Captive Portal: RADIUS Authentication + VLAN Assignment

  • Hi all,

    So I have pfSense set up between a router and a switch, with the LAN interface (coming from the router) for devices wishing to connect to the internet or other internal services beyond the switch. I have 3 VLANs (VLAN25, VLAN35, VLAN45) set up on the other side of pfSense, which point to different resources on the network. Now, in order for a user to get access, they would have to go through the captive portal to get authenticated, which I have done via RADIUS and Windows Server 2012. A user in Active Directory belongs to one of 3 groups: Trusted, Untrusted, and Guest.

    Now here's the problem: Right now everyone just goes through VLAN25. Once the user is authenticated via RADIUS on the captive portal, I want to direct that user to the correct VLAN based on what group they belong to (VLAN25-Trusted, VLAN35-Untrusted, VLAN45-Guest) in order to restrict/permit access to services in the network. Is this possible with pfSense? How would I go about doing this task? Would NAT possibly come into play? Any advice would be greatly appreciated.


    EDIT: fixed network layout description

  • Between the guest (visitor) and pfSense, is there only that (dumb?) switch (or switches) that you mentioned?
    Or are there other devices like APs (meaning Wi-Fi connections)?

    If the first case is true, then answer this question: "How do you - actually, the guest - switch from VLAN to VLAN?" I guess you will find this short answer: No way, they will never do that.

  • Thanks for the reply. I've attached a diagram of my network to help with the explanation. The switch is not a dumb switch. All users come in from a router from multiple access points. I don't want to switch between VLANs; once you authenticate, you are assigned a VLAN based on what group you belong to in Active Directory.

  • Rebel Alliance Developer Netgate

    By the time they can reach captive portal it is too late to switch VLANs based on authentication. They already have an address and are a part of that network, and the firewall can't tell your switch to move them to another VLAN; your switch has to know that directly.

    To assign users to a VLAN based on their login credentials you need 802.1x authentication in your switch, not captive portal or anything on the firewall.

  • Thanks jimp! Will look into that.

    EDIT: Will FreeRADIUS do the trick? I see you can assign users a VLAN…
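
With the 802.1X approach from the reply above, the switch learns the VLAN from attributes in the RADIUS Access-Accept. The following is an added example, not code from the thread or from pfSense: it encodes and decodes the RFC 3580 tunnel attributes for the three groups in the first post. The function names are hypothetical, and giving an unmapped group no VLAN at all is an assumption.

```python
# Added example: RFC 3580 VLAN attributes as carried in a RADIUS Access-Accept.
# Function names are hypothetical; the group/VLAN table is from the first post.

T_TYPE, T_MEDIUM, T_GROUP_ID = 64, 65, 81   # RFC 2868 attribute numbers
VLAN, IEEE_802 = 13, 6                      # values RFC 3580 specifies
GROUP_VLAN = {"Trusted": 25, "Untrusted": 35, "Guest": 45}


def _tagged_int(attr, value, tag=0):
    # Type, Length (always 6), Tag, then a 3-byte big-endian value.
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")


def _tagged_str(attr, text, tag=0):
    # Type, Length, Tag, then the VLAN ID written as an ASCII string.
    body = bytes([tag]) + text.encode("ascii")
    return bytes([attr, 2 + len(body)]) + body


def vlan_attributes(group):
    """Encoded attributes for a group, or None when the group is unmapped.

    Assumption: an unknown group gets no VLAN instead of a default one.
    """
    vlan = GROUP_VLAN.get(group)
    if vlan is None:
        return None
    return (_tagged_int(T_TYPE, VLAN) + _tagged_int(T_MEDIUM, IEEE_802)
            + _tagged_str(T_GROUP_ID, str(vlan)))


def decode_attributes(blob):
    """Parse the attributes back, as the switch (authenticator) would.

    Assumes the tag byte is always present, as vlan_attributes() writes it.
    """
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length")
        tag, value = blob[i + 2], blob[i + 3:i + length]
        if attr in (T_TYPE, T_MEDIUM):
            out.append((attr, tag, int.from_bytes(value, "big")))
        else:
            out.append((attr, tag, value.decode("ascii")))
        i += length
    return out
```
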
