Project

General

Profile

Actions

Bug #8998

closed

All Captive Portal zones send only "CaptivePortal" as NAS Identifier

Added by Jim Pingle about 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Captive Portal
Target version:
Start date:
10/03/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.4
Affected Architecture:

Description

Before 2.4.4, each Captive Portal zone had a configurable NAS Identifier. With multiple zones, each instance could use a unique identifier for the RADIUS server to distinguish between them.
On 2.4.4, every zone sends only "CaptivePortal" as the NAS Identifier with no way to customize the value.

A few possible solutions here:

  • Bring back the custom NAS Identifier field on Captive Portal settings -- Same as before
  • Add a field to the RADIUS server options for NAS Identifier (user could add one server profile per zone to achieve the same effect)
  • Automatically add the zone name to the current code so that each zone sends CaptivePortal-<zone name> instead of only CaptivePortal

The last option is the easiest, but the first option would be the path of least resistance for upgrade users.

Actions #1

Updated by Hostmaster BI about 6 years ago

Another weight for the first Option: If i Restore a Backup from an old Version (also in case of update) the field is automaticly filled with the right identifier.

The last option would take the flexibility by choosing a name. In some cases also after the update the radius settings has to be chance too.

Option two is also okay - but create a lot of radius-servers with same entrys but different identifiers.

Actions #2

Updated by WiFi SYS about 6 years ago

We also need to get a unique NASID. Please fix this bug. Any solution will suit.

Actions #3

Updated by A FL about 6 years ago

The reason this field was removed was to standardize how RADIUS authentication was done in each pfSense module. OpenVPN and IPsec (other modules that use the User Manager as Auth servers) are using non-configurable string as NAS-Identifier.

CaptivePortal zones can be distinguished from each other on 2.4.4 using NAS-Port RADIUS attribute. NAS-Port will be equal to 2000 on the first zone, then 2002, 2004, 2006, etc...

That said, I understand the need for a per-zone NAS-Identifier. I made a pull request for the last suggested solution (because that's the easiest, but also the one that makes more sense in my humble opinion).
https://github.com/pfsense/pfsense/pull/3997

Please keep in mind that I am just a contributor and I'll let Netgate be the judge on which solution is the best.

Actions #4

Updated by Hostmaster BI about 6 years ago

It would be better for all installations to set the field for the nas-identifier back to the previous version. Otherwise all cp and radius-configs have to be changed.

Actions #5

Updated by Renato Botelho about 6 years ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho

PR merged

Actions #6

Updated by Jim Pingle about 6 years ago

  • Status changed from Feedback to New
  • Assignee changed from Renato Botelho to Jim Pingle

I'm OK with the PR as a new default but I still think we should allow the user to override the NAS ID as was possible previously, so this needs more work yet.

Actions #7

Updated by Jim Pingle about 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #8

Updated by A FL about 6 years ago

I can confirm a positive feedback for the applied changes, but i don't know if we should replicate these changes to other services using NAS-Identifier or not.

NAS-Identifier is currently fixed to "xauthIPsec" for IPSec and "openVPN" for openVPN module. Should we change these two strings to xauthIPsec-{$vpn_name} and openVPN-{$vpn_name} for normalization purposes ?

Actions #9

Updated by Renato Botelho about 6 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF