Netgate Discussion Forum

    Captive Portal: RADIUS Authentication + VLAN Assignment

    • AppropriateUsername

      Hi all,

      So I have pfSense set up between a router and a switch, with the LAN interface (coming from the router) for devices wishing to connect to the internet or other internal services beyond the switch. I have 3 VLANs (VLAN25, VLAN35, VLAN45) set up on the other side of pfSense, which point to different resources on the network. Now, in order for a user to get access, they would have to go through the captive portal to get authenticated, which I have done via RADIUS and Windows Server 2012. A user in Active Directory belongs to one of 3 groups: Trusted, Untrusted, and Guest.

      Now here's the problem: Right now everyone just goes through VLAN25. Once the user is authenticated via RADIUS on the captive portal, I want to direct that user to the correct VLAN based on what group they belong to (VLAN25-Trusted, VLAN35-Untrusted, VLAN45-Guest) in order to restrict/permit access to services in the network. Is this possible with pfSense? How would I go about doing this task? Would NAT possibly come into play? Any advice would be greatly appreciated.

      Regards,
      Ricky

      EDIT: fixed network layout description

      • Gertjan

        Between the guest (visitor) and pfSense, is there only that (dumb?) switch (or switches) that you mentioned?
        Or are there other devices like APs (meaning Wi-Fi connections)?

        If the first case is true, then answer this question: "how do you - actually: the guest - switch from VLAN to VLAN??". I guess you will find this short answer: No way, they will never do that.


        • AppropriateUsername

          Thanks for the reply. I've attached a diagram of my network to help with the explanation. The switch is not a dumb switch. All users come in from a router from multiple access points. I don't want to switch between VLANs; once you authenticate, you are assigned a VLAN based on what group you belong to in Active Directory.

          pfsenseLayout.PNG

          • jimp, Rebel Alliance Developer Netgate

            By the time they can reach the captive portal, it is too late to switch VLANs based on authentication. They already have an address and are a part of that network, and the firewall can't tell your switch to move them to another VLAN; your switch has to know that directly.

            To assign users to a VLAN based on their login credentials you need 802.1x authentication in your switch, not captive portal or anything on the firewall.


            • AppropriateUsername

              Thanks jimp! Will look into that.

              EDIT: Will FreeRADIUS do the trick? I see you can assign users a VLAN…
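
Added example, not written by any poster in this thread: one way a FreeRADIUS 3.x server can return a per-group VLAN to an 802.1X switch or AP, using the thread's three groups and VLAN IDs. The file path, the use of the ldap module against Active Directory, and the reject message are assumptions.

```conf
# raddb/mods-config/files/authorize  (FreeRADIUS 3.x "users" file)
#
# Assumption: the ldap module is enabled and bound to Active Directory,
# so the LDAP-Group check item resolves AD group membership.
#
# Entries are evaluated top to bottom and the first match wins, because
# none of them sets Fall-Through. The most restrictive group is listed
# first so that an account in several groups lands in the VLAN with the
# least access.
#
# The three reply items are the RFC 3580 attributes an 802.1X
# authenticator reads to place the port or wireless session in a VLAN.

# Guest -> VLAN 45
DEFAULT LDAP-Group == "Guest"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "45"

# Untrusted -> VLAN 35
DEFAULT LDAP-Group == "Untrusted"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "35"

# Trusted -> VLAN 25
DEFAULT LDAP-Group == "Trusted"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "25"

# Fail closed: an account in none of the three groups is rejected
# instead of falling into whatever VLAN the port defaults to.
DEFAULT Auth-Type := Reject
        Reply-Message = "No VLAN policy for this account"

# With PEAP or TTLS the group check runs inside the inner tunnel;
# confirm the Tunnel-* attributes appear in the outer Access-Accept
# (for example with the server in debug mode) before relying on them.
```

The switch ports or access points must act as 802.1X authenticators with dynamic VLAN assignment enabled, and VLANs 25, 35 and 45 must exist on the links toward pfSense. The firewall rules on each pfSense VLAN interface then enforce what each group can reach.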
