Advanced Captive Portal
pfSense 2.3/2.4
June 2017 Hangout
Jim Pingle
About this Hangout
● Project News
● Brief Captive Portal Review
● Pass-Through Credits
● Pass-Through MAC Auto Entry
● Pre-Auth Redirect
● Advanced Voucher Topics
● FreeRADIUS Package Basics
● RADIUS Time Limits
● RADIUS Data Limits
● RADIUS Primary and Secondary Sources
● RADIUS MAC Authentication
● RADIUS Reply Attributes
Project News
● OpenVPN update, patch ASAP
– https://www.netgate.com/blog/important-update-for-openvpn.html
● 2.3.4-p1-RELEASE Coming Soon
– Security/Errata fixes (XSS, Stack Clash, OpenVPN update)
– Will be released once FreeBSD completes fixes for Stack Clash and they are merged and tested
● Netgate Global Support
– New support structure, moving away from incidents to a per-device support model
– 24x7, several SLA and contact method options
– https://www.netgate.com/blog/announcing-netgate-global-support.html
● pfSense Brand Refresh
– New logos for both pfSense and Netgate to more closely align the two
– https://www.netgate.com/blog/pfsense-brand-refresh.html
● pfSense article in FreeBSD Journal
● BSDCan was earlier this month
● Minnowboard Turbot Dual-E models shipping now, on Amazon and Netgate store pages
● New book featuring pfSense: Building Virtual Machine Labs: A Hands-On Guide, by Tony V Robinson
– Available also as an add-on item when ordering certain hardware models from the Netgate store
Captive Portal Review
● Captive Portal prevents user traffic from exiting the local network until the user authenticates using the portal login page
● The portal captures HTTP/HTTPS requests and redirects unauthenticated users to the Captive Portal login page
● Captive Portals are often used to present users with a ToS or User Agreement, etc
● Operates primarily at Layer 2, checks the user’s MAC address and/or IP address
● Zones define different portals, and each zone can have one or more interfaces
● Bypass lists for sources/destinations based on MAC or IP address to skip auth
● Can use local auth, RADIUS, vouchers, or no auth at all
● Once a user is authenticated, their traffic flows based on regular firewall rules, as if the portal were not there
● See last month’s hangout for details, prerequisites, basic setup, etc.
Pass-Through Credits
● Pass-Through Credits allow a user to “login” to the portal a number of times without prompting for a password.
● Combined with hard timeouts, this can effectively allow configurations such as “3 hours of access, then require a login”
● Pass-Through Credits Per MAC Address:
– The number of times the MAC can pass through the portal login process per “waiting period” without redirecting to the portal login page
● Waiting period to restore pass-through credits:
– A time, specified in hours, after which pass-through credits reset
– Example: “24” would be per day
– Starts counting after the first pass-through
– Must be a non-zero number if pass-through credits are enabled
● Reset waiting period
– When enabled, attempting to access the portal again resets the user’s waiting period start time, making them wait longer for access
– Useful to curtail abusers
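The credit, waiting-period and reset rules on this slide, written out as a small model so the interaction between them can be tried on a timeline. This is an added example, not pfSense code; the class names and the epoch-seconds clock are assumptions made for the example.

```python
# Added example: a model of the pass-through credit rules described on this slide.
# It is not pfSense code; the class and field names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, Optional

HOUR = 3600  # the waiting period is configured in hours


@dataclass
class PassThroughPolicy:
    credits_per_mac: int                 # "Pass-Through Credits Per MAC Address"
    waiting_period_hours: int            # "Waiting period to restore pass-through credits"
    reset_waiting_period: bool = False   # "Reset waiting period" option

    def __post_init__(self) -> None:
        # GUI rule: a non-zero waiting period is required once credits are enabled
        if self.credits_per_mac > 0 and self.waiting_period_hours <= 0:
            raise ValueError("waiting period must be non-zero when credits are enabled")


@dataclass
class MacState:
    used: int = 0                          # credits consumed in the current waiting period
    period_start: Optional[float] = None   # epoch seconds of the first pass-through


@dataclass
class PassThroughTracker:
    policy: PassThroughPolicy
    state: Dict[str, MacState] = field(default_factory=dict)

    def request(self, mac: str, now: float) -> str:
        """Decide one portal hit: 'pass' (no password prompt) or 'login' (portal page)."""
        if self.policy.credits_per_mac <= 0:
            return "login"
        st = self.state.setdefault(mac.lower(), MacState())
        period = self.policy.waiting_period_hours * HOUR
        # Waiting period elapsed since the first pass-through: credits are restored
        if st.period_start is not None and now - st.period_start >= period:
            st.used, st.period_start = 0, None
        if st.used < self.policy.credits_per_mac:
            if st.period_start is None:
                st.period_start = now   # the clock starts at the first pass-through
            st.used += 1
            return "pass"
        # Credits exhausted: with "Reset waiting period" every retry pushes the restore out
        if self.policy.reset_waiting_period:
            st.period_start = now
        return "login"
```

With three credits and a 24-hour waiting period, a device passes three times and then sees the login page; without the reset option the credits return 24 hours after the first pass-through, with it the 24 hours are counted from the last rejected attempt, so a device that keeps retrying never gets its credits back.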
Pass-Through MAC Auto Entry
● Useful for user self-registration style setups
– Allows the portal admin to force a login just once, without requiring a login each and every time
– Useful for networks that do not change often, but still require authenticating each device
– Another potential use case is WISP networks where knowing which user has a MAC is important, but repeated logins would be undesirable
● Cannot be combined with RADIUS MAC Authentication
● Will not show a logout pop-up or page
● To remove a user, manually remove them from the MAC tab, or set up a script to POST the proper parameters
● “… with username” option
– The username is stored along with the MAC address in the pass-through entry
Pre-Auth Redirect
● Forces users to a page outside the firewall before the portal login screen
● Flow is:
– User attempts to load page, user is redirected to the portal page
– Portal page sees that the user is trying to reach some other site, sends them to the pre-auth URL instead
– User clicks link on pre-auth page
– Portal page sees the link it expects coming from the pre-auth page
– User receives the portal login page
– User logs in, and is redirected back to the pre-auth URL
● Outside page links back to portal URL
● If the site is remote, you must add it and any assets it needs as a bypass (host or IP address)
● Requires a special block of PHP at the start of the login page
– In the book, also will be in the example page posted with this hangout
● Upload custom page, set URL to landing page in Pre-Auth Redirect box
● In the supplied example, the landing page must also include itself as the final redirect URL so users return to that same landing page after login
– The code could be adjusted for other cases
Advanced Vouchers - Bits
● Voucher bits must add up to less than the key size, which by default is 64
– Default values add up to only 31
– Default is:
● 16 roll bits (2^16-1 or 65535 rolls)
● 10 ticket bits (2^10-1 or 1023 tickets per roll)
– When adjusting numbers, reduce one to increase another
– More tickets in a roll:
● Decrease roll bits, increase ticket bits
– More rolls with fewer tickets:
● Decrease ticket bits, increase roll bits
Advanced Vouchers – Code Sizes
● Simpler voucher codes
– Change character set to only include a limited set of characters (e.g. uppercase letters)
– This will make codes longer, as it needs more bits of entropy
● Shorter voucher codes
– Either a more complex character set… OR
– Generate a shorter key and adjust bits to fit new size
● Shorter key means less randomness, which means vouchers could be more predictable/crackable, less secure!
● openssl genrsa 31 > /tmp/private.key
● openssl rsa -pubout -outform PEM < /tmp/private.key > /tmp/public.key
● Edit/open/download /tmp/private.key and /tmp/public.key and copy to appropriate fields in the GUI
● Reduce roll/ticket/checksum bits to fit under the new size
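The bit budget from the previous slide and the code-length tradeoff from this one, as an added worked example. It is a model, not pfSense's voucher implementation: the layout class, the 5 checksum bits (pfSense's default, which the slides do not list), the sample alphabets and the ceil(bits / log2(alphabet size)) estimate of code length are all assumptions made here.

```python
# Added example: a model of the voucher bit budget and the code-length tradeoff.
# Not pfSense's voucher code; the checksum default and the alphabets are assumptions.
import math
from dataclasses import dataclass, replace

# Constructed 55-symbol alphabet that omits several look-alike characters
MIXED_CHARSET = "2345678abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ"
UPPER_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # the "uppercase letters only" case


@dataclass(frozen=True)
class VoucherLayout:
    key_bits: int = 64        # RSA key size the vouchers are signed with (default 64)
    roll_bits: int = 16       # default 16
    ticket_bits: int = 10     # default 10
    checksum_bits: int = 5    # assumed pfSense default

    @property
    def used_bits(self) -> int:
        return self.roll_bits + self.ticket_bits + self.checksum_bits

    def validate(self) -> "VoucherLayout":
        """Enforce the slide's rule: every field positive, total strictly below the key size."""
        for name in ("roll_bits", "ticket_bits", "checksum_bits"):
            if getattr(self, name) <= 0:
                raise ValueError(f"{name} must be positive")
        if self.used_bits >= self.key_bits:
            raise ValueError(f"{self.used_bits} bits used; must be less than key size {self.key_bits}")
        return self

    @property
    def max_rolls(self) -> int:
        return 2 ** self.roll_bits - 1

    @property
    def max_tickets_per_roll(self) -> int:
        return 2 ** self.ticket_bits - 1

    def more_tickets(self, bits: int) -> "VoucherLayout":
        """Move 'bits' from rolls to tickets (negative moves them back); the total is unchanged."""
        return replace(self, roll_bits=self.roll_bits - bits,
                       ticket_bits=self.ticket_bits + bits).validate()


def code_length(key_bits: int, charset: str) -> int:
    """Characters needed to carry key_bits bits of signed voucher: ceil(bits / log2(|alphabet|))."""
    if len(set(charset)) != len(charset):
        raise ValueError("alphabet has repeated characters")
    return math.ceil(key_bits / math.log2(len(charset)))
```

With the defaults the budget is 31 of 64 bits (65535 rolls of 1023 tickets); moving four bits from rolls to tickets gives 4095 rolls of 16383 tickets. A 64-bit key needs 14 uppercase-only characters but 12 from the mixed alphabet, and a 31-bit key drops the uppercase code to 7 characters, which is exactly the shorter and more guessable code the slide warns about; the default 31-bit allocation also no longer fits under a 31-bit key, so the bits have to be reduced as the last step says.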
RADIUS Basics
● Next sections are specific to RADIUS and require a RADIUS server
● RADIUS is a system that provides Authentication, Authorization, and Accounting (AAA)
● FreeRADIUS package on pfSense can fill this role for most installations, but more complicated setups would benefit from a dedicated external RADIUS server that ties into other systems (accounts, billing, payment cards, 2FA, etc)
● Active Directory can also be accessed via RADIUS using NPS
FreeRADIUS Package
● Examples in later slides will be shown specifically using the pfSense FreeRADIUS 3.x package, for simplicity
● The same features are usable in other RADIUS servers, but YMMV
● Install the FreeRADIUS 3.x package from System > Package Manager
● Visit Services > FreeRADIUS, EAP tab, pick SSL CA and Server Cert. Make one first if you don’t have one, or leave it on “auto”
● Interfaces Tab: Add two instances, one for Authentication on 1812, one for Accounting on 1813
● NAS/Clients Tab: Add at least one entry for localhost (127.0.0.1), set shortname (usually firewall hostname), shared secret, others can be left blank/default
● Users: Salt to taste (wait until covered on later slides)
● Add entry under System > User Manager and test from Diagnostics > Authentication
Captive Portal RADIUS Auth
● Set Authentication to RADIUS Authentication
● Set RADIUS Protocol to MSCHAPv2
● Set Primary RADIUS Server…
– IP Address: 127.0.0.1 (or other RADIUS server)
– RADIUS Port: 1812
– Shared Secret: Password set for this NAS entry in RADIUS
● Accounting…
– Check enable
– Accounting Port: 1813
– Accounting Updates: Stop/Start (FreeRADIUS)
● RADIUS Options: Will vary depending on what features are required, see later slides
RADIUS Time Limits
● In addition to settings mentioned previously…
● Check Captive Portal RADIUS Option for Reauthenticate connected users every minute
● Services > FreeRADIUS, Settings tab, check Disable Acct_Unique
● FreeRADIUS User entries are limited based on a set amount of time within a period using the Time Configuration section
● Set Amount of Time to a number, in minutes, of the duration the user is allowed to be logged in
● Set the Time Period after which the user’s Amount of Time resets
– Daily resets at midnight every day
– Weekly resets at midnight on Sunday
– Monthly resets at midnight the first day of each month
– Forever never resets until the database files are removed/reset manually
RADIUS Data Limits
● Basic setup the same as Time Limits on last slide (Disable Acct_Unique in FreeRADIUS, set to Reauth every minute, etc)
● In FreeRADIUS Users, set values in the Traffic and Bandwidth section
● Set the Amount of Download and Upload Traffic, in Megabytes, to control how much a user can transfer, total upload and download, within the allotted Time Period
● Set the Time Period to when the counters should reset (see previous slide)
● It does only check once per minute, so depending on circuit speed they could exceed the limit significantly in under a minute
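The time-limit and data-limit behaviour of the last two slides, as one added model covering both: the per-minute reauthentication is represented as an interim accounting update, the Daily/Weekly/Monthly/Forever periods reset at the times the slides give, and the last function puts a number on the once-per-minute caveat. This is an added example, not FreeRADIUS or pfSense code; the class names, the user table and the sample timestamps are constructed for it.

```python
# Added example: a model of per-minute accounting enforcing RADIUS time and data limits.
# Not FreeRADIUS or pfSense code; the names and sample data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict


def period_key(period: str, when: datetime) -> str:
    """Label the reset window containing 'when'; the label changes at the documented reset time."""
    d = when.date()
    if period == "daily":                                  # midnight every day
        return d.isoformat()
    if period == "weekly":                                 # midnight on Sunday
        days_since_sunday = (d.weekday() + 1) % 7          # weekday(): Monday=0 ... Sunday=6
        return (d - timedelta(days=days_since_sunday)).isoformat()
    if period == "monthly":                                # midnight on the 1st
        return f"{d.year:04d}-{d.month:02d}"
    if period == "forever":                                # only a manual database reset clears it
        return "forever"
    raise ValueError(f"unknown period {period!r}")


@dataclass
class UserLimits:
    time_minutes: int     # "Amount of Time"
    traffic_mb: int       # download + upload allowance, in megabytes
    period: str           # daily / weekly / monthly / forever


@dataclass
class Counters:
    key: str = ""
    minutes: float = 0.0
    megabytes: float = 0.0


@dataclass
class LimitEnforcer:
    limits: Dict[str, UserLimits]
    counters: Dict[str, Counters] = field(default_factory=dict)

    def account(self, user: str, when: datetime, minutes: float,
                down_mb: float, up_mb: float) -> bool:
        """Apply one interim accounting update; True means the session may continue."""
        lim = self.limits[user]
        c = self.counters.setdefault(user, Counters())
        key = period_key(lim.period, when)
        if c.key != key:                                   # crossed into a new period: reset
            c.key, c.minutes, c.megabytes = key, 0.0, 0.0
        c.minutes += minutes
        c.megabytes += down_mb + up_mb
        return c.minutes <= lim.time_minutes and c.megabytes <= lim.traffic_mb


def max_overshoot_mb(link_mbps: float, check_interval_s: float = 60.0) -> float:
    """Megabytes that can pass between two checks: megabits/s * seconds / 8 bits per byte."""
    return link_mbps * check_interval_s / 8
```

On a 100 Mbit/s circuit a user can move 750 MB between two one-minute checks, so a small data allowance is only enforced to within that margin; the time limit has the same one-minute granularity.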
RADIUS Pri & Sec Sources
● Not a backup! This is a second, separate, source for authentication
● Two authentication sources, needs two different login fields on the page
● Primary source uses auth_user / auth_pass fields
● Secondary source uses auth_user2 / auth_pass2 fields
● Can be used for different sources, such as Primary = AD, Secondary = External card number+pin provider
RADIUS MAC Authentication
● Automatically sends the MAC address of a client to RADIUS with a standard password to check if it’s OK before presenting a login page
● If it fails, the user is given the normal portal login screen
● Allows for centralized MAC-based authentication without needing to populate the MACs for pass-through on pfSense
● In FreeRADIUS, disable Plain MAC Auth on the Settings tab.
● In FreeRADIUS, add entries to Users tab, using the dash-separator notation (xx-xx-xx-xx-xx-xx) and the common password set in Captive Portal
● In Captive Portal settings, enable RADIUS MAC Authentication
● Enter the common MAC authentication secret which must be the same for all MAC entries for this portal
● Set the MAC Address Format to IETF
● NOTE: Do not use the MACs tab in FreeRADIUS or the Plain MAC Auth option, those are for older 802.1x equipment which cannot send usernames or passwords, only MAC address as Calling-Station-Id
RADIUS Reply Attributes
● Several user control options can be sent back as RADIUS Reply Attributes
● Per-user session length value
– “Session-Timeout” Reply Attribute
– Must be checked on Captive Portal settings
– Set Session Timeout field on FreeRADIUS User entry
● Per-user idle timeout value
– “Idle-Timeout” Reply Attribute
● Per-user data limits can be set, crafts automatic limiters
– In FreeRADIUS user entries, “Maximum Bandwidth” down/up fields
– WISPr-Bandwidth-Max-Up/WISPr-Bandwidth-Max-Down, or ChilliSpot-Bandwidth-Max-Up/ChilliSpot-Bandwidth-Max-Down
● Per-user redirection URL:
– “WISPr-Redirection-URL” Reply Attribute
– Set manually in the REPLY-ITEM box on a FreeRADIUS user
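The exchange behind the RADIUS MAC Authentication slide and the Session-Timeout/Idle-Timeout reply attributes on this slide, as one added worked example serving both: the portal side builds an Access-Request carrying the dash-form MAC as User-Name and Calling-Station-Id, a minimal RADIUS server checks it against a user table keyed by that MAC with the common secret, and the portal verifies the Response Authenticator before trusting the timeouts it gets back. This is not pfSense or FreeRADIUS code; the use of RFC 2865 PAP password hiding for the common secret is an assumption about the request format, and every name, secret, MAC address and timeout value is constructed for the example.

```python
# Added example: a RADIUS Access-Request / Access-Accept exchange for Captive Portal MAC
# authentication with Session-Timeout and Idle-Timeout reply attributes. Not pfSense or
# FreeRADIUS code; PAP hiding of the common secret and all sample values are assumptions.
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute numbers
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
SESSION_TIMEOUT, IDLE_TIMEOUT = 27, 28


def ietf_mac(mac: str) -> str:
    """Normalise any MAC spelling to the dash form (xx-xx-xx-xx-xx-xx) used in the user entries."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def mac_auth_request(mac: str, mac_secret: bytes, shared_secret: bytes, ident: int = 1) -> bytes:
    """Portal side: the MAC as User-Name and Calling-Station-Id, the common secret hidden."""
    auth = os.urandom(16)                                  # Request Authenticator
    name = ietf_mac(mac).encode()
    body = encode_attrs([(USER_NAME, name),
                         (USER_PASSWORD, pap_hide(mac_secret, shared_secret, auth)),
                         (CALLING_STATION_ID, name)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def radius_server(packet: bytes, shared_secret: bytes,
                  users: Dict[str, Tuple[bytes, int, int]]) -> bytes:
    """Minimal server: users maps dash-form MAC -> (password, session_timeout, idle_timeout)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = pap_unhide(attrs.get(USER_PASSWORD, b""), shared_secret, req_auth)
    entry = users.get(name)
    if entry is not None and hmac.compare_digest(entry[0], password):
        code = ACCESS_ACCEPT
        body = encode_attrs([(SESSION_TIMEOUT, struct.pack("!I", entry[1])),
                             (IDLE_TIMEOUT, struct.pack("!I", entry[2]))])
    else:
        code, body = ACCESS_REJECT, b""                    # portal falls back to the login page
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + shared_secret).digest() + body


def portal_handle_reply(request: bytes, reply: bytes, shared_secret: bytes) -> Tuple[bool, Dict[int, int]]:
    """Verify the reply answers our request and came from our server, then read the timeouts."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    body = reply[20:length]
    expected = hashlib.md5(reply[:4] + request[4:20] + body + shared_secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("reply authenticator mismatch: not a valid reply to our request")
    timeouts = {t: struct.unpack("!I", v)[0] for t, v in decode_attrs(body)
                if t in (SESSION_TIMEOUT, IDLE_TIMEOUT)}
    return code == ACCESS_ACCEPT, timeouts
```

The Response Authenticator is the only thing binding an Access-Accept to the request and to the shared secret: a portal that skipped that check would accept a spoofed UDP reply carrying whatever Session-Timeout the sender chose, which is why the check runs before any reply attribute is read, and why the NAS shared secret should be long and random rather than a short password.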
Conclusion
● Questions?
● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc
