Captive Portal RADIUS MAC Authentication Improvement Idea



Hello, I posted a related topic in the 2.3-RC thread, found here: https://forum.pfsense.org/index.php?topic=107792.msg600432

The Problem
pfSense RADIUS MAC authentication currently only supports a static password sent with each RADIUS authentication request.

In my environment, using Aruba ClearPass as the RADIUS server, these requests must contain the MAC address as the password.

Research
I looked at documentation for the same feature of three switch vendors (Cisco, Juniper, and HPE), and they all support sending the MAC address as both the username and the password.

Cisco and Juniper do not support using a static password for these authentication requests, and HPE supports a static password with an additional configuration command (the default is to use the MAC as the password).

Based on what I found, it seems reasonable to assume that those same vendors' RADIUS server offerings support the same methods as their switches.

My proposal
Bring the pfSense feature to parity with that of other vendors: continue supporting a static password, but allow for the use of the MAC address for the password too.

In my original post, I suggested two options. I now believe Option 1 is the better of the two. It is simpler and easier to understand and code.

The possible drawback that I can think of immediately is the case where someone has configured their own RADIUS server to authenticate MAC addresses with blank passwords.

Option 1
If the radmac_secret configuration option is not set (i.e. the MAC RADIUS Authentication Secret field was left blank), then send the MAC address as both username AND password in each RADIUS MAC Authentication request.

I believe my patch, found at https://github.com/twilley/pfsense/commit/37738063034517cf2f7ec846122bf05d699d2dcf is still relevant.
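The Option 1 rule above, worked through as an added example that is not part of the original post and not pfSense's own code: it builds a RADIUS Access-Request (RFC 2865) for MAC authentication, puts the MAC in User-Name, and uses the static secret as User-Password only when `radmac_secret` is non-empty, otherwise the MAC itself. It also shows the server side decoding the hidden User-Password, so the effect of the rule can be checked end to end. The option name `radmac_secret` comes from the post; the MAC canonical form (lowercase, colon-separated), the Calling-Station-Id attribute, and the shared secret and Request Authenticator values are assumptions of this example.

```python
"""RADIUS MAC-auth Access-Request with the post's Option 1 password rule.
Added example; not pfSense code. Constructed values only, nothing is sent."""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

# RADIUS packet code and attribute types (RFC 2865)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
CALLING_STATION_ID = 31


def normalize_mac(mac: str) -> str:
    """Canonical MAC used for User-Name and, under Option 1, User-Password.
    Assumption of this example: lowercase, colon-separated ('aa:bb:cc:dd:ee:ff')."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_auth_credentials(mac: str, radmac_secret: Optional[str]) -> Tuple[str, str]:
    """Option 1: a configured static secret wins; a blank/unset secret means
    the MAC is sent as the password as well as the username."""
    username = normalize_mac(mac)
    password = radmac_secret if radmac_secret else username
    return username, password


def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: NUL-pad to a multiple of 16
    (at least one block), XOR each block with MD5(secret + previous ciphertext
    block), the first block keyed by the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server computes it.
    Trailing NUL padding is stripped (fine for MACs and printable secrets)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(mac: str, radmac_secret: Optional[str], shared_secret: bytes,
                         identifier: int = 0, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying User-Name, hidden User-Password and Calling-Station-Id."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    username, password = mac_auth_credentials(mac, radmac_secret)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), shared_secret, authenticator))
             + attribute(CALLING_STATION_ID, username.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, shared_secret: bytes) -> Dict[str, str]:
    """Server-side view: decode the header and attributes, un-hiding the password."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed packet")
    authenticator, fields, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == USER_NAME:
            fields["username"] = value.decode()
        elif attr_type == USER_PASSWORD:
            fields["password"] = reveal_password(value, shared_secret, authenticator).decode()
        elif attr_type == CALLING_STATION_ID:
            fields["calling_station_id"] = value.decode()
        pos += attr_len
    return fields
```

With `radmac_secret` left blank, `parse_access_request` returns the same MAC string for both `username` and `password`, which is what a ClearPass-style MAC-auth policy expects; setting the secret keeps today's static-password behaviour unchanged. Note that the User-Password hiding is MD5-based obfuscation keyed by the RADIUS shared secret, not encryption, so it offers no confidentiality against anyone who holds that secret; for MAC-as-password the "secret" is in any case already on the wire in User-Name.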