RADIUS requests from different captive portals are indistinguishable #8218

Open
cs-1 opened this issue Jan 15, 2025 · 0 comments
cs-1 commented Jan 15, 2025


Describe the bug

Assume that there are two captive portals on an OPNsense box, e.g. CP1 and CP2 (this applies to every setup with more than one CP). In RADIUS terminology, the CP's IP address is the NAS IP address. Furthermore, CP1 and CP2 are completely different access services. However, RADIUS access requests...

  • have the same NAS-Identifier for both CP1 and CP2,
  • are sent to the configured RADIUS server using the OPNsense box's IP address that points towards the RADIUS server, and not with the IP address of either CP1 or CP2 (depending on where the client connects).

This means that RADIUS Access-Request packets of CP1 and CP2 are indistinguishable. This poses operational problems when using RADIUS servers because authorisation and authentication policies may differ.

To Reproduce

Steps to reproduce the behavior:

  1. Set up a RADIUS server.
  2. Set up two captive portals CP1 and CP2 with RADIUS auth.
  3. Connect a client to CP1 and CP2.
  4. Collect the Access-Request packets on the RADIUS server.

Expected behavior

The expected behaviour is...

  • that the CP's gateway IP address is used to send Access-Request and Accounting packets (optional),
  • the NAS-Identifier attribute is unique for each CP on the same OPNsense machine (mandatory).

Describe alternatives you considered

There are currently no alternatives.

Screenshots

N/A

Relevant log files

N/A

Additional context

The NAS identifier is set here:

public function setProperties($config)
{
    // map properties to object
    $confMap = array('host' => 'radiusHost',
        'radius_secret' => 'sharedSecret',
        'radius_timeout' => 'timeout',
        'radius_auth_port' => 'authPort',
        'radius_acct_port' => 'acctPort',
        'radius_protocol' => 'protocol',
        'refid' => 'nasIdentifier'
    );
    // map properties 1-on-1
    foreach ($confMap as $confSetting => $objectProperty) {
        if (!empty($config[$confSetting]) && property_exists($this, $objectProperty)) {
            $this->$objectProperty = $config[$confSetting];
        }
    }
    if (!empty($config['sync_create_local_users'])) {
        $this->syncCreateLocalUsers = true;
    }
    if (!empty($config['sync_memberof'])) {
        $this->syncMemberOf = true;
    }
    if (!empty($config['sync_memberof_groups'])) {
        $this->syncMemberOfLimit = explode(",", strtolower($config['sync_memberof_groups']));
    }
    if (!empty($config['sync_default_groups'])) {
        $this->syncDefaultGroups = explode(",", strtolower($config['sync_default_groups']));
    }
}

This should be overridden when authenticating from a Captive Portal. For CPn it could be set to something like "Captive-Portal-n". Is it possible to override the nasIdentifier after the following line?

$authServer = $authFactory->get(trim($authServerName));

The variable $zoneid is properly set in the above function which would help to override the nasIdentifier.

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 24.7.11_2-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15
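An added example, written for this page and not taken from the issue or from OPNsense, in Python: it builds the two Access-Requests as the issue describes them (NAS-IP-Address and NAS-Identifier attributes laid out per RFC 2865; the address 192.0.2.1 and the identifiers are constructed values) and shows that a RADIUS server keying policy on those attributes cannot separate CP1 from CP2 today, but can once each zone carries its own NAS-Identifier.

```python
import socket
import struct

ACCESS_REQUEST = 1
NAS_IP_ADDRESS = 4    # RFC 2865 attribute type 4
NAS_IDENTIFIER = 32   # RFC 2865 attribute type 32

def build_access_request(ident, nas_ip, nas_identifier):
    """Minimal Access-Request carrying only the two NAS attributes of interest."""
    attrs = b""
    for attr_type, value in ((NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
                             (NAS_IDENTIFIER, nas_identifier.encode())):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    authenticator = bytes(16)  # constructed placeholder; real packets use a random value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet):
    """Walk the attribute TLVs, rejecting lengths that would run past the packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

def nas_key(packet):
    """The (NAS-IP-Address, NAS-Identifier) pair a server would select policy on."""
    attrs = parse_attributes(packet)
    return (socket.inet_ntoa(attrs[NAS_IP_ADDRESS]), attrs[NAS_IDENTIFIER].decode())

def distinguishable(packets):
    """True only if every packet maps to a different NAS key."""
    keys = [nas_key(p) for p in packets]
    return len(set(keys)) == len(keys)

# Current behaviour from the issue: both portals send the box's outbound address
# and the same NAS-Identifier (192.0.2.1 and "opnsense" are constructed values).
CURRENT = [build_access_request(1, "192.0.2.1", "opnsense"),
           build_access_request(2, "192.0.2.1", "opnsense")]
# Requested behaviour: a unique per-zone NAS-Identifier such as "Captive-Portal-n".
PROPOSED = [build_access_request(1, "192.0.2.1", "Captive-Portal-1"),
            build_access_request(2, "192.0.2.1", "Captive-Portal-2")]
```

A server can only apply different authorisation policies to CP1 and CP2 when distinguishable() holds for their requests; the parser also rejects attribute lengths that overrun the packet, which a robust RADIUS receiver must do before trusting any attribute.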
