Netgate Discussion Forum
    Captive portal, VLANs, lock user to specified "Zone"

      nemanager

      Hello to all.

      I implemented the pfSense Captive Portal on different VLANs (each associated with a dedicated SSID on my wireless system)
      and it works fine (local and RADIUS authentication).

      Each VLAN/SSID has a dedicated Captive Portal Zone (corresponding to one NAS Client, using a different IP) on the same pfSense machine.

      Is it possible to "lock" a user so they can log in only to a specified Zone (NAS Client)?

      E.g.

      Zone01 - VLAN101 - userA, userB, …
      Zone02 - VLAN102 - userC, userD, ...
      ..

      userA and userB cannot log in to Zone02
      userC and userD cannot log in to Zone01

      Thanks ;-)

        cs1

        That's possible with RADIUS authentication. E.g. with FreeRADIUS you can store a custom RADIUS attribute like "Allowed-NAS" with each user and during the authorization phase you can use FreeRADIUS's "unlang" to compare the NAS-Identifier (which should be different for each of your zones) with the Allowed-NAS attribute and reject a user straightaway if they don't match. You can even update the Reply-Message attribute with something like "You're not allowed to log into this zone!" which will be displayed as the error message on the Captive Portal page so that the user immediately knows what went wrong. The manpage of unlang should give you a pretty good idea how to write the comparison code.

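The check cs1 describes, written out as an added example for FreeRADIUS 3.x (this is not cs1's, pfSense's or the FreeRADIUS project's own configuration). It assumes three things that are not in the thread: the custom attribute gets the internal dictionary number 3000, each pfSense zone sends its zone name (Zone01, Zone02) as NAS-Identifier in the Access-Request, and the user passwords shown are placeholders. The three fragments belong in the files named in the comments.

```unlang
# --- /etc/raddb/dictionary (site-local dictionary) ---
# Declare the custom attribute cs1 refers to. Attribute numbers 3000 and
# above are internal to FreeRADIUS and are never sent on the wire.
# The number 3000 is an assumption for this example.
ATTRIBUTE   Allowed-NAS   3000   string

# --- /etc/raddb/mods-config/files/authorize (the "users" file) ---
# Items on the first line of an entry are check items and land in the
# control list, so Allowed-NAS records the only zone each user may use.
# Passwords are placeholders, not real credentials.
userA   Cleartext-Password := "PLACEHOLDER-A", Allowed-NAS := "Zone01"
userB   Cleartext-Password := "PLACEHOLDER-B", Allowed-NAS := "Zone01"
userC   Cleartext-Password := "PLACEHOLDER-C", Allowed-NAS := "Zone02"
userD   Cleartext-Password := "PLACEHOLDER-D", Allowed-NAS := "Zone02"

# --- /etc/raddb/sites-enabled/default, authorize section ---
authorize {
    preprocess
    # ... other modules the site already uses ...
    files            # loads the user's Allowed-NAS into &control

    # Zone check. It runs before any Auth-Type is set, so a user who is
    # known but is on the wrong zone is refused without a password check.
    # Fails closed: a request with no NAS-Identifier is also refused,
    # so a zone that forgets to send one cannot bypass the restriction.
    # Assumes each pfSense zone sends a distinct NAS-Identifier
    # (Zone01, Zone02, ...) in its Access-Request.
    if (&control:Allowed-NAS && (!&NAS-Identifier || (&control:Allowed-NAS != &NAS-Identifier))) {
        update reply {
            # Reply-Message survives the Access-Reject and is shown on
            # the Captive Portal login page as the error text.
            &Reply-Message := "You're not allowed to log into this zone!"
        }
        reject
    }

    # Users without an Allowed-NAS entry fall through unchanged.
    pap
}
```

The `if` block has to sit after whichever module loads the user's attributes (`files` here; `sql` or `ldap` if the users live there), otherwise `&control:Allowed-NAS` is still empty when the comparison runs. If your zones cannot be told apart by NAS-Identifier, the same test works against `&NAS-IP-Address`, since each zone in the original question already uses its own NAS client IP; in that case store the IP instead of the zone name in Allowed-NAS. Rejecting in `authorize` rather than after `pap` also means the log line for the refusal says why the user was refused, which is easier to triage than a generic authentication failure.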
          nemanager

          @cs1:

          That's possible with RADIUS authentication. E.g. with FreeRADIUS you can store a custom RADIUS attribute like "Allowed-NAS" with each user and during the authorization phase you can use FreeRADIUS's "unlang" to compare the NAS-Identifier (which should be different for each of your zones) with the Allowed-NAS attribute and reject a user straightaway if they don't match. You can even update the Reply-Message attribute with something like "You're not allowed to log into this zone!" which will be displayed as the error message on the Captive Portal page so that the user immediately knows what went wrong. The manpage of unlang should give you a pretty good idea how to write the comparison code.

          True.
          I resolved it using an external FreeRADIUS, Huntgroups, Groups and unlang.
          I will update you if I can integrate the solution on the pfSense FreeRADIUS :)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.