Feature #14093

closed

Captive Portal permits user to authenticate / log into wrong vlan ID selected in freeRadius

Added by Dale Harron about 1 year ago. Updated about 1 year ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

When two or more separate Captive Portals use freeRadius for authentication and a user exists in freeRadius with a VLANID matching only one of those Portals, Captive Portal will permit the user to log into any portal (VLAN ID) that authenticates using freeRadius. freeRadius will track and cumulate all time and data use against the one user, but two or more user sessions will be active based separately on each of the Captive Portal settings. Even if both Captive Portals are set to "last login", one session will be active on each freeRadius authenticated portal. freeRadius will send False responses to Captive Portal for both logins separately when accounting checks are completed by Captive Portal. I believe this requires Captive Portal to inspect the freeRadius VLANID accounting data prior to sending the authentication request or possibly attaching the VLANID to the request itself?

Actions #1

Updated by Jim Pingle about 1 year ago

  • Status changed from New to Rejected

The solution here is to set each portal to use the RADIUS server in a different way, either with a different NAS Identifier in the portal settings, or something along those lines (maybe separate definitions that send a different NAS IP), and then filter that as you want on the RADIUS server.

tl;dr the authentication server should be making the authentication decisions, not the portal.
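
The following is an added example, not part of the original ticket or of pfSense or FreeRADIUS code: a Python model of the server-side filter suggested above (reject when the portal's NAS-Identifier does not correspond to the user's VLAN), plus a check over accounting records for the cross-portal sessions described in the report. The NAS-Identifier values, user names, VLAN numbers and records are constructed assumptions.

```python
# Added illustration: models the RADIUS-side decision; not pfSense or FreeRADIUS code.
# Constructed mapping: NAS-Identifier each portal sends -> VLAN it serves (assumption).
PORTAL_VLAN = {"cp-vlan10": 10, "cp-vlan20": 20}
# Constructed user table: the VLAN ID stored for each RADIUS user (assumption).
USER_VLAN = {"alice": 10, "bob": 20}

def authorize(request):
    """Return (accepted, reason) for an Access-Request given as an attribute dict."""
    user = request.get("User-Name")
    nas = request.get("NAS-Identifier")
    if user not in USER_VLAN:
        return False, "unknown user"
    if nas not in PORTAL_VLAN:
        # Missing or unrecognised NAS-Identifier: fail closed.
        return False, "unknown NAS-Identifier"
    if PORTAL_VLAN[nas] != USER_VLAN[user]:
        return False, "user VLAN does not match portal"
    return True, "ok"

def cross_portal_sessions(acct_records):
    """Replay accounting Start/Stop records and return the users that held
    sessions on more than one NAS-Identifier at the same time."""
    active = {}       # user -> {Acct-Session-Id: NAS-Identifier}
    flagged = set()
    for rec in acct_records:
        sessions = active.setdefault(rec["User-Name"], {})
        if rec["Acct-Status-Type"] == "Start":
            sessions[rec["Acct-Session-Id"]] = rec["NAS-Identifier"]
            if len(set(sessions.values())) > 1:
                flagged.add(rec["User-Name"])
        elif rec["Acct-Status-Type"] == "Stop":
            sessions.pop(rec["Acct-Session-Id"], None)
    return sorted(flagged)

# Constructed accounting records reproducing the behaviour in the report.
SAMPLE_ACCT = [
    {"User-Name": "alice", "NAS-Identifier": "cp-vlan10", "Acct-Status-Type": "Start", "Acct-Session-Id": "a1"},
    {"User-Name": "alice", "NAS-Identifier": "cp-vlan20", "Acct-Status-Type": "Start", "Acct-Session-Id": "a2"},
    {"User-Name": "bob", "NAS-Identifier": "cp-vlan20", "Acct-Status-Type": "Start", "Acct-Session-Id": "b1"},
    {"User-Name": "bob", "NAS-Identifier": "cp-vlan20", "Acct-Status-Type": "Stop", "Acct-Session-Id": "b1"},
]

if __name__ == "__main__":
    print(authorize({"User-Name": "alice", "NAS-Identifier": "cp-vlan20"}))
    print(cross_portal_sessions(SAMPLE_ACCT))
```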
