Bug #9131

Captive Portal Radius Accounting "unauthenticated"

Added by Federico Fiordoliva over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Very High
Category: Captive Portal
Target version:
Start date: 11/17/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.4.4
Affected Architecture: amd64

Description

Hi,
When setting up RADIUS MAC auth, pfSense sends the value "unauthenticated" as User-Name in the Accounting request to the external FreeRADIUS. The authentication process works great.
These are my logs.

FREERADIUS LOGS
----------------------
Received Access-Request Id 212 from xx.xx.xx.xx:44647 to xx.xx.xx.xx:1812 length 168
Service-Type = Login-User
User-Name = "e8:e0:b7:09:46:68"
User-Password = "XXXXXXX"
NAS-IP-Address = 192.168.180.253
NAS-Identifier = "CaptivePortal"
Calling-Station-Id = "e8:e0:b7:09:46:68"
Called-Station-Id = "00:0d:b9:4c:c8:a8:pfsense.xxx.it"
NAS-Port-Type = Ethernet
NAS-Port = 2000
Framed-IP-Address = 172.16.103.50
session-state: No State attribute
----------------------
sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'e8:e0:b7:09:46:68' ORDER BY id
sql: User found in radcheck table
sql: Conditional check items matched, merging assignment check items
sql: Auth-Type := Accept
----------------------
Sent Access-Accept Id 212 from xx.xx.xx.xx:1812 to xx.xx.xx.xx:44647 length 0
----------------------
Received Accounting-Request Id 138 from xx.xx.xx.xx:36559 to xx.xx.xx.xx:1813 length 178
Service-Type = Login-User
User-Name = "unauthenticated"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
NAS-IP-Address = 192.168.180.253
NAS-Identifier = "CaptivePortal"
NAS-Port-Type = Ethernet
NAS-Port = 2000
Acct-Session-Id = "3a382fbe5849ad00"
Framed-IP-Address = 172.16.103.50
Calling-Station-Id = "e8:e0:b7:09:46:68"
Called-Station-Id = "00:0d:b9:4c:c8:a8:pfsense.xxx.it"
-------------------------
Debug: literal --> ', (SELECT groupname FROM radusergroup WHERE username='
Debug: attribute --> SQL-User-Name
-------------------------
My comment:
SQL-User-Name will never be my mac-user.....
-------------------------
sql: rlm_sql_mysql: ERROR 1048 (Column 'groupname' cannot be null): 23000
sql: SQL query returned: query invalid
} # accounting = invalid
Not sending reply to client.
Finished request
-------------------------

PFSENSE LOGS
-------------------------
Nov 17 10:05:09 logportalauth 65937 Zone: test - MACHINE LOGIN: unauthenticated, e8:e0:b7:09:46:68, 172.16.103.50
Nov 17 10:05:24 logportalauth 65937 Zone: test - RADIUS ACCOUNTING FAILED : No valid RADIUS responses received
-------------------------

Thanks
Federico

captive-test.png (25.3 KB) captive-test.png authentication as user unauthenticated Federico Fiordoliva, 11/17/2018 03:16 AM

Associated revisions

Revision f790565a (diff)
Added by A FL over 2 years ago

Send MAC address as username if radmac is used for connecting an user
Ticket #9131

Revision 617f0a4c (diff)
Added by A FL over 2 years ago

Send MAC address as username if radmac is used for connecting an user
Ticket #9131

(cherry picked from commit f790565a7514662b1fe97fc7c79b56838597965c)

History

#1 Updated by A FL over 2 years ago

Hello,

Thank you for reporting this issue!

I just submitted a pull request fixing it ( https://github.com/pfsense/pfsense/pull/4015 ). Not sure when it will be merged, though.

If you really need this feature now, you could use the patch package and install this pull request as a patch (see https://www.netgate.com/docs/pfsense/development/system-patches.html for details).

Alternatively, you could also update your FreeRadius config. MAC addresses of connected users are still transmitted in Accounting Requests using the Calling-Station-Id attribute, so you could update the SQL request done by the RADIUS config accordingly. I mean, in mods-config/sql/main/mysql/queries.conf you should have a query looking like:

SELECT groupname FROM radusergroup WHERE username ='%{SQL-User-Name}' ORDER BY priority

You could replace %{SQL-User-Name} with %{Calling-Station-ID}.
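
An added example, not part of the original ticket or of the pfSense or FreeRADIUS code: a check that parses FreeRADIUS debug output of the kind quoted in this ticket and flags Accounting-Requests whose User-Name differs from the one sent in the Access-Request for the same Calling-Station-Id. The log sample is constructed (documentation IP addresses and a made-up second client), and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the FreeRADIUS debug output quoted in the ticket.
SAMPLE_LOG = """\
Received Access-Request Id 212 from 192.0.2.10:44647 to 192.0.2.20:1812 length 168
User-Name = "e8:e0:b7:09:46:68"
Calling-Station-Id = "e8:e0:b7:09:46:68"
session-state: No State attribute
Received Accounting-Request Id 138 from 192.0.2.10:36559 to 192.0.2.20:1813 length 178
User-Name = "unauthenticated"
Acct-Status-Type = Start
Acct-Session-Id = "3a382fbe5849ad00"
Calling-Station-Id = "e8:e0:b7:09:46:68"
Received Access-Request Id 213 from 192.0.2.10:44648 to 192.0.2.20:1812 length 168
User-Name = "02:00:00:aa:bb:cc"
Calling-Station-Id = "02:00:00:aa:bb:cc"
Received Accounting-Request Id 139 from 192.0.2.10:36560 to 192.0.2.20:1813 length 178
User-Name = "02:00:00:aa:bb:cc"
Acct-Session-Id = "0000000000000001"
Calling-Station-Id = "02:00:00:aa:bb:cc"
"""

HEADER = re.compile(r"^Received (\S+) Id (\d+) ")
ATTR = re.compile(r'^\s*([A-Za-z][\w-]*) = "?(.*?)"?\s*$')

def parse_packets(text):
    """Split debug output into packets: {'code': ..., 'id': ..., <attribute>: <value>}."""
    packets, current = [], None
    for line in text.splitlines():
        header, attr = HEADER.match(line), ATTR.match(line)
        if header:
            current = {"code": header.group(1), "id": int(header.group(2))}
            packets.append(current)
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2)
        else:
            current = None  # any other line (separator, sql:, Debug:) ends the attribute list
    return packets

def misattributed_accounting(packets):
    """Accounting-Requests whose User-Name differs from the Access-Request for that MAC."""
    requested, findings = {}, []
    for p in packets:
        mac = p.get("Calling-Station-Id", "").lower()
        if p["code"] == "Access-Request":
            requested[mac] = p.get("User-Name")
        elif p["code"] == "Accounting-Request" and mac in requested and p.get("User-Name") != requested[mac]:
            findings.append((p.get("Acct-Session-Id"), mac, p.get("User-Name"), requested[mac]))
    return findings
```

Each finding is a tuple of (Acct-Session-Id, Calling-Station-Id, accounting User-Name, Access-Request User-Name), which identifies the sessions whose accounting records cannot be attributed by User-Name alone.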

#2 Updated by Renato Botelho over 2 years ago

  • Assignee set to Renato Botelho
  • Target version set to 2.4.4-p1

PR merged. Thanks!

#3 Updated by Renato Botelho over 2 years ago

  • Status changed from New to Feedback

#4 Updated by Federico Fiordoliva over 2 years ago

Thanks!!
The patch works great.

Federico

#5 Updated by Renato Botelho over 2 years ago

  • Status changed from Feedback to Resolved
