Bug #8998
closed
All Captive Portal zones send only "CaptivePortal" as NAS Identifier
100%
Description
Before 2.4.4, each Captive Portal zone had a configurable NAS Identifier. With multiple zones, each instance could use a unique identifier for the RADIUS server to distinguish between them.
On 2.4.4, every zone sends only "CaptivePortal" as the NAS Identifier with no way to customize the value.
A few possible solutions here:
- Bring back the custom NAS Identifier field on Captive Portal settings -- Same as before
- Add a field to the RADIUS server options for NAS Identifier (user could add one server profile per zone to achieve the same effect)
- Automatically add the zone name to the current code so that each zone sends
CaptivePortal-<zone name>instead of onlyCaptivePortal
The last option is the easiest, but the first option would be the path of least resistance for upgrade users.
Updated by Hostmaster BI over 5 years ago
Another weight for the first Option: If i Restore a Backup from an old Version (also in case of update) the field is automaticly filled with the right identifier.
The last option would take the flexibility by choosing a name. In some cases also after the update the radius settings has to be chance too.
Option two is also okay - but create a lot of radius-servers with same entrys but different identifiers.
Updated by WiFi SYS over 5 years ago
We also need to get a unique NASID. Please fix this bug. Any solution will suit.
Updated by A FL over 5 years ago
The reason this field was removed was to standardize how RADIUS authentication was done in each pfSense module. OpenVPN and IPsec (other modules that use the User Manager as Auth servers) are using non-configurable string as NAS-Identifier.
CaptivePortal zones can be distinguished from each other on 2.4.4 using NAS-Port RADIUS attribute. NAS-Port will be equal to 2000 on the first zone, then 2002, 2004, 2006, etc...
That said, I understand the need for a per-zone NAS-Identifier. I made a pull request for the last suggested solution (because that's the easiest, but also the one that makes more sense in my humble opinion).
https://github.com/pfsense/pfsense/pull/3997
Please keep in mind that I am just a contributor and I'll let Netgate be the judge on which solution is the best.
Updated by Hostmaster BI over 5 years ago
It would be better for all installations to set the field for the nas-identifier back to the previous version. Otherwise all cp and radius-configs have to be changed.
Updated by Renato Botelho over 5 years ago
- Status changed from New to Feedback
- Assignee set to Renato Botelho
PR merged
Updated by Jim Pingle over 5 years ago
- Status changed from Feedback to New
- Assignee changed from Renato Botelho to Jim Pingle
I'm OK with the PR as a new default but I still think we should allow the user to override the NAS ID as was possible previously, so this needs more work yet.
Updated by Jim Pingle over 5 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset b1cc8f3143f7253bb3acdcdf8c18f9effaf3bce5.
Updated by A FL over 5 years ago
I can confirm a positive feedback for the applied changes, but i don't know if we should replicate these changes to other services using NAS-Identifier or not.
NAS-Identifier is currently fixed to "xauthIPsec" for IPSec and "openVPN" for openVPN module. Should we change these two strings to xauthIPsec-{$vpn_name} and openVPN-{$vpn_name} for normalization purposes ?
Updated by Renato Botelho over 5 years ago
- Status changed from Feedback to Resolved