User can login with different VLAN on Captive Portal.
-
I have created VLAN183 (for user Guest) and VLAN 182 (for user Doctor), and made two captive portals for them (Services > Captive Portal). Then I made users in (Package > FreeRADIUS: Users > Users).
My question is: how do I configure it so that User A can log in to the captive portal for VLAN183 (Guest) but can't log in to the captive portal for VLAN182 (Doctor)? Thank you. Because their account can log in to two different captive portals :(
Sorry for my English.
-
@ontzuevanhussen said in User can login with different VLAN on Captive Portal.:
How do I configure it so that User A can log in to the captive portal for VLAN183 (Guest) but can't log in to the captive portal for VLAN182 (Doctor)?
I didn't try this out myself, but:
You saw the user settings? There is a VLANID.
(I'm not sure if the context of VLANID is correct here)
Another way to go: you have two captive portal instances, so you are using two NAS clients, right?
The "Advanced Configuration" user settings, like "Additional RADIUS Attributes (CHECK-ITEM)", could be used to check the NAS client before access is granted.
Anyway, didn't check this myself.
-
@Gertjan said in User can login with different VLAN on Captive Portal.:
You saw the user settings? There is a VLANID.
(I'm not sure if the context of VLANID is correct here)
Doesn't work, I have tried this before.
-
Look at the RADIUS requests, the portal zone should be in there somewhere (NAS-Identifier, I think). Make your radius config check that along with the user.
-
I do not have multiple portals, but I could test this:
My "NAS Identifier", to be defined in the captive portal settings, is =
So, it's "CaptivePortal-cpzone1".
I added in the "radcheck" table this line for my user called "x":
Now, when the user "x" logs in, an additional check is made: the NAS-Identifier should be "CaptivePortal-cpzone1", if not: no access.
This should enforce that a user "x" can only login using a specific portal.
Btw: there is no GUI access to add records to the radcheck table. Use classic mysql commands, or a database GUI like phpmyadmin.
If needed, stop the Freeradiusd process in the pfSense GUI, go to console/ssh access, option 8, and launch freeradius with
radiusd -X
This permits you to follow all the radius activity in great detail.
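
The per-portal check described in the post above, modelled as an added example that is not part of the original post or of pfSense/FreeRADIUS itself: it builds a radcheck table with the stock FreeRADIUS SQL schema columns in SQLite, evaluates `==` check items against a request, and lists users that have no NAS-Identifier restriction. The `==` operator, the user "y", the zone name "CaptivePortal-cpzone2", the passwords and the function names are assumptions; the exact row the poster added is not shown on the page.

```python
import sqlite3

# Constructed sample rows (username, attribute, op, value).
# User "x" and "CaptivePortal-cpzone1" come from the post; everything else
# (user "y", the passwords, the '==' operator) is assumed for illustration.
ROWS = [
    ("x", "Cleartext-Password", ":=", "constructed-secret-1"),
    ("x", "NAS-Identifier", "==", "CaptivePortal-cpzone1"),
    ("y", "Cleartext-Password", ":=", "constructed-secret-2"),
]

def make_db(rows=ROWS):
    """Create an in-memory radcheck table with the stock FreeRADIUS columns."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
        "attribute TEXT, op TEXT, value TEXT)"
    )
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?,?,?,?)",
        rows,
    )
    return db

def portal_allowed(db, username, request):
    """Simplified model of check-item matching: every '==' item stored for
    the user must equal the same attribute in the Access-Request.
    Password verification is out of scope here."""
    items = db.execute(
        "SELECT attribute, value FROM radcheck WHERE username = ? AND op = '=='",
        (username,),
    ).fetchall()
    return all(request.get(attr) == value for attr, value in items)

def unrestricted_users(db):
    """Audit query: users without a NAS-Identifier check item are accepted
    by every captive portal zone that uses this RADIUS server."""
    query = (
        "SELECT DISTINCT username FROM radcheck WHERE username NOT IN "
        "(SELECT username FROM radcheck "
        " WHERE attribute = 'NAS-Identifier' AND op = '==') ORDER BY username"
    )
    return [row[0] for row in db.execute(query)]

if __name__ == "__main__":
    db = make_db()
    for zone in ("CaptivePortal-cpzone1", "CaptivePortal-cpzone2"):
        print(zone, portal_allowed(db, "x", {"NAS-Identifier": zone}))
    print("no portal restriction:", unrestricted_users(db))
```

The audit query is the part worth running against a real radcheck table after adding restrictions, since any user it returns can still log in through both portals.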
-
Ok, I am done. I am using OpenLDAP for Authentication Servers. Now everything works fine. This is my configuration:
Now user 'direktur' can login to Captive Portal 'Direksi' but can't login to Captive Portal 'Dokter'.