Pfsense without NAT
-
pfSense 2.3.2
Squid Transparent
Captive Portal via Windows AD RADIUS
Issue is not being able to log BYOD Internet activity by AD username on Sonicwall/Analyzer.
I have a Dell Sonicwall that I use for my Internet filter and firewall. The Sonicwall can read who is logged in via Active Directory username if users are logged into the domain.
For my BYOD, I use pfsense Captive Portal. The problem is the Sonicwall only reads the WAN IP address for the logs of my BYOD users even though they are authenticating via Windows RADIUS. I assume because the network connections are NAT'ed this is the reason.
To get round this I told my APs (Ubiquiti) to use RADIUS and take pfSense out of the equation. I then set up RADIUS accounting and configured it on the Sonicwall. This would have worked apart from my APs not utilizing the 'Framed IP Address' attribute, which is a bummer considering I have 46 of these APs.
So for the time being, I have my BYOD users logging into the WiFi via 802.1X (RADIUS) with their AD credentials; they then hit the Captive Portal of the Sonicwall and log in via web authentication rather than single sign-on.
Enough waffle
Is there a way of the Sonicwall seeing the BYOD users if pfSense was set up without NAT, so it could log Internet usage by username and not the WAN address of pfSense? I find the pfSense Captive Portal a much cleaner system than using RADIUS.
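The accounting-based mapping the post tried relies on the AP sending Framed-IP-Address (attribute 8) in its Accounting-Request; without it the server learns a username but no address to bind it to. The script below is an added illustration, not code from this thread, pfSense or SonicWall: it builds two constructed Accounting-Requests (RFC 2866 framing, constructed shared secret, username and address), verifies the Request Authenticator, and shows which one yields a user-to-IP binding.

```python
import hashlib
import socket
import struct

ACCOUNTING_REQUEST = 4                 # RADIUS Code for Accounting-Request (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40   # attribute type numbers
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_acct_request(secret: bytes, ident: int, attrs) -> bytes:
    """Constructed Accounting-Request, shaped like what an AP sends to the accounting server."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_acct_request(pkt: bytes, secret: bytes) -> dict:
    """Check the authenticator, then extract user / status / IP from one packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if expected != pkt[4:20]:
        raise ValueError("bad Request Authenticator (wrong shared secret or forged packet)")
    attrs, pos = {}, 20
    while pos + 2 <= length:                      # walk the TLV attribute list
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    ip = attrs.get(FRAMED_IP_ADDRESS)
    return {
        "user": attrs.get(USER_NAME, b"").decode(),
        "status": STATUS.get(struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0], "?"),
        "ip": socket.inet_ntoa(ip) if ip else None,   # None = no address to bind the user to
    }

SECRET = b"example-shared-secret"   # constructed shared secret
# AP that includes Framed-IP-Address: the firewall can bind user -> client IP
GOOD = build_acct_request(SECRET, 1, [
    (USER_NAME, b"jsmith@corp.example"), (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (FRAMED_IP_ADDRESS, socket.inet_aton("10.20.30.40"))])
# AP that omits it (the situation described in the post): identity with no address
BARE = build_acct_request(SECRET, 2, [
    (USER_NAME, b"jsmith@corp.example"), (ACCT_STATUS_TYPE, struct.pack("!I", 1))])

if __name__ == "__main__":
    for p in (GOOD, BARE):
        print(parse_acct_request(p, SECRET))
```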
-
I find the Pfsense Captive Portal a much cleaner system than using RADIUS.
- MS Windows server with RADIUS server role with certificates for wireless clients (company, internal)
- MS Windows server with LDAP server role for wired clients (company, internal)
- pfSense Captive Portal for wireless clients (guests, external)
- pfSense Squid & SquidGuard & SARG to log all their activities
-
Is this possible or am I talking broken biscuits?
For my domain users I push out a certificate from the Sonicwall to all domain computers via GPO so I can utilize DPI-SSL. Could I use this certificate on the pfSense Captive Portal so BYOD users have to accept it when they are presented with the CP? This way I could then capture SSL traffic.