Bug #8998
closed
All Captive Portal zones send only "CaptivePortal" as NAS Identifier
Added by Jim Pingle about 6 years ago.
Updated about 6 years ago.
Description
Before 2.4.4, each Captive Portal zone had a configurable NAS Identifier. With multiple zones, each instance could use a unique identifier for the RADIUS server to distinguish between them.
On 2.4.4, every zone sends only "CaptivePortal" as the NAS Identifier with no way to customize the value.
A few possible solutions here:
- Bring back the custom NAS Identifier field on Captive Portal settings -- Same as before
- Add a field to the RADIUS server options for NAS Identifier (user could add one server profile per zone to achieve the same effect)
- Automatically add the zone name to the current code so that each zone sends CaptivePortal-<zone name> instead of only CaptivePortal
The last option is the easiest, but the first option would be the path of least resistance for upgrade users.
Another weight for the first option: if I restore a backup from an old version (also in case of update), the field is automatically filled with the right identifier.
The last option would take away the flexibility of choosing a name. In some cases the RADIUS settings also have to be changed after the update.
Option two is also okay, but it creates a lot of RADIUS servers with the same entries but different identifiers.
We also need to get a unique NASID. Please fix this bug. Any solution will suit.
The reason this field was removed was to standardize how RADIUS authentication was done in each pfSense module. OpenVPN and IPsec (other modules that use the User Manager as Auth servers) are using a non-configurable string as NAS-Identifier.
CaptivePortal zones can be distinguished from each other on 2.4.4 using NAS-Port RADIUS attribute. NAS-Port will be equal to 2000 on the first zone, then 2002, 2004, 2006, etc...
That said, I understand the need for a per-zone NAS-Identifier. I made a pull request for the last suggested solution (because that's the easiest, but also the one that makes more sense in my humble opinion).
https://github.com/pfsense/pfsense/pull/3997
Please keep in mind that I am just a contributor and I'll let Netgate be the judge on which solution is the best.
It would be better for all installations to set the field for the nas-identifier back to the previous version. Otherwise all cp and radius-configs have to be changed.
- Status changed from New to Feedback
- Assignee set to Renato Botelho
- Status changed from Feedback to New
- Assignee changed from Renato Botelho to Jim Pingle
I'm OK with the PR as a new default but I still think we should allow the user to override the NAS ID as was possible previously, so this needs more work yet.
- Status changed from New to Feedback
- % Done changed from 0 to 100
I can confirm positive feedback for the applied changes, but I don't know if we should replicate these changes to other services using NAS-Identifier or not.
NAS-Identifier is currently fixed to "xauthIPsec" for IPSec and "openVPN" for openVPN module. Should we change these two strings to xauthIPsec-{$vpn_name} and openVPN-{$vpn_name} for normalization purposes?
- Status changed from Feedback to Resolved
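Added example, not part of the issue thread or of pfSense's code: a RADIUS-side sketch that attributes an Access-Request to a Captive Portal zone, using the CaptivePortal-<zone name> identifier proposed above and falling back to the NAS-Port numbering (2000, 2002, 2004, ...) described for 2.4.4. The zone name "guests", the helper names and the sample packets are constructed for illustration; the attribute layout follows RFC 2865.

```python
import struct

NAS_PORT, NAS_IDENTIFIER = 5, 32   # RFC 2865 attribute types
PREFIX = "CaptivePortal"

def parse_attributes(packet: bytes) -> dict:
    """Return {type: raw value} for a RADIUS packet (20-byte header, then TLVs)."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # keep first occurrence
        pos += alen
    return attrs

def zone_of(packet: bytes):
    """("name", zone) from NAS-Identifier, else ("ordinal", n) from NAS-Port, else None."""
    attrs = parse_attributes(packet)
    ident = attrs.get(NAS_IDENTIFIER, b"").decode("utf-8", "replace")
    if ident.startswith(PREFIX + "-") and len(ident) > len(PREFIX) + 1:
        return ("name", ident[len(PREFIX) + 1:])
    port = attrs.get(NAS_PORT)
    if ident == PREFIX and port is not None and len(port) == 4:
        n = struct.unpack("!I", port)[0]
        if n >= 2000 and n % 2 == 0:
            return ("ordinal", (n - 2000) // 2 + 1)  # 2000 -> 1st zone, 2002 -> 2nd
    return None  # not a Captive Portal request, or not attributable to a zone

def build_request(ident: str, port: int) -> bytes:
    """Constructed sample Access-Request (zeroed authenticator), for the demo only."""
    body = bytes([NAS_IDENTIFIER, 2 + len(ident)]) + ident.encode()
    body += bytes([NAS_PORT, 6]) + struct.pack("!I", port)
    return bytes([1, 0]) + struct.pack("!H", 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(zone_of(build_request("CaptivePortal", 2004)))
    print(zone_of(build_request("CaptivePortal-guests", 2000)))
```

Requests that carry any other NAS-Identifier, such as the fixed strings used by the IPsec and OpenVPN modules, return None so that zone-specific policy is never applied to them by accident.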