Captive portal, VLANs, lock user to specified "Zone"



  • Hello to all.

    I implemented the pfSense Captive Portal on different VLANs (associated with dedicated SSIDs on my wireless system)
    and it works fine (local and RADIUS authentication).

    Each VLAN/SSID has a dedicated Captive Portal Zone (corresponding to one NAS Client, using a different IP) on the same pfSense machine.

    Is it possible to "lock" a user so that they can log in only to a specified Zone (NAS Client)?

    E.g.

    Zone01 - VLAN101 - userA, userB, …
    Zone02 - VLAN102 - userC, userD, ...
    ..

    userA and userB cannot log in to Zone02
    userC and userD cannot log in to Zone01

    Thanks ;-)



  • That's possible with RADIUS authentication. E.g. with FreeRADIUS you can store a custom RADIUS attribute like "Allowed-NAS" with each user and during the authorization phase you can use FreeRADIUS's "unlang" to compare the NAS-Identifier (which should be different for each of your zones) with the Allowed-NAS attribute and reject a user straightaway if they don't match. You can even update the Reply-Message attribute with something like "You're not allowed to log into this zone!" which will be displayed as the error message on the Captive Portal page so that the user immediately knows what went wrong. The manpage of unlang should give you a pretty good idea how to write the comparison code.
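    As an added illustration of the approach described in this reply (example configuration, not something posted by anyone in the thread), here is what the three pieces look like in FreeRADIUS 3.x: a local dictionary entry for the custom attribute, per-user entries in the users file, and the unlang comparison in the authorize section. It assumes that each pfSense captive portal zone's RADIUS "NAS Identifier" setting is set to its zone name (Zone01, Zone02), that the attribute is named Allowed-NAS as suggested above (its number 3000 is an assumption; the 3000+ range is internal-only and never goes on the wire), and that the passwords are constructed placeholders. The authenticate section is unchanged, so PAP from the captive portal keeps working as before.

```unlang
# --- raddb/dictionary (local dictionary, FreeRADIUS 3.x) ---
# Internal-only attribute: numbers 3000+ are never sent on the wire.
# The name comes from the reply above; the number is an assumption.
ATTRIBUTE   Allowed-NAS   3000   string

# --- raddb/mods-config/files/authorized ---
# ":=" as a check item always matches and stores the value in the
# control list, so it can be read by unlang later. Passwords are
# constructed placeholders; zone names match the captive portal zones.
userA   Cleartext-Password := "change-me-A", Allowed-NAS := "Zone01"
userB   Cleartext-Password := "change-me-B", Allowed-NAS := "Zone01"
userC   Cleartext-Password := "change-me-C", Allowed-NAS := "Zone02"
userD   Cleartext-Password := "change-me-D", Allowed-NAS := "Zone02"

# --- raddb/sites-enabled/default ---
# Minimal authorize section for a PAP captive portal. In the stock
# default site, insert the two "if" blocks right after the "files"
# call, because "files" is what fills &control:Allowed-NAS.
authorize {
    preprocess
    files

    # Fail closed: an account with no Allowed-NAS entry is rejected,
    # so forgetting the attribute cannot silently grant access to
    # every zone.
    if (!&control:Allowed-NAS) {
        update reply {
            &Reply-Message := "No zone assigned to this account."
        }
        reject
    }

    # The zone check itself: NAS-Identifier is what the captive portal
    # zone sends in the Access-Request; compare it with the per-user
    # value and reject on mismatch. Reply-Message survives the reject
    # (it is permitted by the default attr_filter.access_reject) and
    # is shown on the portal page.
    if (&control:Allowed-NAS != &NAS-Identifier) {
        update reply {
            &Reply-Message := "You're not allowed to log into this zone!"
        }
        reject
    }

    pap
}
```

    To verify before pointing pfSense at it, run the server in debug mode with `radiusd -X` and send a request with the "wrong" zone from the FreeRADIUS host, e.g. `printf 'User-Name = "userA", User-Password = "change-me-A", NAS-Identifier = "Zone02"\n' | radclient -x 127.0.0.1 auth <client-secret>`; you should see an Access-Reject carrying the Reply-Message, and the same request with `NAS-Identifier = "Zone01"` should be accepted. Watching the debug output also confirms that the comparison runs after `files` and that `&control:Allowed-NAS` is actually populated, which is the usual mistake when the check appears to "always pass".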



  • @cs1:

    That's possible with RADIUS authentication. E.g. with FreeRADIUS you can store a custom RADIUS attribute like "Allowed-NAS" with each user and during the authorization phase you can use FreeRADIUS's "unlang" to compare the NAS-Identifier (which should be different for each of your zones) with the Allowed-NAS attribute and reject a user straightaway if they don't match. You can even update the Reply-Message attribute with something like "You're not allowed to log into this zone!" which will be displayed as the error message on the Captive Portal page so that the user immediately knows what went wrong. The manpage of unlang should give you a pretty good idea how to write the comparison code.

    True.
    I resolved it using an external FreeRADIUS, Huntgroups, Groups and unlang.
    I will update you if I can integrate the solution into pfSense's FreeRADIUS :)

