Netgate Discussion Forum

Captive Portal: RADIUS Authentication + VLAN Assignment

Category: Captive Portal
5 Posts 3 Posters 2.5k Views
AppropriateUsername
Jun 15, 2017, 1:04 PM (last edited Jun 15, 2017, 1:18 PM)

Hi all,

So I have pfSense set up between a router and a switch, with the LAN interface (coming from the router) for devices wishing to connect to the internet or other internal services beyond the switch. I have 3 VLANs (VLAN25, VLAN35, VLAN45) set up on the other side of pfSense, which point to different resources on the network. Now, in order for a user to get access, they would have to go through the captive portal to get authenticated, which I have done via RADIUS and Windows Server 2012. A user in Active Directory belongs to one of 3 groups: Trusted, Untrusted, and Guest.

Now here's the problem: Right now everyone just goes through VLAN25. Once the user is authenticated via RADIUS on the captive portal, I want to direct that user to the correct VLAN based on what group they belong to (VLAN25-Trusted, VLAN35-Untrusted, VLAN45-Guest) in order to restrict/permit access to services in the network. Is this possible with pfSense? How would I go about doing this task? Would NAT possibly come into play? Any advice would be greatly appreciated.

Regards,
Ricky

EDIT: fixed network layout description
Gertjan
Jun 15, 2017, 2:17 PM

Between the guest (visitor) and pfSense, is there only that (dumb?) switch (or switches) that you mentioned?
Or are there other devices like APs (meaning Wi-Fi connections)?

If the first case is true, then answer this question: "how do you - actually: the guest - switch from VLAN to VLAN??". I guess you will find this short answer: No way, they will never do that.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??
AppropriateUsername
Jun 15, 2017, 3:02 PM

Thanks for the reply. I've attached a diagram of my network to help with the explanation. The switch is not a dumb switch. All users come in from a router from multiple access points. I don't want to switch between VLANs; once you authenticate, you are assigned a VLAN based on what group you belong to in Active Directory.

[Attachment: pfsenseLayout.PNG (network diagram)]
jimp (Rebel Alliance Developer, Netgate)
Jun 16, 2017, 4:03 PM

By the time they can reach captive portal it is too late to switch VLANs based on authentication. They already have an address and are a part of that network, and the firewall can't tell your switch to move them to another VLAN, your switch has to know that directly.

To assign users to a VLAN based on their login credentials you need 802.1x authentication in your switch, not captive portal or anything on the firewall.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
AppropriateUsername
Jun 16, 2017, 4:23 PM (last edited Jun 16, 2017, 7:58 PM)

Thanks jimp! Will look into that.

EDIT: Will FreeRADIUS do the trick? I see you can assign users a VLAN…
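Worked example for the mechanism jimp points at (802.1X on the switch, with the RADIUS server telling the switch which VLAN to apply) and for the last post's question about FreeRADIUS VLAN assignment. This is added illustration, not code from the thread, from Netgate, from pfSense or from FreeRADIUS. What a switch acts on is the RFC 3580 triple in the Access-Accept: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID = the VLAN ID or name, encoded per RFC 2868 with an optional tag byte. The code builds that triple from the poster's group-to-VLAN mapping (Trusted/Untrusted/Guest to 25/35/45), parses it back the way a switch would, and renders the equivalent FreeRADIUS `users`-file reply. Assumptions: all function names, the sample byte strings, and the `Ldap-Group` check attribute in the `users`-file rendering (which check attribute applies depends on how the server is joined to AD). The captive portal plays no part in this exchange: the firewall never sees these attributes, only the switch does.

```python
"""Dynamic VLAN assignment attributes (RFC 3580 s.3.31, RFC 2868 encoding).

Added example; not from the forum thread, pfSense or FreeRADIUS. The
Trusted/Untrusted/Guest -> 25/35/45 mapping is the original poster's; the
function names, sample bytes and the Ldap-Group check attribute are assumed.
"""
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE = 64              # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13         # RFC 3580 values a switch requires
TUNNEL_MEDIUM_IEEE_802 = 6

# AD group -> VLAN ID, as stated in the original question.
GROUP_TO_VLAN = {"Trusted": 25, "Untrusted": 35, "Guest": 45}


def _attr(code: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1) | Length (1, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1-octet Tag (0x00 = unused) + 3-octet value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def _tagged_string(tag: int, value: str) -> bytes:
    """RFC 2868 tagged string: 1-octet Tag + the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return struct.pack("!B", tag) + value.encode("ascii")


def vlan_reply_attributes(group: str, tag: int = 0) -> bytes:
    """Reply attributes to put in the Access-Accept for a member of `group`.
    Raises KeyError for an unknown group so the caller rejects rather than
    falling through to a default VLAN."""
    vlan = GROUP_TO_VLAN[group]
    return (_attr(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, _tagged_string(tag, str(vlan))))


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, length-checked."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        code, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((code, blob[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(blob: bytes) -> Optional[str]:
    """VLAN a switch would apply, or None. Mirrors switch behaviour: all three
    attributes must be present under the same tag, Tunnel-Type must be VLAN
    and Tunnel-Medium-Type must be IEEE-802; anything else is ignored."""
    by_tag: Dict[int, Dict[int, object]] = {}
    for code, val in parse_attributes(blob):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tagged integer must be 4 octets")
            by_tag.setdefault(val[0], {})[code] = int.from_bytes(val[1:], "big")
        elif code == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet <= 0x1F is a tag; otherwise it is the
            # first character of the string (servers may omit the tag byte).
            if val and val[0] <= 0x1F:
                tag, text = val[0], val[1:]
            else:
                tag, text = 0, val
            by_tag.setdefault(tag, {})[code] = text.decode("ascii")
    for _tag, attrs in sorted(by_tag.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]  # type: ignore[return-value]
    return None


def freeradius_users_entry(group: str, group_check: str = "Ldap-Group") -> str:
    """Same reply in FreeRADIUS `users`-file syntax (assumed layout; which
    check attribute matches an AD group depends on the module used to join AD)."""
    vlan = GROUP_TO_VLAN[group]
    return (f'DEFAULT {group_check} == "{group}"\n'
            f'\tTunnel-Type = VLAN,\n'
            f'\tTunnel-Medium-Type = IEEE-802,\n'
            f'\tTunnel-Private-Group-Id = "{vlan}"\n')


if __name__ == "__main__":
    for g in GROUP_TO_VLAN:
        blob = vlan_reply_attributes(g)
        print(g, blob.hex(), "->", assigned_vlan(blob))
        print(freeradius_users_entry(g))
```

Note that `assigned_vlan` returns None for an incomplete or inconsistent triple (for example Tunnel-Type set to a tunnelling protocol rather than VLAN), which is how a switch treats it: the port then stays on its default VLAN, so a misconfigured reply silently lands every user in the same VLAN, exactly the symptom in the original question. Check the switch's 802.1X/RADIUS debug output for the three attributes when testing.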
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.