... check out /usr/local/etc/raddb/sites-enabled/default, line 24 :

##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####

which means you have to modify the FreeRadius pfSense packet source files yourself .....