    So I have pfSense set up between a router and a switch, with the LAN interface (coming from the router) for devices wishing to connect to the internet or other internal services beyond the switch. I have 3 VLANs (VLAN25, VLAN35, VLAN45) set up on the other side of pfSense, which point to different resources on the network. Now, in order for a user to get access, they would have to go through the captive portal to get authenticated, which I have done via RADIUS and Windows Server 2012. A user in Active Directory belongs to one of 3 groups: Trusted, Untrusted, and Guest.

    Now here's the problem: Right now everyone just goes through VLAN25. Once the user is authenticated via RADIUS on the captive portal, I want to direct that user to the correct VLAN based on what group they belong to (VLAN25-Trusted, VLAN35-Untrusted, VLAN45-Guest) in order to restrict/permit access to services in the network. Is this possible with pfSense? How would I go about doing this task? Would NAT possibly come into play? Any advice would be greatly appreciated.


  • Between the guest (visitor) and pfSense, is there only that (dumb?) switch (or switches) that you mentioned?
    Or are there other devices like APs (meaning Wi-Fi connections)?

    If the first case is true, then answer this question: "how do you - actually: the guest - switch from VLAN to VLAN?". I guess you will find this short answer: No way, they will never do that.

  • Thanks for the reply. I've attached a diagram of my network to help with the explanation. The switch is not a dumb switch. All users come in from a router from multiple access points. I don't want to switch between VLANs; once you authenticate, you are assigned a VLAN based on what group you belong to in Active Directory.

    By the time they can reach captive portal it is too late to switch VLANs based on authentication. They already have an address and are a part of that network, and the firewall can't tell your switch to move them to another VLAN, your switch has to know that directly.

    To assign users to a VLAN based on their login credentials you need 802.1x authentication in your switch, not captive portal or anything on the firewall.

  • Thanks jimp! Will look into that.

    EDIT: Will FreeRADIUS do the trick? I see you can assign users a VLAN…
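
    The mechanism the thread points at is 802.1X on the switch with the RADIUS server returning the RFC 3580 tunnel attributes in its Access-Accept; the switch (not pfSense) then puts the port or session into that VLAN. The following is an added example, not configuration from the original posts: a FreeRADIUS `users`-file (v3: `raddb/mods-config/files/authorize`) fragment that maps the three AD groups of the thread to VLAN25/35/45. The usernames `alice`, `bob` and `guest1`, the test passwords, and the `LDAP-Group` check items are assumptions for illustration; the group-based `DEFAULT` entries only work once the `ldap` module is configured against the domain controller and group checks are enabled.

```text
# Added example (not from the original thread): dynamic VLAN assignment
# via RFC 3580 attributes. Tunnel-Type VLAN = 13, Tunnel-Medium-Type
# IEEE-802 = 6, Tunnel-Private-Group-Id = VLAN ID as a string.

# --- Per-user entries (hypothetical users and passwords) ------------------
alice   Cleartext-Password := "TrustedPass1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "25"

bob     Cleartext-Password := "UntrustedPass1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "35"

guest1  Cleartext-Password := "GuestPass1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "45"

# --- Group-based entries (assumes the ldap module is bound to AD) ----------
# Matched in order; Fall-Through = No stops at the first matching group.
DEFAULT LDAP-Group == "Trusted"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "25",
        Fall-Through = No

DEFAULT LDAP-Group == "Untrusted"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "35",
        Fall-Through = No

DEFAULT LDAP-Group == "Guest"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "45",
        Fall-Through = No

# Anyone who authenticates but is in none of the three groups gets no
# tunnel attributes; configure the switch so that such a session is
# rejected or lands in a quarantine VLAN rather than the default one.
DEFAULT
        Reply-Message = "No VLAN policy for this account"
```

    Two practical checks. First, the switch port must be configured for 802.1X with RADIUS-assigned VLAN enabled (the command syntax is vendor-specific and is not shown here); without that the attributes are simply ignored and the client stays in the port's native VLAN, which is the situation described in the original post. Second, the same three attributes can be returned by Windows Server 2012 NPS, which the thread already uses for the captive portal, by adding them under the network policy's RADIUS attribute settings, so FreeRADIUS is not required for this to work. In either case the captive portal and NAT play no part: the VLAN is decided before the client has an IP address.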

