Slides for the June 2017 pfSense Hangout video

1. Advanced Captive Portal
pfSense 2.3/2.4
June 2017 Hangout
Jim Pingle

2. About this Hangout
● Project News
● Brief Captive Portal Review
● Pass-Through Credits
● Pass-Through MAC Auto
Entry
● Pre-Auth Redirect
● Advanced Voucher Topics
● FreeRADIUS Package Basics
● RADIUS Time Limits
● RADIUS Data Limits
● RADIUS Primary and
Secondary Sources
● RADIUS MAC Authentication
● RADIUS Reply Attributes

3. Project News
●
OpenVPN update, patch ASAP
– https://www.netgate.com/blog/important-update-for-openvpn.html
●
2.3.4-p1-RELEASE Coming Soon
– Security/Errata fixes (XSS, Stack Clash, OpenVPN update)
– Will be released once FreeBSD completes fixes for Stack Clash and they are merged and tested
●
Netgate Global Support
– New support structure, moving away from incidents to a per-device support model
– 24x7, several SLA and contact method options
– https://www.netgate.com/blog/announcing-netgate-global-support.html
●
pfSense Brand Refresh
– New logos for both pfSense and Netgate to more closely align the two
– https://www.netgate.com/blog/pfsense-brand-refresh.html
●
pfSense article in FreeBSD Journal
●
BSDCan was earlier this month
●
Minnowboard Turbot Dual-E models shipping now, on Amazon and Netgate store pages
●
New book featuring pfSense: Building Virtual Machine Labs: A Hands-On Guide, by Tony V Robinson
– Available also as an add-on item when ordering certain hardware models from the Netgate store

4. Captive Portal Review
● Captive Portal prevents user traffic from exiting the local network until the user authenticates using the
portal login page
● The portal captures HTTP/HTTPS requests and redirects unauthenticated users to the Captive Portal
login page
● Captive Portals are often used to present users with a ToS or User Agreement, etc
● Operates primarily at Layer 2, checks the user’s MAC address and/or IP address
● Zones define different portals, and each zone can have one or more interfaces
● Bypass lists for sources/destinations based on MAC or IP address to skip auth
● Can use local auth, RADIUS, vouchers, or no auth at all
● Once a user is authenticated, their traffic flows based on regular firewall rules, as if the portal were not
there
● See last month’s hangout for details, prerequisites, basic setup, etc.

5. Pass-Through Credits
●
Pass-Through Credits allow a user to “login” to the portal a number of times without prompting for a password.
●
Combined with hard timeouts, this can effectively allow configurations such as “3 hours of access, then require a
login”
●
Pass-Through Credits Per MAC Address:
– The number of times the MAC can pass through the portal login process per “waiting period” without redirecting to the portal
login page
●
Waiting period to restore pass-through credits:
– A time, specified in hours, after which pass-through credits reset
– Example: “24” would be per day
– Starts counting after the first pass-through
– Must be a non-zero number if pass-through credits are enabled
●
Reset waiting period
– When enabled, attempting to access the portal again resets the user’s waiting period start time, making them wait longer for
access
– Useful to curtail abusers

6. Pass-Through MAC Auto Entry
● Useful for user self-registration style setups
– Allows the portal admin to force a login just once, without requiring a login each and every time
– Useful for networks that do not change often, but still require authenticating each device
– Another potential use cases is WISP networks where knowing which user has a MAC is important,
but repeated logins would be undesirable
● Cannot be combined with RADIUS MAC Authentication
● Will not show a logout pop-up or page
● To remove a user, manually remove them from the MAC tab, or setup a script to POST
the proper parameters
● “… with username” option
– The username is stored along with the MAC address in the pass-through entry

7. Pre-Auth Redirect
● Forces users to a page outside the firewall before the portal login screen
● Flow is:
– User attempts to load page, user is redirected to the portal page
– Portal page sees that the user is trying to reach some other site, sends them to the pre-auth URL instead
– User clicks link on pre-auth page
– Portal page sees the link it expects coming from the pre-auth page
– User receives the portal login page
– User logs in, and is redirected back to the pre-auth URL
● Outside page links back to portal URL
● If the site is remote, you must add it and any assets it needs as a bypass (host or IP address)
● Requires a special block of PHP at the start of the login page
– In the book, also will be in the example page posted with this hangout
● Upload custom page, set URL to landing page in Pre-Auth Redirect box
● In the supplied example, the landing page must also include itself as the final redirect URL so users return to that same
landing page after login
– The code could be adjusted for other cases

8. Advanced Vouchers - Bits
● Voucher bits must add up to less than the key size, which by default is 64
– Default values add up to only 31
– Default is:
● 16 roll bits (2^16-1 or 65535 rolls)
●
10 ticket bits (2^10-1 or 1023 tickets per roll)
– When adjusting numbers, reduce one to increase another
– More tickets in a roll:
● Decrease roll bits, increase ticket bits
– More rolls with less tickets
● Decrease ticket bits, increase roll bits

9. Advanced Vouchers – Code Sizes
● Simpler voucher codes
– Change character set to only include a limited set of characters (e.g. uppercase letters)
– This will make codes longer, as it needs more bits of entropy
● Shorter voucher codes
– Either a more complex character set… OR
– Generate a shorter key and adjust bits to fit new size
● Shorter key means less randomness, which means vouchers could be more predictable/crackable, less
secure!
● openssl genrsa 31 > /tmp/private.key
● openssl rsa -pubout -outform PEM < /tmp/private.key > /tmp/public.key
● Edit/open/download /tmp/private.key and /tmp/public.key and copy to appropriate fields in the GUI
● Reduce roll/ticket/checksum bits to fit under the new size

