How to do it...

  1. Navigate to System | Package Manager.
  2. Click on the Available Packages tab.
  3. Scroll down to find the freeradius3 package. Click on the corresponding Install button.
  4. You will be redirected to the Package Installer tab. Confirm the installation by clicking on the Confirm button. A text box will appear that updates you on the installation status; installation should not take more than a couple of minutes.
  5. When the installation is complete, you can begin RADIUS configuration by navigating to Services | FreeRADIUS.
  6. Click on the Interfaces tab. Here, you will set up the ports for Accounting, Authentication, and Status, as shown in the following screenshot:

  7. Click on the Add button and set up the authentication port, keeping the following things in mind:
    • You can keep the Interface IP Address as * (in which case the RADIUS server will listen on all interfaces).
    • Port should be kept at its default value of 1812.
    • Keep Interface Type set to its default value of Authentication.
    • Keep IP Version set to its default value of IPv4, unless your system is using IPv6, in which case you can select IPv6 in the IP Version dropdown box.
    • Enter a brief description in the Description edit box.
    • Click on the Save button when you are done.

  8. Repeat step 7 for the other two ports. Set one port's Interface Type to Accounting with a Port value of 1813. Set another port's Interface Type to Status with a Port value of 1816. If there are other ports you wish to configure, you can repeat this process, but once the Accounting, Authentication, and Status ports are added, we have set up the bare minimum we need for RADIUS to work.
  9. Click on the NAS / Clients tab. We must add the pfSense captive portal as a client.
  10. Click on the Add button. Now we can begin client configuration with the following steps:
    • Enter the pfSense system’s IP address in the Client IP Address edit box. Since we installed the RADIUS server onto the pfSense system, we can enter the loopback address here (127.0.0.1).
    • The Client IP Version can be kept at its default value of IPv4, unless you are using IPv6 on your system, in which case change the value to IPv6.
    • Enter a name in the Client Shortname edit box (such as Captive-portal).
    • In the Client Shared Secret edit box, enter a password that will authenticate the captive portal client. You will need this password later when configuring the captive portal.
    • The remaining fields can remain unchanged for now (note that you can use either UDP or TCP as the client protocol, with UDP being the default protocol). You may enter a brief description in the Description edit box.
    • When you are done, click on the Save button:

  11. Click on the Users tab. Here, we can add one or more captive portal users.
  12. Click on the Add button and configure the following:
    • Add a username/password combination in the Username and Password edit boxes.
    • You can leave Password Encryption set to Cleartext-Password unless you need to have encrypted passwords, in which case you can change this setting to MD5.
    • Click on the Save button when you are done.

  13. Repeat step 12 for as many users as you wish to add.
  14. Navigate to Services | Captive Portal.
  15. Click on the Add button.
  16. Enter a name into the Zone name edit box and a brief description into the Zone description edit box.
  17. When done, click on the Save and Continue button.
  18. When the page loads, it should default to the Configuration tab. Check the Enable Captive Portal checkbox to display other captive portal configuration options.
  19. In the Interfaces list box, select the interface(s) on which the captive portal will be enabled.
  20. Enter reasonable values in the Idle timeout and Hard timeout edit boxes.
  21. Check the Enable logout popup window checkbox so that users can explicitly log out before the idle timeout period expires.
  22. In the After authentication Redirection URL edit box, enter a redirection URL (such as www.google.com).
  23. Scroll down to the Authentication section and set Authentication Method to RADIUS Authentication, as shown in the following screenshot:

  24. You can keep RADIUS Protocol set to PAP, unless you set Password Encryption to MD5 in step 12, in which case you should select CHAP-MD5.
  25. For the Primary RADIUS Server, enter the IP Address (127.0.0.1), RADIUS port (1812), and RADIUS shared secret (whatever you entered as the Client Shared Secret in step 10):

  26. Scroll down to Accounting. You don’t have to set up accounting, but it will potentially make troubleshooting easier if you do. To set up accounting, do the following:
    • Check the Send RADIUS accounting packets to the primary RADIUS server checkbox.
    • Set the Accounting port to 1813.
    • Set Accounting updates to Stop/Start (FreeRADIUS).
  27. Set the RADIUS NAS IP Attribute to the IP address of the interface on which the captive portal is running.
  28. You can enable MAC authentication by checking the RADIUS MAC Authentication checkbox. If you enable this option, the RADIUS server will use the end user’s MAC address as the username and the value entered in the MAC authentication secret edit box as the password. This is a useful option if you don’t want to configure separate user accounts but still want to keep track of different users. If this option is used, any username entered in the Username field on the captive portal login page will be ignored, as shown in the following screenshot:

  29. Scroll down to HTML Page Contents and make sure an appropriate page is configured for Portal page contents (it must have a username and password field), or just use the pfSense default page by clicking on the Restore default page button.
  30. When you are done making changes, click on the Save button.
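
The exchange these steps configure, as an added example (not part of the original recipe, and not pfSense or FreeRADIUS code): it builds the PAP Access-Request that the captive portal sends to port 1812 and shows how the Client Shared Secret from step 10 both hides the password and authenticates the server's reply. The user name, password, secret and NAS address are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import os
import socket
import struct

def _xor_chain(data, secret, authenticator, hiding):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(d ^ k for d, k in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to a multiple of 16 bytes (at least 16), then hide."""
    size = max(16, -(-len(password) // 16) * 16)
    return _xor_chain(password.ljust(size, b"\x00"), secret, authenticator, True)

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same chain, keyed by the server's copy of the secret."""
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request (code 1): User-Name, User-Password, NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (1, user.encode()),
        (2, pap_hide(password.encode(), secret, authenticator)),
        (4, socket.inet_aton(nas_ip))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def exchange(packet, host="127.0.0.1", port=1812, timeout=3.0):
    """Send to the authentication port and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        return s.recvfrom(4096)[0]

def reply_is_authentic(reply, request, secret):
    """Reply authenticator must be MD5(code+id+len + request auth + attrs + secret)."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and reply[4:20] == expected

if __name__ == "__main__":
    # Constructed sample values; runs offline and sends nothing.
    req = build_access_request("alice", "example-password", b"example-secret", "192.168.1.1")
    print("right secret:", pap_reveal(req[29:45], b"example-secret", req[4:20]))
    print("wrong secret:", pap_reveal(req[29:45], b"wrong-secret", req[4:20]))
```

Against the running server, pass the packet to `exchange()` and check the reply with `reply_is_authentic()`: a first byte of 2 is Access-Accept and 3 is Access-Reject. Since the password hiding and the reply check are both MD5 keyed only by the shared secret, that secret should be long and random.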
