Remote Authentication Dial-In User Service (RADIUS) provides a means of centralized authentication, authorization, and accounting for network users. To use RADIUS to authenticate captive portal users, you must have a RADIUS server. It is outside the scope of this book to explain how to configure a RADIUS server in depth, but the excellent GPL-licensed FreeRADIUS is available as a third-party package, and we will cover RADIUS captive portal configuration as one of the examples later in this chapter. Here, we will mention some of the more important RADIUS options on the Captive Portal Configuration page:
- The first option is RADIUS protocol. pfSense supports several protocols for sending and receiving data from the RADIUS server. Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), MS-CHAPv1, and MS-CHAPv2 are all supported.
- You can supply a Primary Authentication Source and Secondary Authentication Source, each of which has a Primary RADIUS Server and Secondary RADIUS Server. You can supply an IP address, port, and shared secret for each. Entering an IP address for each RADIUS server used is required. If the RADIUS port field is left blank, pfSense will use the default RADIUS port. Entering a RADIUS shared secret is not required, but it is recommended.
- The next section is Accounting. Enabling the sending of RADIUS accounting packets to the primary RADIUS server (which you can do by checking the RADIUS checkbox) enables you to set bandwidth and traffic limits with RADIUS. Accounting Port allows you to set the RADIUS accounting port; in most cases, you can use the default of 1813. Finally, Accounting updates controls how often updates are sent to RADIUS. No updates disables updates completely, while Stop/Start and Stop/Start (FreeRADIUS) will log accounting start and stop packets (when the client connects/disconnects). Interim can be used to log other client activity and to set traffic limits that can be tracked during active sessions.
- There are several options in the RADIUS Options section, which will now be considered:
- If the Reauthenticate connected users every minute option is enabled, pfSense will send access-requests to RADIUS for each user every minute. If an access-reject is received for any user on one of these requests, the user is disconnected from the captive portal immediately. There is also an option called RADIUS MAC Authentication. Checking this box will cause RADIUS to try to authenticate captive portal users by sending their MAC address as the username and the MAC authentication secret, specified in the next edit box, as the password.
- The RADIUS NAS IP attribute drop-down box should be set to the pfSense interface facing the network on which the captive portal is enabled. This information is sent from pfSense to the RADIUS server, so the server will know from which network a user is trying to connect.
- The Session Timeout option, when enabled, will cause clients to be disconnected when the time specified in the RADIUS Session-Timeout attribute is reached.
- The Traffic quota option, when enabled, will cause clients to be disconnected when the amount of traffic specified in the pfSense-Max-Total-Octets attribute is reached, including both downloads and uploads.
- The Per-user bandwidth restrictions, when enabled, will cause clients' bandwidth to be limited to the values in the pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down (or comparable WISPr) attributes.
- The Type drop-down box allows you to set the type to either the default or a Cisco type. The default is for the Calling-Station-ID to be set to the client's MAC address and the Called-Station-ID to be set to pfSense's WAN IP address. Changing the type to Cisco will cause these attributes to be set to the client's IP address and the client's MAC address, respectively.
- There are two more options related to accounting. Accounting style, if enabled, causes data counts for RADIUS accounting to be taken from the client's perspective, so that Acct-Input-Octets represent download and Acct-Output-Octets represent upload. Idle time accounting causes time spent idle to be included in the total session time, even if the client is disconnected for exceeding the idle timeout.
- The NAS Identifier field allows you to specify a NAS identifier to override the default value.
- The MAC address drop-down box allows you to change the MAC address format used in the RADIUS system. Default will place a colon every 8 bits; Single dash will place a dash in the middle, dividing the address into two 24-bit fields; IETF places a dash every 8 bits instead of a colon; Cisco places a period (dot) every 16 bits (3 16-bit fields); Unformatted results in a single, 48-bit address in hexadecimal format with no separators.
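As an added example (not code from the book or from pfSense itself), the following Python renders a MAC address in each of the five formats described above and builds the Calling-Station-ID / Called-Station-ID pair for the default and Cisco types, which is useful when checking that the username pfSense sends for RADIUS MAC authentication matches the entries in your RADIUS user database. The lowercase hex output and the style names are this example's own choices, not pfSense's; sample addresses are constructed.

```python
import re

# Style names mirror the MAC address drop-down options described above
# (names are this example's own, not pfSense configuration values).
MAC_FORMATS = ("default", "singledash", "ietf", "cisco", "unformatted")


def normalize_mac(mac: str) -> str:
    """Strip separators and return 12 lowercase hex digits, or raise."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits


def format_mac(mac: str, style: str = "default") -> str:
    """Render a MAC in one of the RADIUS MAC address styles."""
    h = normalize_mac(mac)
    if style == "default":      # colon every 8 bits: 00:11:22:33:44:55
        return ":".join(h[i:i + 2] for i in range(0, 12, 2))
    if style == "singledash":   # one dash between two 24-bit halves: 001122-334455
        return f"{h[:6]}-{h[6:]}"
    if style == "ietf":         # dash every 8 bits: 00-11-22-33-44-55
        return "-".join(h[i:i + 2] for i in range(0, 12, 2))
    if style == "cisco":        # dot every 16 bits: 0011.2233.4455
        return ".".join(h[i:i + 4] for i in range(0, 12, 4))
    if style == "unformatted":  # bare 48 bits as hex: 001122334455
        return h
    raise ValueError(f"unknown MAC format {style!r}")


def station_ids(client_mac: str, client_ip: str, wan_ip: str,
                radius_type: str = "default", mac_style: str = "default") -> dict:
    """Calling/Called-Station-ID as set by the Type option.

    default: Calling = client MAC, Called = pfSense WAN IP.
    cisco:   Calling = client IP,  Called = client MAC.
    """
    mac = format_mac(client_mac, mac_style)
    if radius_type == "default":
        return {"Calling-Station-ID": mac, "Called-Station-ID": wan_ip}
    if radius_type == "cisco":
        return {"Calling-Station-ID": client_ip, "Called-Station-ID": mac}
    raise ValueError(f"unknown RADIUS type {radius_type!r}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    sample = "00:11:22:33:44:55"
    for s in MAC_FORMATS:
        print(f"{s:12} {format_mac(sample, s)}")
    print(station_ids(sample, "192.0.2.10", "198.51.100.1", "cisco"))
```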