RADIUS authentication

The third authentication option is RADIUS Authentication. Remote Authentication Dial-In User Service (RADIUS) provides a means of centralized authentication, authorization, and accounting for network users. To use RADIUS to authenticate captive portal users, you must have a RADIUS server. It is beyond the scope of this book to explain how to configure a RADIUS server, but we will cover some of the more important RADIUS options on the Captive Portal Configuration page.

pfSense supports several protocols for sending and receiving data from the RADIUS server: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), MS-CHAPv1, and MS-CHAPv2. You can supply a primary authentication source and a secondary authentication source, each with a primary RADIUS server and a secondary RADIUS server. You can supply an IP address, port, and shared secret for each. Entering an IP address is required for each RADIUS server used. If the RADIUS port field is left blank, pfSense will use the default RADIUS port. Entering a RADIUS shared secret is not required, but is recommended.

One of the authentication options under RADIUS Options is the Reauthenticate connected users every minute checkbox. If this option is enabled, pfSense will send access-requests to RADIUS for each user every minute. If an access-reject is received for any user on one of these requests, the user is disconnected from the captive portal immediately. There is also an option called RADIUS MAC Authentication. Checking this box will cause RADIUS to try to authenticate captive portal users by sending their MAC address as the username and the MAC authentication secret, specified in the next edit box, as the password.
