Captiv portal and vouchers integration with ssid on wlc 9800
-
@Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:
I have Cisco WLC configured and redirections to http://10.223.103.230:8002/index.php?zone
You shouldn't be doing anything with captive portal on your wlc if you want pfsense to handle it - if your wifi devices are on a different network, then set up the captive portal on that network in pfsense.
-
@johnpoz How should I reach the captive portal over wifi if I don't put a redirect on the SSID on the WLC to http://10.223.103.230:8002/index.php?zone=CaptivPortal& ?
-
@Jozy your wifi should just connect to a wired network on pfsense. No captive portal in your wlc - just set up an SSID, and have your clients connect..
Their dhcp should come from pfsense. On whatever network this is - set up the pfsense captive portal on that network.
-
@johnpoz I have wlc where all access points are added and managed by wlc.
So, what would be the right setup? Since it is a virtual machine, where would the L3 interface be, on my network L3 router?
For example, if I have the range 10.223.103.0 for DHCP, the LAN address on pfsense is 10.223.103.10.
Anyway, I have to configure L3 and the VLAN on the trunk and WLC to have access to that DHCP once I try to establish a connection over the SSID, right?
In that case I should configure the LAN IP address as my DHCP relay, right?
-
@Jozy that is fine, you use the wlc to control your wifi; why not just use the captive portal features in the wlc? But if you want to leverage the captive portal in pfsense then the clients need to be on the same L2 network as a pfsense interface.. How they get DHCP, be it from your wlc or pfsense, doesn't really matter.. But they need to be on the pfsense network.
-
@johnpoz we want to use the pfsense captive portal due to the vouchers which can be generated on pfsense.
Currently they are on the same L2 network; the only difference is that DHCP is on a Windows server and clients get an IP address from that range, but the WLC redirection to the pfsense captive portal is not working.
-
@Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:
dd from that range but wlc redirection to pfsense captiv portal not working
What part are you not understanding??? If the clients are on a pfsense network, they have to point to pfsense as their gateway. Your captive portal would be set up on pfsense on the network the clients are on.. There would be no redirection or setup of any captive portal at all in your wlc.
-
@johnpoz I'm not talking about setting up any captive portal on the WLC, but the WLC is the controller for all access points, so the WLC is the place where the SSID is configured and there is a policy where you configure your clients to use the pfsense captive portal.
So, I don't understand if I need to have L3 configured on the router; there are some details missing but I don't know what? :)
What is the right configuration, step by step?
-
@Jozy who cares what sets up the wifi; it doesn't matter if it's a wlc that manages multiple APs, a stand-alone AP or some wifi router being used as an AP.
When it comes down to it the AP is a bridge from your wifi to your wired network..
You have a network 192.168.100.0/24 -- your wifi clients are on this 192.168.100.0 network.. When they try and go to the internet via pfsense at, say, 192.168.100.1, the pfsense captive portal says hey, you need to auth.
That is all there is to it.. Whatever gets your wifi client onto this network is not part of this process..
Yes you need to have an L3 on pfsense - how else would it route traffic for your wifi clients that are on this network??
If you want devices to use pfsense as the captive portal - they should use pfsense as their gateway, and DNS most likely too. If pfsense is not the gateway off this network it has zero to do with controlling anything else on the network.. It can only control who can talk to it to go to some other network.. So yes it needs an L3, and these clients need to be on this same L2/L3 network if you expect to use pfsense as a captive portal.
-
@johnpoz I have configured DHCP on pfsense and clients get an IP address from the range "10.223.160.0/24".
When trying to ping outside from that interface I can't, pictures below.
From other interfaces it works fine:
Whatever NAT or rule I configure, it doesn't have access to the outside.
Second thing is:
When the PC gets an IP address over DHCP it can go to the captive portal in case I manually type the URL of the captive portal, but when trying to connect to the CP over WiFi it is not working.
Anyway, when I remove the redirections from the WLC and try to connect to WiFi it doesn't redirect me to the CP anymore.
WiFi on pfsense - 10.223.160.229
DHCP for clients and the gateway is 10.223.160.229 as well?
-
@Jozy are your clients using pfsense as DNS? Did you create rules on your interface to allow internet? What NAT rules - did you edit your outbound NAT to not be auto?
First thing I would do is make sure your connection is working before attempting to enable the captive portal.
That redirection sure doesn't look correct - where did that 192.0.2.1 come from? Are you still trying to redirect in the wlc? That sure doesn't look like a pfsense captive portal setup.
-
@johnpoz Yes, after changing the NAT rule to the below it started pinging outside.
Hybrid Outbound NAT rule generation.
(Automatic Outbound NAT + rules below)
Anyway, when I get an IP address over WiFi on my cell phone or PC over DHCP from pfsense I cannot ping 10.223.160.229, which is the interface for WiFi configured on pfSense, but when I get an IP address over DHCP on the wired network I can ping 10.223.160.229.
Btw, I can't ping the default gateway as well, even if I can ping 8.8.8.8 from the LAN interface.
Regarding 192.0.2.1, it is mandatory since if I don't configure it, it redirects me to the WLC captive portal.
It is very weird that I have to use redirection on the WLC to the pfSense captive portal. Shouldn't pfSense be the one to do it if DHCP is configured there?
-
@Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:
It is very weird that I have to use redirection on WLC to pfSense Captive Portal.
YOU DON'T! You should not set any web auth anything on this SSID you set up in the wlc.
If your client that gets an IP on this network cannot ping the pfsense IP on that interface - what are the rules you set up on that interface in pfsense?
-
@johnpoz
Rules below
I disabled web and can see that there is no redirection.
"You said - You should not set any web auth anything on this ssid you setup in wlc." Yes, I know, but in case I don't set any web auth it redirects to nowhere.
I don't know if it is possible to set up to work, since Cisco maybe has its own rules or incompatibility with ?
If you know anyone who already did this??
-
What / why is this?
Btw: don't use things (devices) or rules like this that no one else has ever tried.
Use proven methods.
-
@Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:
I don't know if it is possible to set up to work, since Cisco maybe has its own rules or incompatibility with ?
Nonsense - it can clearly set up an SSID that just connects to the network with no auth - just an open network.
Normally when you run a captive portal the connection to the wifi is open, and the user auths with the captive portal.
Maybe this would be a good video for you to watch.
And with @Gertjan, why would you set up a port forward???
-
@johnpoz this is just a basic video of how to configure basic/initial things.
I agree with you that it should be just set up the SSID and connect to the network.
I get a DHCP address on both PC and wireless; the PC works somehow and wifi not.
Not sure why I can't ping my pfsense LAN address over wifi but over the wired network it works. There must be some other rule or permission on the WLC or somewhere which doesn't send the echo reply or something.
I'm tired, seems I will look for some other solution.
-
@Jozy again, what rules do you have on this pfsense interface? What makes more sense: the wlc doing some odd firewalling thing when it's just an AP when it comes down to it, or you having no rule to allow ICMP on pfsense, which, when you create a new interface, has zero rules on it.
Create your simple wifi setup and do not enable the captive portal on pfsense yet for this network. Make sure you have rules on this interface that allow what you want. I would start with an any any rule.
Make sure that works, you can ping the pfsense IP, you can surf the internet, etc..
Then enable the captive portal.
To pfsense there is zero difference between a wireless client or a wired client - because to pfsense they come in on a wire.
-
@johnpoz this is what I sent earlier: interface OPT1 with any any.
It is the same, with or without the captive portal enabled.
The thing is, as you said, I agree with you that the WLC has some restrictions and I should bypass them, but what?
-
@Jozy so you're saying you can browse the internet through pfsense, but it doesn't answer ping?
And those are the only rules you have for this interface - do you have any rules in floating?
On your client when you try and ping the pfsense IP, do you see the MAC in the ARP table?
Do you have some ACLs set on your WLC - why would you block ICMP??
If your MAC shows up and you say you can get internet through pfsense.. I would do a simple packet capture on that OPT1 interface while you are pinging.. If you do not see the ping - then yeah, you have something blocking it between the client and pfsense. If you see the pings but just no answer, then that points to a floating rule in pfsense blocking it.. Or some weirdness with the mask or something, but it seems unlikely that internet through pfsense would work then.
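The packet-capture check described above, turned into a small script as an added example (not from the thread or from pfSense itself): it reads `tcpdump -n` ICMP lines from the pfSense wifi interface and sorts the capture into the three outcomes johnpoz lists (client pings never arrive, pings arrive but are not answered, pings answered). 10.223.160.229 is the pfSense wifi address from the thread; the OS interface name em2 behind OPT1, the client address 10.223.160.50 and the sample captures are constructed assumptions.

```shell
# Assumption: pfSense wifi interface address taken from the thread.
PFSENSE_IP="10.223.160.229"

# On pfSense the capture itself would be taken with something like
# (em2 is an assumed OS name for OPT1; shown for reference, not run here):
#   tcpdump -ni em2 icmp and host 10.223.160.229

# classify_icmp_capture reads tcpdump lines on stdin and prints one verdict:
#   no-requests-seen    -> echo requests to pfSense never reach this interface,
#                          so something between client and pfSense drops them
#   requests-no-replies -> pfSense sees the pings but does not answer: look at
#                          floating/interface rules on pfSense itself
#   replies-seen        -> pfSense answers, ICMP works end to end
classify_icmp_capture() {
  local requests=0 replies=0 line
  while IFS= read -r line; do
    case "$line" in
      *"> ${PFSENSE_IP}: ICMP echo request"*) requests=$((requests + 1)) ;;
      *"IP ${PFSENSE_IP} > "*"ICMP echo reply"*) replies=$((replies + 1)) ;;
    esac
  done
  if [ "$replies" -gt 0 ]; then
    echo "replies-seen"
  elif [ "$requests" -gt 0 ]; then
    echo "requests-no-replies"
  else
    echo "no-requests-seen"
  fi
}

# Constructed sample captures in tcpdump -n output format (not real captures).
# Only pfSense's own test ping to 8.8.8.8 shows up; nothing from the client.
SAMPLE_BLOCKED_UPSTREAM='12:00:01.000000 IP 10.223.160.229 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
12:00:01.010000 IP 8.8.8.8 > 10.223.160.229: ICMP echo reply, id 7, seq 1, length 64'

# Client requests reach pfSense, but no reply ever leaves it.
SAMPLE_DROPPED_ON_PFSENSE='12:00:02.000000 IP 10.223.160.50 > 10.223.160.229: ICMP echo request, id 3, seq 1, length 64
12:00:03.000000 IP 10.223.160.50 > 10.223.160.229: ICMP echo request, id 3, seq 2, length 64'

# Request and matching reply: the interface rules are fine for ICMP.
SAMPLE_WORKING='12:00:04.000000 IP 10.223.160.50 > 10.223.160.229: ICMP echo request, id 3, seq 1, length 64
12:00:04.000500 IP 10.223.160.229 > 10.223.160.50: ICMP echo reply, id 3, seq 1, length 64'

printf '%s\n' "$SAMPLE_DROPPED_ON_PFSENSE" | classify_icmp_capture
```

On a live box, pipe the tcpdump command from the comment into classify_icmp_capture instead of the constructed sample, with -c to stop after a handful of packets.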