NxFilter Tutorial

Single sign-on by 802.1X
NxFilter supports single sign-on by 802.1X Wi-Fi authentication with its built-in RADIUS accounting server. This gives you single sign-on for smartphones and other mobile devices in your network. Since you can import users and groups from Active Directory or Google G Suite LDAP, your users appear in NxFilter with their AD or Google usernames.


How it works
We use the RADIUS accounting protocol to pick up usernames from Wi-Fi authentication. NxFilter works as a RADIUS accounting server, and you need to set your Wi-Fi router to send RADIUS accounting requests to NxFilter. Note that NxFilter doesn't do RADIUS authentication itself; you do RADIUS authentication with your own authentication server. If you are in an Active Directory environment, your authentication server would be your Windows Network Policy Server.

You can test NxFilter as a RADIUS accounting server using a tool like NTRadPing.
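
To make clear what the router sends and how the shared secret protects it, here is an added example (not NxFilter's code) that builds an RFC 2866 Accounting-Request and checks it the way an accounting server would. The username, IP address and secret are constructed sample values, and including Framed-IP-Address is an assumption, since this page does not list which attributes NxFilter reads.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS code (RFC 2866)
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40
START, STOP = 1, 2                          # Acct-Status-Type values

def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident: int, secret: bytes, user: str, ip: str, status: int) -> bytes:
    """What the access point sends to the accounting port (UDP/1813 by default)."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(FRAMED_IP, socket.inet_aton(ip))
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs

def parse_request(packet: bytes, secret: bytes):
    """Return the decoded fields, or None if malformed or the secret does not match."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return None
    header, received, attrs = packet[:4], packet[4:20], packet[20:length]
    if not hmac.compare_digest(received, _authenticator(header, attrs, secret)):
        return None                         # wrong shared secret or modified packet
    fields, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return None                     # truncated or invalid attribute length
        fields[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    ip, status = fields.get(FRAMED_IP, b""), fields.get(ACCT_STATUS_TYPE, b"")
    return {
        "user": fields.get(USER_NAME, b"").decode("utf-8", "replace"),
        "ip": socket.inet_ntoa(ip) if len(ip) == 4 else None,
        "status": struct.unpack("!I", status)[0] if len(status) == 4 else None,
    }

# Constructed sample: a session Stop for a constructed user and secret.
SECRET = b"constructed-shared-secret"
PACKET = build_request(7, SECRET, "uname@visitor.com", "192.168.0.25", STOP)
```

The authenticator is the only thing tying an accounting request to your router, so the Shared Secret should be a long random string that is not reused elsewhere.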


GUI Options
After changing these options in the GUI, you have to restart NxFilter.

- Accounting Port

The port on which NxFilter receives RADIUS accounting requests. We use UDP/1813 by default.

- Shared Secret

Shared secret string for your Wi-Fi router to communicate with NxFilter.

- Enable Logout

Destroy the user's login session when the status type of an accounting request is 'Stop'.

- Auto-register for New User

When NxFilter receives a username it doesn't know, it can create a user automatically with that username.

- Default Group for New User

You can set a default group for the newly created users.

- Local Domain

When you receive usernames in an email form (uname@mydomain.local), you can specify domains to remove. By default, NxFilter always removes the domain part from an email-form username.

- Use RADIUS

Run the RADIUS accounting server.


Active Directory integration
First, import users and groups from your Active Directory on 'User > Active Directory'. After that, set up NxFilter's integrated RADIUS accounting server on 'User > RADIUS'. In most cases you don't need to change anything there except Shared Secret. Lastly, implement 802.1X authentication with your Wi-Fi router and Windows NPS (Network Policy Server).

To set up Windows NPS, read the NPS setup part of Managing RADIUS Authentication with UniFi.

This is a screen capture of our NPS setup.

And below is a screen capture of our UniFi router setup.


Delay for the first contact
There will be a delay of several seconds before NxFilter gets the first RADIUS accounting request after a user logs in by Wi-Fi authentication. One problem is that your users might get blocked by NxFilter as unauthenticated users during that time. The solution is to create a default user associated with an IP range covering all the IP addresses in your network. Your Wi-Fi authenticated users will appear as the default user for several seconds, until NxFilter receives the first RADIUS accounting request, and then they will appear with their own usernames.


Auto-register for new users
You may have some guest users temporarily using your network through 802.1X Wi-Fi authentication by a third-party authentication service like Eduroam. They are not in your user database, but they are authenticated users. You want to allow them to use your network but monitor them by username and apply a policy to them as a group. If you have only a small number of visitors, you can do this by issuing temporary usernames to these guest users. But if there are hundreds of them coming and going, you don't want to do it manually.

For this kind of situation, we have the 'Auto-register for New User' option. With this option enabled, when NxFilter finds a new username in a RADIUS accounting request, it creates a user with that username. You can also set a default group for these new users with the 'Default Group for New User' option.

However, before you enable 'Auto-register for New User', there's one thing to think about. These visitor users most likely use email-form usernames like 'uname@visitor.com' to differentiate themselves from users of other organizations. However, NxFilter strips out the domain part of an email-form username by default. To keep the domains in these visitor usernames, you can specify Local Domain. If you specify Local Domain, NxFilter removes only the specified domains.

You can add multiple local domains separated by commas.