Feature #14119
Status: open
Correct or fully implement, in Captive Portal authentication routines, the Tunnel attributes related to the freeRadius VLAN ID setting
Description
This may be either a bug or the completion of a partially implemented feature to support freeRadius users.
The captive portal authentication routines do not respect the VLAN ID setting in freeRadius, resulting in any freeRadius user being able to log into any Captive Portal that uses that freeRadius server for authentication. I assume the existence of the VLAN ID variable in freeRadius was intended to support Captive Portal authentication validation for a specified Captive Portal (i.e. VLAN) and it does not do so because the required Tunnel variables are not passed through to the authentication routine. Specifically, as an example:
/* --NEW CODE --------Constant Definitions added here for now ------------------ */
define("RADIUS_TUNNEL_TYPE", 64 );
define("RADIUS_TUNNEL_MEDIUM_TYPE", 65 );
define("RADIUS_TUNNEL_PRIVATE_GROUP_ID", 81 );
/* ----------------------------------------------------------------------------- */
I suggest (while acknowledging the 4096 byte accounting packet limit) that this information needs to be included in accounting packets and incorporated into the $attributes array for evaluation by the captiveportal.inc routine:
/* Authenticate users using Authentication Backend */
function captiveportal_authenticate_user(&$login = '', &$password = '', $clientmac = '', $clientip = '', $pipeno = 'null', $context = 'first') {
which calls the authenticate_user() function and/or the public function getAttributes() in Radius.php.
Once incorporated into the $attributes (or session, etc. arrays) it will be possible to test for a match in the captiveportal_authenticate_user() function against either the existing NAS-Identifier (32) value, or even to add the RADIUS_TUNNEL_PRIVATE_GROUP_ID (81) value to a new cell for VLAN ID in the Captive Portal GUI to match the syntax used in the freeRadius GUI and properly associate it with that tunnel.
During the authentication check any time after line 1295 in captiveportal.inc you would then be able to check this attribute against that set in the Captive Portal NAS-Identifier (simplest solution as it already exists) or the new Captive Portal GUI variable for VLAN ID in the Captive Portal GUI, resulting in the freeRadius user being rejected if attempting to log into a Captive Portal other than the one identified by the VLAN ID tunnel in the freeRadius user definition.
This is required to properly support multiple captive portals authenticating with the same, single freeRadius server. Although it may be possible to achieve this through more complex implementations, clearly this is the simplest way to properly support multiple Captive Portals authentication against a single machine, single instance of freeRadius and is already partially implemented in pfSense.
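As an added illustration of the check this request describes (example code written for this page, not pfSense or freeRadius code, and in Python rather than the PHP of captiveportal.inc): it parses the RFC 2868 tunnel attributes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-Id 81) out of the attribute section of a RADIUS Access-Accept, including the tag byte that groups the three together, and accepts the login only when a complete VLAN tunnel group matches the VLAN ID configured for the captive portal. The attribute bytes fed to it are constructed samples, and the fail-closed policy (a user whose reply carries no tunnel attributes is rejected) is an assumption of the example, not something the request specifies.

```python
"""Tunnel-attribute check for a captive portal, modelled in Python.

Added example for this request, not pfSense or freeRadius code.  Given the
attribute list from a RADIUS Access-Accept, it extracts the RFC 2868 tunnel
attributes and decides whether the user belongs on the portal's VLAN.
"""
from __future__ import annotations

# Attribute numbers from RFC 2868 (the same values the request defines).
RADIUS_TUNNEL_TYPE = 64
RADIUS_TUNNEL_MEDIUM_TYPE = 65
RADIUS_TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802


def parse_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Split the RADIUS attribute section into (type, value) pairs.

    Lengths are checked so a truncated or oversized attribute raises
    instead of silently yielding a partial value.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def split_tag(value: bytes, integer: bool) -> tuple[int, bytes]:
    """Separate the RFC 2868 tag byte from the attribute value.

    Tunnel-Type and Tunnel-Medium-Type are always a tag byte plus a 3-byte
    integer.  Tunnel-Private-Group-Id is a string whose first byte is a tag
    only if it lies in 0x00..0x1F; otherwise the whole value is the group
    id and it is treated as tag 0 (untagged).
    """
    if not value:
        raise ValueError("empty tunnel attribute")
    if integer:
        if len(value) != 4:
            raise ValueError("tunnel integer attribute must be 4 bytes")
        return value[0], value[1:]
    if value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def tunnel_vlans(attrs: list[tuple[int, bytes]]) -> dict[int, str]:
    """Return {tag: vlan_id} for each tag whose three attributes form a VLAN assignment."""
    types: dict[int, int] = {}
    media: dict[int, int] = {}
    groups: dict[int, str] = {}
    for atype, value in attrs:
        if atype == RADIUS_TUNNEL_TYPE:
            tag, raw = split_tag(value, integer=True)
            types[tag] = int.from_bytes(raw, "big")
        elif atype == RADIUS_TUNNEL_MEDIUM_TYPE:
            tag, raw = split_tag(value, integer=True)
            media[tag] = int.from_bytes(raw, "big")
        elif atype == RADIUS_TUNNEL_PRIVATE_GROUP_ID:
            tag, raw = split_tag(value, integer=False)
            groups[tag] = raw.decode("ascii", "replace")
    return {tag: vlan for tag, vlan in groups.items()
            if types.get(tag) == TUNNEL_TYPE_VLAN and media.get(tag) == TUNNEL_MEDIUM_IEEE802}


def allowed_on_portal(attrs: list[tuple[int, bytes]], portal_vlan: str) -> bool:
    """Decide the login: the Access-Accept must name this portal's VLAN.

    Policy assumed here (not stated in the request): fail closed, so a user
    whose reply carries no complete VLAN tunnel group is rejected on every portal.
    """
    return portal_vlan in tunnel_vlans(attrs).values()


def encode_tlv(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value


def vlan_reply_attrs(vlan: str, tag: int = 1) -> bytes:
    """Constructed sample: the three tagged attributes a VLAN user's Access-Accept carries."""
    return (encode_tlv(RADIUS_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_tlv(RADIUS_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + encode_tlv(RADIUS_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")))


if __name__ == "__main__":
    vlan100_user = parse_attributes(vlan_reply_attrs("100"))  # user defined for VLAN 100
    plain_user = parse_attributes(b"")                         # user with no tunnel attributes
    for portal in ("100", "200"):
        print(f"portal VLAN {portal}:",
              "vlan-100 user", "accept" if allowed_on_portal(vlan100_user, portal) else "reject",
              "/ no-tunnel user", "accept" if allowed_on_portal(plain_user, portal) else "reject")
```

The portal-side value compared here is the VLAN ID the request proposes adding to the Captive Portal GUI; comparing against NAS-Identifier instead is the same call with a different right-hand side. Matching is by tag group rather than by scanning for attribute 81 alone, so a Tunnel-Private-Group-Id that is not paired with Tunnel-Type VLAN and Tunnel-Medium-Type IEEE-802 under the same tag never authorizes a login.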