Self register and radius authentication?
-
I want to set up the captive portal on the OPT interface and have the users either log in with their current usernames and passwords and authenticate with the RADIUS server, or register as a new user and make an account on the pfSense box (not RADIUS). Then pfSense can check users against the RADIUS server or local database. Can the captive portal do this? Then I want to give the RADIUS users access to the LAN for printing and network browsing and the self-registered users only access to the internet. So basically a campus hotspot for new users and wireless access for faculty and students with RADIUS authentication. Does that make sense?
-
I guess what I want to do is set up two VLANs within pfSense, one for LAN access and the other just web access. Can I do this with pfSense and captive portal?
andy
-
The portal can use RADIUS or the local data file, but not both at the same time.
What you can do is this:
Use the portal on opt1.
Give opt1 this rule:
action pass Interface opt1 protocol tcp Source any Source port range any any Destination any Destination port range HTTP HTTP
This will give users on opt1, after the portal, access to only HTTP.
Then set up a PPTP VPN server on the pfSense box on interface opt1.
Then set these rules for PPTP VPN clients:
action pass Interface PPTP protocol tcp Source any Source port range any any Destination any Destination port range HTTP HTTP
action pass Interface PPTP protocol any Source any Source port range any any Destination lan subnet Destination port range any any
to give VPN clients access to the network on the LAN port and HTTP access to the internet.
Clients on VPN don't have to go through the portal.
note:
The VPN server address you set on the VPN server is not the same as the one that the VPN clients connect to.
If your opt1 IP address is 1.2.3.4, then the VPN clients on the opt1 interface will use 1.2.3.4 as the VPN server address in their VPN software.
After the VPN tunnel is set up, the clients will use the server IP you set in the PPTP VPN server setup.
The VPN server address and the opt1 IP address can't be the same.
The VPN server IP address can't be in the same /28 range as the VPN clients' IP addresses.
VPN server IP address 10.141.250.254 and Remote address range 10.141.250.224 will work.
pfSense will only let you use 16 VPN clients at the same time.
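
A sanity check for the address rules in the note above, as an added example that is not part of the original post. It assumes the client pool is the /28 block containing the "Remote address range" value; the name `check_pptp_plan` is hypothetical.

```python
import ipaddress
from typing import List, NamedTuple


class PlanResult(NamedTuple):
    pool: ipaddress.IPv4Network   # block the VPN clients get addresses from
    max_clients: int              # number of addresses in that block
    problems: List[str]           # empty list means the plan passes


def check_pptp_plan(opt1_ip: str, server_ip: str, remote_start: str,
                    prefix: int = 28) -> PlanResult:
    """Check a PPTP address plan against the rules stated in the note."""
    opt1 = ipaddress.ip_address(opt1_ip)
    server = ipaddress.ip_address(server_ip)
    # Assumption: the client pool is the /28 block that contains the
    # "Remote address range" value, wherever in the block that value falls.
    pool = ipaddress.ip_network(f"{remote_start}/{prefix}", strict=False)

    problems = []
    # Rule from the note: server address and opt1 address can't be the same.
    if server == opt1:
        problems.append(f"server address {server} equals the opt1 address")
    # Rule from the note: server address can't sit in the clients' /28.
    if server in pool:
        problems.append(f"server address {server} is inside client pool {pool}")
    return PlanResult(pool, pool.num_addresses, problems)


if __name__ == "__main__":
    # Constructed plans: the first uses the addresses quoted in the post,
    # the other two each break one of the rules on purpose.
    plans = [
        ("1.2.3.4", "10.141.250.254", "10.141.250.224"),
        ("1.2.3.4", "10.141.250.230", "10.141.250.224"),
        ("1.2.3.4", "1.2.3.4", "10.141.250.224"),
    ]
    for plan in plans:
        result = check_pptp_plan(*plan)
        status = "; ".join(result.problems) or "OK"
        print(plan, "->", result.pool, f"({result.max_clients} clients)", status)
```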
-
Thanks for the info, I will give it a shot…
I guess I would need an access point that can handle VLANs, right? I don't want to deploy two access points at the same location. I have seen several higher-end access points that can handle multiple VLANs, and you can assign a different SSID per VLAN. Or I can get one of these access points, set up multiple VLANs and have one VLAN go to RADIUS auth and the other pass straight to the internet... How does that sound?
andy
-
For what I typed you do not need VLANs.
Every access point can do this; for the access point, the data from normal clients and the VPN clients is the same.
Both are using opt1, but the data of the VPN users is protected in a tunnel between the VPN server and the client, running on top of the normal opt1 IP addresses.
With this you have normal clients surfing using the portal on interface opt1
and the protected clients surfing with a VPN connection to the VPN server of pfSense on opt1.
But the VPN server is also connectable from the LAN or the WAN interface.
The data of normal clients on opt1 everyone can read;
the data of the VPN clients on opt1 is only readable for the VPN server and the VPN client.