Captive Portal RADIUS MAC Authentication

  • Maybe this is more of a feature/improvement/idea than a bug, so please let me know if there's a more correct place for me to post this. The patch I wrote is against the 2.3-Beta, so that's why I'm posting here.

    When MAC RADIUS Authentication is enabled, the MAC RADIUS Authentication Secret is used as the password attribute sent with every RADIUS MAC Authentication request. Some RADIUS servers expect the MAC address to be used as the username and password for MAC authentication (e.g., Aruba Clearpass). Currently there's no way to allow this, so I'd like to propose a couple of options.


    Option 1
    If the radmac_secret configuration option is not set (i.e. the MAC RADIUS Authentication Secret field was left blank), then send the MAC address as both username AND password in each RADIUS MAC Authentication request.

    I've written a patch, which is available here:

    I have tested this with my own system, and it seems to behave correctly.

    Option 2
    Keep the current behavior in case of a blank MAC RADIUS Authentication Secret field (it looks like it sends a blank password), and allow a keyword (e.g., %CLIENTMAC%) to be used in the field to cause the behavior to occur. There's a similar behavior in the custom DDNS configuration, where inserting %IP% into the Update URL field causes the monitored interface's IP to be sent as part of the URL. The differences between this option and Option 1 above are pretty minor:

    The following lines from Option 1:

    ```php
    if (!isset($radmac_secret)) {
        /* use the clientmac as the password */
        $radmac_secret = mac_format($clientmac);
    }
    ```

    Would become something like this:

    ```php
    if (strpos($radmac_secret, "%CLIENTMAC%") !== false) {
        /* substitute the client MAC for the keyword in the configured secret */
        $radmac_secret = str_replace("%CLIENTMAC%", mac_format($clientmac), $config['captiveportal'][$cpzone]['radmac_secret']);
    }
    ```

    Obviously help text would need to mention the special keyword and its effect on RADIUS MAC Authentication. Something like this should be good:

    ```php
    ))->setHelp('Choose the value for the User-Password attribute sent in each RADIUS MAC Authentication request. ' .
                'If you wish for the Client\'s MAC address to be included in the request, put %CLIENTMAC% in its place.');
    ```

    This option seems like it would be more easily extended, if there was future desire to use other keywords in this field. I don't know of any real-world examples of other keywords that might be desired though, so I haven't tested this option on my system.
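    As an added illustration (not part of the patch or of pfSense's own code), the two options above combined into one password-derivation function for the RADIUS MAC Authentication request: a blank secret sends the MAC (Option 1), and a %CLIENTMAC% keyword in the secret is replaced by the MAC (Option 2). The names format_mac(), radmac_password() and RADMAC_KEYWORD are assumed, and format_mac() is a stand-in for pfSense's mac_format(), not a copy of it.

```php
<?php
// Added example, not pfSense code: derive the User-Password value for a
// captive-portal RADIUS MAC-authentication request under both proposed options.
// Assumed names: RADMAC_KEYWORD, format_mac(), radmac_password().

const RADMAC_KEYWORD = '%CLIENTMAC%';

// Canonicalise a client MAC to lower-case "aa:bb:cc:dd:ee:ff", or return null
// when the input is not exactly six hex octets (stand-in for mac_format()).
function format_mac(string $mac): ?string {
    $hex = strtolower(preg_replace('/[^0-9a-f]/i', '', $mac));
    if (strlen($hex) !== 12) {
        return null;
    }
    return implode(':', str_split($hex, 2));
}

// $radmac_secret is the "MAC RADIUS Authentication Secret" field as configured.
// Option 1: a blank field means "send the MAC as the password".
// Option 2: every occurrence of %CLIENTMAC% is replaced by the formatted MAC;
//           a field without the keyword is sent unchanged (current behaviour).
function radmac_password(string $radmac_secret, string $clientmac): ?string {
    $mac = format_mac($clientmac);
    if ($mac === null) {
        return null; // refuse to build a request from a malformed MAC
    }
    if ($radmac_secret === '') {
        $password = $mac;                                              // Option 1
    } else {
        $password = str_replace(RADMAC_KEYWORD, $mac, $radmac_secret); // Option 2
    }
    // RFC 2865 limits the User-Password string to 128 octets before encryption.
    return strlen($password) <= 128 ? $password : null;
}

// Constructed sample inputs covering each case.
$cases = [
    ['',                     '00-11-22-AA-BB-CC'], // blank secret -> MAC
    ['%CLIENTMAC%',          '00:11:22:aa:bb:cc'], // keyword alone -> MAC
    ['pre-%CLIENTMAC%-post', '001122AABBCC'],      // keyword inside other text
    ['static-secret',        '00:11:22:aa:bb:cc'], // no keyword -> unchanged
    ['%CLIENTMAC%',          'not-a-mac'],         // malformed MAC -> null
];
foreach ($cases as [$secret, $mac]) {
    var_export(radmac_password($secret, $mac));
    echo "\n";
}
```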

  • Rebel Alliance Developer Netgate

    That would be a feature request, though it isn't something we'd probably bring into 2.3 at this point (feature locked, in beta, almost RC, no new features right now)

    Getting that right would be a bit tricky, gut instinct tells me I'm not too crazy about using a keyword/macro there, but yet another checkbox isn't great either. And changing it to a drop-down would have its own awkward wording challenges.

  • Thanks for the response.

    I'll maintain and use the patch I wrote for now, since I need the feature immediately.

    Where would be the best place for further discussion of this feature request? Please excuse my ignorance, I'm trying to become more involved in the project after 6+ years of using and loving pfSense. Love what you're all doing with 2.3, it's looking pretty awesome!

  • Rebel Alliance Developer Netgate

    The development board here is a good place to start, eventually a feature request ticket may be made in redmine set to "future" once the details have been worked out.