10. RADIUS Basics
● Next sections are specific to RADIUS and require a RADIUS server
● RADIUS is a system that provides Authentication, Authorization,
and Accounting (AAA)
● FreeRADIUS package on pfSense can fill this role for most
installations, but more complicated setups would benefit from a
dedicated external RADIUS server that ties into other systems
(accounts, billing, payment cards, 2FA, etc)
● Active Directory can also be accessed via RADIUS using NPS

11. FreeRADIUS Package
● Examples in later slides will be shown specifically using the pfSense FreeRADIUS 3.x
package, for simplicity
● The same features are usable in other RADIUS servers, but YMMV
● Install the FreeRADIUS 3.x package from System > Package Manager
● Visit Services > FreeRADIUS, EAP tab, pick SSL CA and Server Cert. Make one first if you
don’t have one, or leave it on “auto”
● Interfaces Tab: Add two instances, one for Authentication on 1812, one for Accounting on 1813
● NAS/Clients Tab: Add at least one entry for localhost (127.0.0.1), set shortname (usually
firewall hostname), shared secret, others can be left blank/default
● Users: Salt to taste (wait until covered on later slides)
● Add entry under System > User Manager and test from Diagnostics > Authentication

12. Captive Portal RADIUS Auth
● Set Authentication to RADIUS Authentication
●
Set RADIUS Protocol to MSCHAPv2
● Set Primary RADIUS Server…
– IP Address: 127.0.0.1 (or other RADIUS server)
– RADIUS Port: 1812
– Shared Secret: Password set for this NAS entry in RADIUS
● Accounting…
– Check enable
– Accounting Port: 1813
– Accounting Updates: Stop/Start (FreeRADIUS)
● RADIUS Options: Will vary depending on what features are required, see later slides

13. RADIUS Time Limits
● In addition to settings mentioned previously…
● Check Captive Portal RADIUS Option for Reauthenticate connected users every minute
● Services > FreeRADIUS, Settings tab, check Disable Acct_Unique
● FreeRADIUS User entries are limited based on a set amount of time within a period using the
Time Configuration section
● Set Amount of Time to a number, in minutes, of the duration the user is allowed to be logged
in
● Set the Time Period after which the user’s Amount of Time resets
– Daily resets at midnight every day
– Weekly resets at midnight on Sunday
– Monthly resets at midnight the first day of each month
– Forever never resets until the database files are removed/reset manually

14. RADIUS Data Limits
● Basic setup the same as Time Limits on last slide (Disable Acct_Unique in
FreeRADIUS, set to Reauth every minute, etc)
● In FreeRADIUS Users, set values in the Traffic and Bandwidth section
● Set the Amount of Download and Upload Traffic, in Megabytes, to control
how much a user can transfer, total upload and download, within the alotted
Time Period
● Set the Time Period to when the counters should reset (see previous slide)
● It does only check once per minute, so depending on circuit speed they
could exceed the limit significantly in under a minute

15. RADIUS Pri & Sec Sources
● Not a backup! This is a second, separate, source for
authentication
● Two authentication sources, needs two different login fields
on the page
● Primary source uses auth_user / auth_pass fields
● Secondary source uses auth_user2 / auth_pass2 fields
● Can be used for different sources, such as Primary = AD,
Secondary = External card number+pin provider

16. RADIUS MAC Authentication
● Automatically sends the MAC address of a client to RADIUS with a standard password to check if it’s OK before
presenting a login page
● If it fails, the user is given the normal portal login screen
● Allows for centralized MAC-based authentication without needing to populate the MACs for pass-through on
pfSense
● In FreeRADIUS, disable Plain MAC Auth on the Settings tab.
● In FreeRADIUS, add entries to Users tab, using the dash-separator notation (xx-xx-xx-xx-xx-xx) and the
common password set in Captive Portal
● In Captive Portal settings, enable RADIUS MAC Authentication
● Enter the common MAC authentication secret which must be the same for all MAC entries for this portal
● Set the MAC Address Format to IETF
● NOTE: Do not use the MACs tab in FreeRADIUS or the Plain MAC Auth option, those are for older 802.1x
equipment which cannot send usernames or passwords, only MAC address as Calling-Station-Id

17. RADIUS Reply Attributes
● Several user control options can be sent back as RADIUS Reply Attributes
● Per-user session length value
– “Session-Timeout” Reply Attribute
– Must be checked on Captive Portal settings
– Set Session Timeout field on FreeRADIUS User entry
● Per-user idle timeout value
– “Idle-Timeout” Reply Attribute
● Per-user data limits can be set, crafts automatic limiters
– In FreeRADIUS user entries, “Maximum Bandwidth” down/up fields
– WISPr-Bandwidth-Max-Up/WISPr-Bandwidth-Max-Down, or ChilliSpot-Bandwidth-Max-Up/ChilliSpot-Bandwidth-
Max-Down
● Per-user redirection URL:
– “WISPr-Redirection-URL” Reply Attribute
– Set manually in the REPLY-ITEM box on a FreeRADIUS user

18. Conclusion
● Questions?
● Ideas for hangout topics? Post on forum, comment on the blog
posts, Reddit, etc