Relay Captive Portal to VLANs in Layer 3 Switch
-
In my network, users connect to a Layer 3 switch where multiple VLANs are defined. To be more precise, the gateways of the VLANs are defined in the L3 switch. The default gateway of the L3 switch is the IP address of the firewall, which connects to the WAN. Once I configure the captive portal in pfSense, the users in the default VLAN of the L3 switch are able to get the captive portal on their screens, but the users connecting to the other VLANs in the L3 switch are not able to get the login screen and are also not able to get internet connectivity on their machines. Without enabling the captive portal, everyone gets internet.
I have been stuck here for days and have tried multiple options in pfSense, but have not been able to get it solved to date. Please help and guide me on how to get it solved.
-
@cncnitc Well, since the captive portal uses MACs and is layer 2.. the captive portal would never see the actual MAC of the client; it would be seeing the MAC of the switch that is routing the traffic.
What switch are you using? Some offer a captive portal or HTTP auth method if the device can not use the typical 802.1x auth that you normally do on a switch. This is normally for when you might have "guests" etc..
-
Wouldn't it be easier if those users are on a different SSID & VLAN? That way, they're already sorted out at the access point.
-
@jknott yeah, with wifi it's easier for sure, but I take it the OP is also working with wired devices he wants to leverage a captive portal for.
-
Perhaps he can use DHCP option 132, to put the devices on a VLAN.
-
@jknott doesn't seem like he wants or is having issues assigning VLANs. His issue is he has downstream networks routed by his L3 switch..
If his pfSense routed the networks then it wouldn't be an issue, because pfSense would be attached to the different L2 networks and see the MACs of all the clients in all the networks, and you could leverage the captive portal.
-
It's hard to say exactly what he's doing. My understanding is he's not getting the correct VLAN. A different SSID or DHCP option 132 would put those devices on the correct VLAN.
-
@johnpoz Thank you for the reply. We are using DLINK 3630.
-
@cncnitc said in Relay Captive Portal to VLANs in Layer 3 Switch:
DLINK 3630
I have no experience with that switch, but a quick google
https://www.manualslib.com/manual/1344033/D-Link-Dgs-3630-Series.html?page=517
Web-based Access Control
Web-based Access Control (WAC) is a feature designed to authenticate a user when the user is trying to access the Internet via the Switch. The authentication process uses the HTTP or HTTPS protocol. The Switch enters the authenticating stage when users attempt to browse Web pages (e.g., http://www.dlink.com) through a Web browser. When the Switch detects HTTP or HTTPS packets and this port is unauthenticated, the Switch will launch a pop-up user name and password window to query users. Users are not able to access the Internet until the authentication process is passed.
So it does look like you could have your switch do the captive portal auth for you..
-
@johnpoz In the switch, there is a user limit of 100 users on each port. Also, it has support only for plain-text password authentication, which we are not able to use as per our RADIUS configuration. Anyway, I will explore more with the switch.
-
@cncnitc said in Relay Captive Portal to VLANs in Layer 3 Switch:
It has support only for plain text password authentication
I don't have any experience with that line of switch, but it looks like you can use RADIUS for the web-auth from a quick look at the CLI command listings.. Which wouldn't be plain text, or wouldn't have to be, etc.
The only way you can get the pfSense captive portal to work is if the L2 is connected to pfSense.. I have never heard of any sort of helper or proxy that could forward captive MACs for use in a captive portal; even if you could, how would it work after the auth.. The only MAC pfSense is ever going to see is the MAC of the switch port connected to pfSense on your uplink, since your switch is doing the L3 routing.
The simple solution would be to let pfSense do the routing; now you can run multiple captive portals on all your networks, etc.
Might want to take a look at https://www.packetfence.org/ - if it will work with that switch, you might be able to let it do the captive portal auth, and just tell the switch to let the client on, etc.
It is a pretty well-rounded open-source NAC.
-
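A quick way to confirm the symptom described above (pfSense seeing one MAC for every routed client) is to capture on the interface facing the switch and count distinct source IPs per source MAC. This is an added diagnostic, not code from any poster in this thread; it assumes the `tcpdump -e -n` line format, the interface name `igb1`, and a constructed sample capture.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Parses `tcpdump -e -n -i igb1` style
# output and reports source MACs that carry frames for more than one source IP.
# One MAC fronting many IPs is a router (here the L3 switch), so a MAC-based
# captive portal sees only that MAC instead of each client behind it.

# Constructed sample: three clients in routed VLANs (10.20/10.30/10.40) arrive
# with the switch MAC 00:11:22:33:44:55; one client on the directly attached
# VLAN (192.168.1.50) keeps its own MAC. Format assumed from tcpdump -e -n.
SAMPLE_CAPTURE='12:00:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.20.0.15.51000 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.30.0.22.51001 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.20.0.15.51002 > 203.0.113.11.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.40.0.9.51003 > 203.0.113.12.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 aa:bb:cc:dd:ee:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.50.51004 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0'

# routed_sources: read capture lines on stdin; print "<mac> <distinct-ip-count>"
# for each source MAC seen with more than one distinct source IP.
routed_sources() {
    awk '$6 == "IPv4" {
            mac = $2; ip = $10
            sub(/\.[0-9]+$/, "", ip)            # strip the source port suffix
            if (!seen[mac SUBSEP ip]++) count[mac]++
         }
         END { for (m in count) if (count[m] > 1) print m, count[m] }' | sort
}

# portal_can_see_clients: exit 0 when every source MAC maps to a single IP
# (pfSense is on the clients' L2), exit 1 when a MAC hides several clients.
portal_can_see_clients() {
    [ -z "$(routed_sources)" ]
}

# Stand-alone run against the constructed sample; on a real box replace the
# printf with: tcpdump -e -n -i igb1 -c 500 ip 2>/dev/null | routed_sources
printf '%s\n' "$SAMPLE_CAPTURE" | routed_sources
```

Any MAC listed with a count above one is a routing hop; clients behind it will never get their own captive-portal session until pfSense is attached to their L2 segment.
-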
The wired-based PCs and servers could be secured over LDAP. The entire wireless units could be secured over the captive portal and the RADIUS server together, but therefore the switch should be supporting multiple user auth. per each switch port. With that captive portal and voucher system you may also be able to write the VLAN ID directly in the voucher (RADIUS certificate), so all users will be placed in the right VLAN then.
But if you are working with RADIUS certificates and encryption together, you may forget about serving ~100 users per port! This is often a theoretical number and will be shortened down due to the circumstance of the hard traffic that will be produced by using RADIUS & encryption.
If you set up a transfer network (VLAN) from the pfSense to the switch and then other VLANs for the wifi APs and wifi users, all the VLANs must be reachable by the pfSense by setting up ACLs on the switch (VLANs).
-