Captive Portal Authentication on a Transparent Proxy

  • The question hasn't been asked in a while, and I noticed some people were able to get the system working.

    Here's the idea:

    We have our typical barely-able-to-remember-their-username end user. Now, this user has a pfsense box set up in their house and would like to use squidguard to set up some content filtering. The thing is, they don't have half the knowledge to configure and maintain an explicit proxy. How can we use something simple, like the captive portal, to force everyone to authenticate with a user name? That user name will, of course, be tied to a specific rule list for themselves. Thereby, we get "setup free/maintenance free" user-based content filtering without all the hassle or learning curve.

    User -------> (Captive Portal) -------> (SquidGuard user-based-rules) -------> WAN

    What I've seen:

    From digging around the forum, it's been a popular idea quickly shunted by its logical differences. A transparent proxy doesn't require authentication, but you want to filter based on authentication... what gives? However, there was at least one developer who had the system working. We're thinking just simple content filtering; no strings attached.

    Ideally, we'd work with the user names and have a system working within pfsense natively. If not, what are you guys' thoughts on this:

    1. Captive Portal Login Detected
    2. Username + IP address of connected device is noted (It's available in Status --> Captive Portal so I imagine it wouldn't be hard to get)
    3. Squidguard ACLs are searched to see a corresponding list with a name equal to the user name
    4. Cleanup: If an IP address was added longer than 5 days ago, remove it
    5. IP address of the device used to log in is added to the ACL, thereby enforcing any content filtering for that user
    6. Log date of the event, so it can be removed automatically (thinking about dhcp and people's IP addresses changing)

    Obviously something native is better than writing proprietary code, so I thought I'd ask and see if anyone has a working method. If this should be in proxy, let me know and I'll delete this and cross post it over there.
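
The six steps in the post above, sketched as an added example (not code from the thread or from pfSense). It assumes the captive portal sessions are already available as (user, IP, login time) records and renders squidGuard `src` blocks from them; the function names, the user-name pattern and the sample data are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=5)  # step 4: forget addresses added more than 5 days ago
# Assumption: restrict names to characters that are safe as a squidGuard source name.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")

def record_login(leases, user, ip, now):
    """Steps 1, 2, 4, 5, 6: validate the login, prune old entries, bind ip to user."""
    if not SAFE_NAME.fullmatch(user):
        raise ValueError("user name not usable as a source name: %r" % user)
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on anything but an IP
    # Drop expired entries, and any earlier binding of this IP: after a DHCP
    # change the address must not keep the previous user's rule list.
    kept = [l for l in leases if now - l[2] <= MAX_AGE and l[1] != ip]
    kept.append((user, ip, now))  # the timestamp is the step 6 log entry
    return kept

def render_sources(leases, known_users):
    """Step 3: emit a src block only for users that already have a rule list."""
    by_user = {}
    for user, ip, _seen in leases:
        if user in known_users:
            by_user.setdefault(user, []).append(ip)
    blocks = []
    for user in sorted(by_user):
        ips = " ".join(sorted(by_user[user]))
        blocks.append("src %s {\n    ip %s\n}" % (user, ips))
    return "\n".join(blocks)

if __name__ == "__main__":
    # Constructed sample logins, not real captive portal data.
    t0 = datetime(2024, 1, 1, 12, 0)
    leases = record_login([], "alice", "192.168.1.10", t0)
    leases = record_login(leases, "bob", "192.168.1.11", t0 + timedelta(days=1))
    # The same address logs in again as a different user two days later.
    leases = record_login(leases, "bob", "192.168.1.10", t0 + timedelta(days=2))
    print(render_sources(leases, {"alice", "bob"}))
```

A device whose user has no rule list gets no `src` block, so squidGuard's `default` ACL decides what it can reach; that list should be the most restrictive one.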

  • If you found a solution and a [HOW-TO] with it, I will be pretty happy. I need to conserve internet logs from my guests who will use the captive portal.

    And for now I didn't find a way to do it, so yeah, my message here is to keep myself informed :)

  • Took the entire idea and moved it over to a posted bounty here:

    Anyone interested or finding this thread via search, I imagine it'll be more active there.