Captive Portal RADIUS authentication doesn't work after upgrade to 2.3



  • Hi all,

    I just upgraded 2.2.6-RELEASE (amd64) to 2.3-RELEASE (amd64) (no optional packages are installed). Unfortunately, our Captive Portal ceased to work after the upgrade. The CP uses RADIUS auth with MSCHAPv2 to external production RADIUSes. The only change in this construct was the upgrade from 2.2.6 to 2.3. The setup of the CP is like this:

    
    Internet ---- Router ---- (wan) pfSense ---- (lan) ---- Guest network
                    |
                    |
                  RADIUS
    
    

    The CP runs on (lan). It worked for months without a problem, so I can rule out a general configuration problem.

    To narrow down the problem I ran a packet capture on (wan). Unfortunately there were no RADIUS packets visible during login attempts on the CP so I suspect that the login never triggered pfSense to run a RADIUS authentication. Also, a tcpdump on the RADIUS server showed that no RADIUS packets arrived from pfSense. Is this a known issue? All other aspects of the CP seem to work (addresses are assigned via DHCP, the HTTP catch-all works and a client is forwarded to the CP page). Do you have any suggestions how to narrow the problem down further? Firewall logs on pfSense didn't show any blocked RADIUS packets (and I don't see any reasons why there should be, it used to work on 2.2.6 and the ruleset wasn't modified). Any help would be highly appreciated. :)



  • I have talked to a colleague at another university, they have the exact same problem (CP with RADIUS auth doesn't work on pfSense 2.3 anymore). This seems to be a general bug. I've reserved a time window following Monday to test this again. I'd highly appreciate if anyone familiar with the CP/RADIUS construct could give us some advice what to look for. Thanks in advance for your help!



  • A thought: Have you tried removing any custom wifi login page you might have and just use the default? There may be a subtle change in the syntax/requirements in the login page which might not be obvious. I mention this only because I've seen a minor change of wording/requirements in the wifi login page instructions on the config page. If the default works, then there may be some change you may need to make to your custom page to get your RADIUS connection working.



  • Read this: https://forum.pfsense.org/index.php?topic=109829.0
    And please give feedback if it works for you or not.



  • muswellhillbilly: Yes, good idea. I'll try that.

    robi: I don't have any PHP includes on any of the CP pages (we don't use pre-authentication redirects or anything). We only have the simple HTML form for supplying username and password (as mentioned on the pfSense 2.3 CP configuration page). The only thing that we don't have (except for the voucher field, which we don't use anyhow) is the hidden form input

    It could well be that this is the cause of the problem because I don't recall that this hidden form input was needed in 2.2.6. I'll have a look at this and come back to you.



  • This was indeed the problem. The system log yielded an "/index.php: Submission to captiveportal with unknown parameter zone:" entry. After including the above hidden input, everything started to work. It's rather strange that the same portal worked under 2.2.6 without the hidden input. Oh well, it's nice that it's working now. Thanks for your hints. :)



  • Hi friend, please elaborate on your answer. I am a beginner. Sorry to disturb you during your busy time.



  • @bhelrajesh:

    Hi friend, please elaborate on your answer. I am a beginner. Sorry to disturb you during your busy time.

    Elaborate how? What don't you understand? The line "" was missing from the customised login page for the portal. Adding it solved the problem.



  • Hi friend, I have not customized anything on the login page but I have an error like this: /index.php: Submission to captiveportal with unknown parameter zone



  • If you upgraded your firewall to 2.3, the suggestion was to amend the captive portal page with the 'missing' parameter mentioned in the previous posts. The parameters required are all listed on the captive portal config page. If you were using the standard CP page before you upgraded, then try loading a new page with all the required parameters included.



  • Hi friend, good morning. Is there any good tutorial for configuring a Captive Portal on a new installation? Please provide a link for that.



  • I would love to see that tutorial also. Thank you!



  • Apart from the Captive Portal https://doc.pfsense.org/index.php/Captive_Portal docs you don't really need that much documentation. The options available for the CP are self-explanatory. If you don't want to use the default CP templates for the web page, all you need to do is to write your own page and include the mandatory HTML form that is described in the configuration options. You then upload the page you created via the file upload option on the CP configuration page. The only thing you need to be aware of is that all uploaded files get the prefix "captiveportal-". If you include any files on your custom page, make sure to include this prefix. Using RADIUS as an external authentication mechanism works very well. You need to consult the docs of your RADIUS server on how to configure the authentication mechanism that you choose for your CP.

    If you need to use vouchers, please look at https://doc.pfsense.org/index.php/Captive_Portal_Vouchers.
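
An added example, not part of any post in this thread and not pfSense code: a small linter for a custom portal page that reports the two mistakes discussed above, a login form without the hidden `zone` input and included files that lack the "captiveportal-" prefix. The field names other than `zone` and the `$PORTAL_...$` placeholders are assumptions based on the form shown on the CP configuration page; check them against your version. The sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed field names (form shown on the CP configuration page); "zone" is
# the one this thread found missing after the 2.3 upgrade.
REQUIRED = {"auth_user": None, "auth_pass": None,
            "redirurl": "hidden", "zone": "hidden"}
PREFIX = "captiveportal-"  # prefix pfSense gives every uploaded file

class PortalPageLint(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.inputs = {}   # input name -> type, only inside a POST form
        self.assets = []   # relative src/href references to uploaded files

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("method", "").lower() == "post":
            self.in_form = True
        elif tag == "input" and self.in_form and a.get("name"):
            self.inputs[a["name"]] = a.get("type", "text").lower()
        if tag in ("img", "script", "link"):
            ref = a.get("src") or a.get("href") or ""
            if ref and not urlparse(ref).scheme and not ref.startswith(("/", "#")):
                self.assets.append(ref)

    def handle_endtag(self, tag):
        self.in_form = self.in_form and tag != "form"

def lint_portal_page(html):
    """Return a list of problems found in a custom portal page."""
    p = PortalPageLint()
    p.feed(html)
    problems = []
    for name, wanted in REQUIRED.items():
        if name not in p.inputs:
            problems.append(f"missing input '{name}'")
        elif wanted and p.inputs[name] != wanted:
            problems.append(f"input '{name}' should be type={wanted}")
    for ref in p.assets:
        if not ref.rsplit("/", 1)[-1].startswith(PREFIX):
            problems.append(f"asset '{ref}' lacks '{PREFIX}' prefix")
    return problems

# Constructed sample: a pre-2.3 style custom page with no zone field.
OLD_PAGE = """<img src="logo.png"><form method="post" action="$PORTAL_ACTION$">
<input name="auth_user" type="text"><input name="auth_pass" type="password">
<input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
<input name="accept" type="submit" value="Continue"></form>"""
```

Run `lint_portal_page()` on the page before uploading it; an empty list means the form fields and file references pass both checks.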



  • If pictures are your thing, here's a tutorial video as well.

    Youtube Video



  • It is the redirection issue after successful login that is my concern. It doesn't redirect anymore after upgrading to 2.3.



  • Have you checked that your DNS is working? Redirection won't happen if DNS isn't functioning.



  • DNS is functioning well. I just noticed though that here in 2.3, I had to go from DNS Resolver to DNS forwarder because I encountered issues in Facebook lately, which is relatively beneficial because in DNS Resolver, I can't make the OpenDNS work. I just can't make my CP redirect after authentication up until now.

    By the way, if I restore the "Portal page contents" to the default page, redirection works. Could there be issues about the code? I tried using only the sample form code below but still with no luck to make the redirection work.



  • @unixaccent:

    By the way, if I restore the "Portal page contents" to the default page, redirection works. Could there be issues about the code?

    Obviously, yes. Take the default config page code and amend it to work with your custom page. If necessary change the code slightly as you go along and wait until the redirect stops working. That should help you narrow down the faulty code.



  • Honestly I don't know where to start. I am not a coder and at the moment I am looking at the /etc/inc/captiveportal.inc. I'd like to know if I am on a right path and if not, can you point me where to get the default page.

    Thank you muswellhillbilly.



  • The code in the example should work, assuming your DNS is configured correctly. Check that you can resolve hostnames correctly within the captive portal network before anything else. Redirection can't work if name resolution doesn't work.

    When you create a new captive portal page, the file is placed in '/var/etc/captiveportal*.html'. This is the file you need to edit to tweak the code if you need to. The /etc/inc/captiveportal.inc file appears to create the default captive portal page automatically if no other customised page is present, judging from the code I've seen. However you tweak your custom login page, you only have to ensure the lines mentioned in the example are present and your DNS is working to ensure redirection works.



  • Thank you muswellhillbilly. I'm grateful that you have pointed me to the right understanding, especially the notes about '/var/etc/captiveportal*.html' and /etc/inc/captiveportal.inc. By relying also on your previous replies, I have isolated my issues. I noticed that the manual logout page I have been using no longer works in 2.3. When I uploaded my customized login page, and set default on the error page and logout page, I was able to make the redirection successful.

    This would again be countless searching about how to implement a successful manual logout page in 2.3. I appreciate your help. I know it would be improper to ask in this thread about the manual logout page. :)

