NxFilter Tutorial

Single sign-on by 802.1x
As of v4.3.4.3, NxFilter supports single sign-on by 802.1x Wi-Fi authentication with its built-in RADIUS accounting server. This gives you single sign-on for smartphones and other mobile devices on your network. Since you can import users and groups from Active Directory or Google G Suite LDAP, your users appear in NxFilter with their AD or Google usernames.


How it works
We use the RADIUS accounting protocol to pick up usernames from Wi-Fi authentication. NxFilter works as a RADIUS accounting server, and you need to set your Wi-Fi router to send RADIUS accounting requests to NxFilter. Note that NxFilter doesn't do RADIUS authentication itself. You do RADIUS authentication with your own authentication server; in an Active Directory environment, that would be your Windows Network Policy Server. So NxFilter doesn't break your RADIUS authentication chain.


GUI Options
After changing these options in the GUI, you have to restart NxFilter.

- Accounting Port
The port on which NxFilter receives RADIUS accounting requests. We use UDP/1813 by default.

- Shared Secret
Shared secret string for your Wi-Fi router to communicate with NxFilter.

- Enable Logout
Destroy the user's login session when the status type of an accounting request is 'Stop'.

- Auto-register For New User
When NxFilter receives a username it doesn't know, it can create a user automatically with that username.

- Default Group For New User
You can set a default group for the newly created users.

- Local Domain
When you receive usernames in email form (uname@mydomain.local), you can specify which domains to remove. By default, NxFilter always removes the domain part from an email-form username.

- Use RADIUS
Run the RADIUS accounting server.


Active Directory integration
First, import users and groups from your Active Directory on 'User > Active Directory'. After that, set up NxFilter's integrated RADIUS accounting server on 'User > RADIUS'. In most cases you don't need to change anything there except Shared Secret. Lastly, implement 802.1x authentication with your Wi-Fi router and Windows NPS (Network Policy Server).

To set up Windows NPS, read the NPS setup part of Managing RADIUS Authentication with UniFi.

This is a screenshot of our NPS setup.

And below is a screenshot of our UniFi router setup.


G Suite LDAP and OpenLDAP integration
It's no different from Active Directory integration. You import users and groups from G Suite LDAP or OpenLDAP on 'User > OpenLDAP', then set up your router and your RADIUS authentication server, and then send RADIUS accounting requests to NxFilter.

For how to import users and groups from G Suite LDAP, read Google's GSuite Secure LDAP import to NxFilter.


Delay for the first contact
There will be a delay of several seconds before NxFilter gets the first RADIUS accounting request after a user logs in by Wi-Fi authentication. One problem is that your users might get blocked by NxFilter as unauthenticated users during that time. The solution is to define a default user covering all the IP addresses in your network. Create a user on the NxFilter GUI and associate an IP range covering your network with that user. Your Wi-Fi authenticated users will appear as the default user for several seconds, until NxFilter receives the first RADIUS accounting request, and then they will appear with their own usernames.


Auto-register for new users
You may have some guest users temporarily using your network through 802.1x Wi-Fi authentication by a third-party authentication service like Eduroam. They are not in your user database, but they are authenticated users. You want to allow them to use your network but monitor them by their usernames and apply a policy to them as a group. If you have only a small number of visitors, you can do this by issuing temporary usernames to these guest users. But if there are hundreds of them coming and going, you don't want to do it manually.

For this kind of situation, we have the 'Auto-register For New User' option. With this option enabled, when NxFilter finds a new username in a RADIUS accounting request, it creates a user with the new username in its database. You can also set a default group for these new users with the 'Default Group For New User' option. To apply a filtering policy to these users, set a policy on the default group.

But before you enable 'Auto-register For New User', there's one thing to think about. These visitor users most likely use email-form usernames like 'uname@visitor.com' to differentiate themselves from users of other organizations. However, NxFilter strips out the domain part of an email-form username by default. To keep the domains in these visitor usernames, you can specify 'Local Domain'. If you specify 'Local Domain', NxFilter removes only the specified domains.
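
The following Python example is added here for illustration and is not NxFilter's own code. It shows how a RADIUS accounting listener can apply the 'Shared Secret', 'Enable Logout' and 'Local Domain' settings described in "How it works" and above: it verifies the RFC 2866 Request Authenticator, reads User-Name and Acct-Status-Type, and applies the domain-stripping rule. The function names, the sample secret and packet, and the use of Framed-IP-Address to identify the client are assumptions.

```python
import hashlib, hmac, socket, struct
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40  # RFC 2865/2866 attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_request(ident, attrs, secret):
    """Build an Accounting-Request (code 4) as a Wi-Fi router (NAS) would."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", 4, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def parse_request(pkt, secret):
    """Return {type: value} for an authentic Accounting-Request, else None."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 4 or not 20 <= length <= len(pkt):
        return None
    pkt = pkt[:length]
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None  # wrong shared secret or forged packet: drop it
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            return None  # malformed attribute
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return attrs

def normalize_username(name, local_domains=()):
    """Default: always strip '@domain'. With local_domains: strip only those."""
    user, sep, domain = name.partition("@")
    strip = sep and (not local_domains or domain.lower() in local_domains)
    return user if strip else name

def session_event(pkt, secret, local_domains=()):
    """Turn one packet into a login/logout event, or None if it is rejected."""
    attrs = parse_request(pkt, secret)
    if not attrs or USER_NAME not in attrs or ACCT_STATUS_TYPE not in attrs:
        return None
    ip = attrs.get(FRAMED_IP, b"")
    return {"status": STATUS.get(int.from_bytes(attrs[ACCT_STATUS_TYPE], "big")),
            "user": normalize_username(attrs[USER_NAME].decode("utf-8", "replace"), local_domains),
            "ip": socket.inet_ntoa(ip) if len(ip) == 4 else None}

SECRET = b"example-shared-secret"  # constructed value, not from the page
SAMPLE = build_request(7, [(USER_NAME, b"uname@visitor.com"),  # constructed packet
                           (ACCT_STATUS_TYPE, (1).to_bytes(4, "big")),
                           (FRAMED_IP, socket.inet_aton("192.0.2.25"))], SECRET)
```

Calling session_event(SAMPLE, SECRET) yields the user "uname", while passing local_domains=("mydomain.local",) keeps "uname@visitor.com" intact, which is the behaviour you want before enabling auto-registration for visitors.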