Bug #8998


All Captive Portal zones send only "CaptivePortal" as NAS Identifier

Added by Jim Pingle almost 6 years ago. Updated over 5 years ago.

Captive Portal
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


Before 2.4.4, each Captive Portal zone had a configurable NAS Identifier. With multiple zones, each instance could use a unique identifier for the RADIUS server to distinguish between them.
On 2.4.4, every zone sends only "CaptivePortal" as the NAS Identifier with no way to customize the value.

A few possible solutions here:

  • Bring back the custom NAS Identifier field on Captive Portal settings -- Same as before
  • Add a field to the RADIUS server options for NAS Identifier (user could add one server profile per zone to achieve the same effect)
  • Automatically add the zone name to the current code so that each zone sends CaptivePortal-<zone name> instead of only CaptivePortal

The last option is the easiest, but the first option would be the path of least resistance for upgrade users.

Actions #1

Updated by Hostmaster BI almost 6 years ago

Another weight for the first Option: If i Restore a Backup from an old Version (also in case of update) the field is automaticly filled with the right identifier.

The last option would take the flexibility by choosing a name. In some cases also after the update the radius settings has to be chance too.

Option two is also okay - but create a lot of radius-servers with same entrys but different identifiers.

Actions #2

Updated by WiFi SYS almost 6 years ago

We also need to get a unique NASID. Please fix this bug. Any solution will suit.

Actions #3

Updated by A FL almost 6 years ago

The reason this field was removed was to standardize how RADIUS authentication was done in each pfSense module. OpenVPN and IPsec (other modules that use the User Manager as Auth servers) are using non-configurable string as NAS-Identifier.

CaptivePortal zones can be distinguished from each other on 2.4.4 using NAS-Port RADIUS attribute. NAS-Port will be equal to 2000 on the first zone, then 2002, 2004, 2006, etc...

That said, I understand the need for a per-zone NAS-Identifier. I made a pull request for the last suggested solution (because that's the easiest, but also the one that makes more sense in my humble opinion).

Please keep in mind that I am just a contributor and I'll let Netgate be the judge on which solution is the best.

Actions #4

Updated by Hostmaster BI almost 6 years ago

It would be better for all installations to set the field for the nas-identifier back to the previous version. Otherwise all cp and radius-configs have to be changed.

Actions #5

Updated by Renato Botelho almost 6 years ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho

PR merged

Actions #6

Updated by Jim Pingle almost 6 years ago

  • Status changed from Feedback to New
  • Assignee changed from Renato Botelho to Jim Pingle

I'm OK with the PR as a new default but I still think we should allow the user to override the NAS ID as was possible previously, so this needs more work yet.

Actions #7

Updated by Jim Pingle almost 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #8

Updated by A FL over 5 years ago

I can confirm a positive feedback for the applied changes, but i don't know if we should replicate these changes to other services using NAS-Identifier or not.

NAS-Identifier is currently fixed to "xauthIPsec" for IPSec and "openVPN" for openVPN module. Should we change these two strings to xauthIPsec-{$vpn_name} and openVPN-{$vpn_name} for normalization purposes ?

Actions #9

Updated by Renato Botelho over 5 years ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF