@stephenw10 Sorry I wasn't clearer. Most like brevity and complain when there are details. The following use case is strictly for the VLAN operation desired:Employee see AP's SSID, "Team" for example. They enter the known password, known by all team peeps. They are presented with the CP (captive portal) challenge for user & pw from pfsense. They have their own user & password on pfSense, and use it to get past the challenge. Once successful, they are on their own, with traffic restricted at pfSense using VLAN firewall rules, like the other VLANs.
Now for each of your questions:
Do you mean simply entering the wifi pass key (WAP2/3)?
Yes. Steps 1 & 2 above.
Or are you using the Unifi captive portal for that?
I was/am not aware that is an option-that is, only entering their unique creds when connecting to AP. I'm fine with that!
If it's the latter then serial captive portals could be a problem.
I see what you mean, like cascading them. No, none of the incomplete/outdated examples I found do that.
Really, as long as each user can log onto the network (VLAN 20) via WiFi, i is a win. I just picked the closest examples I could find, and none are working as the OPs say they do.
P.S. Not that it should matter, but there is no addressable switch in this scenario: just a pfSense box with 2 physical interfaces, and a few APs. They just have user access group restrictions more involved than most.
I hear you can't use the LAN interface if there are VLANs on it by some, but at the moment I can't get the CP credential challenge page to come up once they log into the AP's SSID that matches traffic for VLAN 20.
Seems overly complex, thought about using wpa2-enterprise & freeradius ?