Bug #8998

All Captive Portal zones send only "CaptivePortal" as NAS Identifier

Added by Jim Pingle almost 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Captive Portal
Target version:
Start date: 10/03/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.4
Affected Architecture:

Description

Before 2.4.4, each Captive Portal zone had a configurable NAS Identifier. With multiple zones, each instance could use a unique identifier for the RADIUS server to distinguish between them.
On 2.4.4, every zone sends only "CaptivePortal" as the NAS Identifier with no way to customize the value.

A few possible solutions here:

  • Bring back the custom NAS Identifier field on Captive Portal settings -- Same as before
  • Add a field to the RADIUS server options for NAS Identifier (user could add one server profile per zone to achieve the same effect)
  • Automatically add the zone name to the current code so that each zone sends CaptivePortal-<zone name> instead of only CaptivePortal

The last option is the easiest, but the first option would be the path of least resistance for upgrade users.

Associated revisions

Revision b1cc8f31 (diff)
Added by Jim Pingle over 1 year ago

Restore the RADIUS NAS ID option to Captive Portal. Fixes #8998

Keeps the default of using CaptivePortal-<zonename> when not set,
otherwise uses the value supplied by the user as with older versions.

Revision b1862963 (diff)
Added by Jim Pingle over 1 year ago

Restore the RADIUS NAS ID option to Captive Portal. Fixes #8998

Keeps the default of using CaptivePortal-<zonename> when not set,
otherwise uses the value supplied by the user as with older versions.

(cherry picked from commit b1cc8f3143f7253bb3acdcdf8c18f9effaf3bce5)

History

#1 Updated by Hostmaster BI almost 2 years ago

Another weight for the first option: if I restore a backup from an old version (also in case of update), the field is automatically filled with the right identifier.

The last option would take away the flexibility of choosing a name. In some cases, the RADIUS settings also have to be changed after the update.

Option two is also okay, but it creates a lot of RADIUS servers with the same entries but different identifiers.

#2 Updated by WiFi SYS almost 2 years ago

We also need to get a unique NASID. Please fix this bug. Any solution will suit.

#3 Updated by A FL almost 2 years ago

The reason this field was removed was to standardize how RADIUS authentication was done in each pfSense module. OpenVPN and IPsec (other modules that use the User Manager as Auth servers) use a non-configurable string as NAS-Identifier.

Captive Portal zones can be distinguished from each other on 2.4.4 using the NAS-Port RADIUS attribute. NAS-Port will be equal to 2000 on the first zone, then 2002, 2004, 2006, etc.

That said, I understand the need for a per-zone NAS-Identifier. I made a pull request for the last suggested solution (because that's the easiest, but also the one that makes more sense in my humble opinion).
https://github.com/pfsense/pfsense/pull/3997

Please keep in mind that I am just a contributor and I'll let Netgate be the judge on which solution is the best.

#4 Updated by Hostmaster BI almost 2 years ago

It would be better for all installations to set the field for the nas-identifier back to the previous version. Otherwise all cp and radius-configs have to be changed.

#5 Updated by Renato Botelho over 1 year ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho

PR merged

#6 Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to New
  • Assignee changed from Renato Botelho to Jim Pingle

I'm OK with the PR as a new default but I still think we should allow the user to override the NAS ID as was possible previously, so this needs more work yet.

#7 Updated by Jim Pingle over 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#8 Updated by A FL over 1 year ago

I can confirm positive feedback for the applied changes, but I don't know if we should replicate these changes to other services using NAS-Identifier or not.

NAS-Identifier is currently fixed to "xauthIPsec" for IPsec and "openVPN" for the OpenVPN module. Should we change these two strings to xauthIPsec-{$vpn_name} and openVPN-{$vpn_name} for normalization purposes?

#9 Updated by Renato Botelho over 1 year ago

  • Status changed from Feedback to Resolved
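
As an added illustration (not pfSense or Netgate code), this sketch shows how a RADIUS-side policy script could tell zones apart using the values discussed in this issue: a user-set NAS-Identifier, the default CaptivePortal-<zonename>, and, for 2.4.4 hosts that send only "CaptivePortal", the NAS-Port numbering described in comment #3. The zone names, the `custom_ids` table and the assumption that list order matches NAS-Port order are hypothetical, and the sample packets are constructed.

```python
import struct

NAS_PORT, NAS_IDENTIFIER = 5, 32  # RADIUS attribute types (RFC 2865)
PREFIX = "CaptivePortal-"         # default prefix from the fix for this bug

def build_request(attrs):
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {type: value}; reject packets whose length fields do not add up."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # first occurrence wins
        pos += alen
    return attrs

def resolve_zone(packet, custom_ids, zones_in_order):
    """Map a request to (zone, matched_by); (None, "unknown") means reject.

    custom_ids: {NAS-Identifier: zone} for zones with an admin-set ID.
    zones_in_order: zone names in NAS-Port order (assumed: 2000, 2002, ...).
    """
    attrs = parse_attributes(packet)
    nas_id = attrs.get(NAS_IDENTIFIER, b"").decode("utf-8", "replace")
    if nas_id in custom_ids:
        return custom_ids[nas_id], "custom NAS-Identifier"
    if nas_id.startswith(PREFIX) and nas_id[len(PREFIX):] in zones_in_order:
        return nas_id[len(PREFIX):], "default NAS-Identifier"
    port = attrs.get(NAS_PORT, b"")
    if nas_id == "CaptivePortal" and len(port) == 4:  # 2.4.4 behaviour
        number = struct.unpack("!I", port)[0]
        index, odd = divmod(number - 2000, 2)
        if number >= 2000 and not odd and index < len(zones_in_order):
            return zones_in_order[index], "NAS-Port"
    return None, "unknown"
```

Returning `None` for anything that matches no known zone lets the caller reject the request rather than apply another zone's policy.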
