Prompt on new device connecting to network.
-
Hi guys. I was curious (as I'm trying to really lock down my network). Is there a way to be prompted when a new device tries to connect to the network, so I can choose to allow or deny it (allow for x period would be even more awesome)?
-
@menethoran No, not really. There is the option of giving the device a captive portal to “authenticate” or “register” itself (by the user). But that is not really what you are looking for.
-
@menethoran You can allow based on MAC address and deny all others. Look at "Services/DHCP Server/LAN" for more information.
Ted
-
It would be nice if you could provide us with some more information, so we could come nearer to finding a solution for you.
- What is "lock down"?
- For what and whom do you lock down? (Wired devices too?)
- For which devices do you lock down? (WiFi and wired?)
You may be able to set up an LDAP server on your LAN for the wired devices, and you may be able to use the captive portal together with the RADIUS server and certificates or vouchers for your WiFi guests. You may be able to use switches with multi-auth per LAN port and also VLANs (SSIDs), and on top of all that, IDS/IPS may be a nice add-on too.
-
@keyser can that captive portal be called from "outside" my network? (I'm thinking, if it can, I MIGHT be able to do what I want, or at least come close enough as to be equal... If I can call on an outside site for the captive portal, I can put it behind an authenticator (Authelia, to be specific, which relies on an LDAP server that I already have on the network) so that someone would have to know a complicated username and password to pass a page and gain access to the captive portal. I think I might even be able to do that per AP (UniFi APs).)
THANKS, even if it wasn't right, I think you gave me a workaround that works.
@tedquade I already use MAC filtering, but you can spoof a MAC address, and some modern phones now randomize their MAC; I know my S23+ does unless I specifically set it not to (I set it not to on my home network/s). BUT, thank you for the suggestion, it's a good one to start with when tightening security.
-
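The two posts above describe the limits of a pure MAC allowlist: pfSense's DHCP server can deny unknown clients, but a spoofed or randomized MAC walks straight past that. What can still be done from the DHCP side is to notice new or suspicious clients. The following Python script is an added example, not code from this thread or from pfSense: it parses the ISC dhcpd.leases format that pfSense's DHCP server writes (the lease-block syntax follows the ISC dhcpd documentation; on pfSense the file has historically lived at /var/dhcpd/var/db/dhcpd.leases, which you should verify on your version), reports every active lease whose MAC is not on a constructed allowlist, and tags MACs whose locally-administered bit is set, which is the signature of the per-network randomized addresses mentioned above. The sample lease text and the allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in ISC dhcpd.leases syntax; not a real capture.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 2 2024/05/07 18:02:11;
  ends 2 2024/05/07 20:02:11;
  binding state active;
  hardware ethernet 3c:22:fb:11:22:33;
  client-hostname "kitchen-tablet";
}
lease 192.168.1.77 {
  starts 2 2024/05/07 18:10:40;
  ends 2 2024/05/07 20:10:40;
  binding state active;
  hardware ethernet 6a:1f:0c:9d:44:e2;
  client-hostname "Galaxy-S23";
}
lease 192.168.1.51 {
  starts 2 2024/05/07 17:00:00;
  ends 2 2024/05/07 19:00:00;
  binding state free;
  hardware ethernet 3c:22:fb:11:22:33;
}
"""

# Constructed allowlist; the equivalent of the static mappings behind
# pfSense's "deny unknown clients" option.
KNOWN_DEVICES = {
    "3c:22:fb:11:22:33": "kitchen-tablet",
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = {
    "state": re.compile(r"binding state\s+(\w+);"),
    "mac": re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});"),
    "hostname": re.compile(r'client-hostname\s+"([^"]*)";'),
}


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    state: str


def parse_leases(text):
    """Return one Lease per IP. dhcpd appends records, so a later block for
    the same IP supersedes an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = FIELD_RE["mac"].search(body)
        if not mac:
            continue  # abandoned or partial records carry no hardware line
        state = FIELD_RE["state"].search(body)
        host = FIELD_RE["hostname"].search(body)
        leases[ip] = Lease(
            ip,
            mac.group(1).lower(),
            host.group(1) if host else "",
            state.group(1) if state else "unknown",
        )
    return list(leases.values())


def is_locally_administered(mac):
    """Bit 1 of the first octet set: randomized/privacy MACs use this range,
    vendor-assigned OUIs do not."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def audit(text, known):
    """Active leases whose MAC is not in the allowlist, tagged when the MAC
    looks randomized."""
    findings = []
    for lease in parse_leases(text):
        if lease.state != "active" or lease.mac in known:
            continue
        findings.append({
            "ip": lease.ip,
            "mac": lease.mac,
            "hostname": lease.hostname,
            "randomized_mac": is_locally_administered(lease.mac),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LEASES, KNOWN_DEVICES):
        tag = " (locally administered: likely randomized)" if f["randomized_mac"] else ""
        print(f"unknown device {f['mac']} at {f['ip']} hostname={f['hostname']!r}{tag}")
```

Run it against the real lease file on a schedule and hand the findings to whatever notifier you already have; it gives the "tell me when something new shows up" half of the original question, while the allow/deny half still has to come from a static mapping or a captive portal, since a spoofed MAC that matches the allowlist is indistinguishable here.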
@menethoran I'm not sure I understand where you are going with that idea…
I have very little experience with the captive portal, so I don't think I can support you much on which limitations it imposes.
-
@keyser no worries. Just know that you kicked me in a direction I hadn't thought of which will essentially accomplish the same end goal.
Long version:
So, I have an authenticator in front of my proxy. All traffic coming into the network MUST pass through that proxy.
I can share the login/password (say, a randomly generated nonsensical name/number/special character along with the same for a password, each 16 digits long) to get past that authenticator. After the authenticator page (which can issue a long-lived token), they would be presented with a secondary captive portal to sign in to the network. (I can have the authenticator email me on failed login attempts, or successful ones, or whatever.) This essentially accomplishes the same thing (being notified when someone new accesses the network).
Short version: I can hide a captive portal behind an authenticator and have the authenticator email me on new logins.
-
@menethoran Interesting idea. May I ask which/what authenticator product you are using, and where that software is running, in order to allow/disallow access to the pfSense captive portal?
-
@keyser the authenticator application is called Authelia. All incoming traffic passes through pfSense, then the majority goes to my NAS, which runs several applets. One of them is Traefik, which acts as the network's proxy server. All apps are resolved internally via pfSense (so when I go to audiobooks.mywebsite.org internally, it doesn't leave the network). Anyway, that's separate from this.
A captive portal is just a webpage that requires authentication of some kind to proceed to connection. I'm just creating an airlock system in my network that also notifies me of new connections. It's essentially nothing fancier than what is effectively two captive portals, wherein you can't reach the second without passing through the first.
All of this was pretty well explained above. And repeatedly.