Captive portal Questions…



  • ok.. first let me say.. Loving this pfSense!!! used m0n0wall… and loved that.. moved to pfSense.. well... cuz of the features.

    here is where I am. I'd like to try the following

    I have two networks (192.168.15.x and another with multiple VLANS - 10.0.x.x) the 192.168.15.x is purely for internet access..... as a matter of fact it is set up with a wireless access point (Linksys) going to a completely different provider... the other is through a Cisco ASA.

    What I would like to do is use Captive portal (authenticate against AD - RADIUS perhaps)... once a user is authenticated against RADIUS.. assign an IP in the 10.0.x.x range and give those that are authenticated access to internal resources..  (shares, Exchange, etc.). If a user is not authenticated against RADIUS... (local authentication... perhaps located within pfSense) ... they are then shunted over to the 192.168.15.x.. then only have access to the internet over there.. and DO NOT have access to internal resources..

    The ultimate goal is to set up internal wireless nodes in several rooms. Each in turn will be linked to our internal network. I don't want unauthorized users gaining access to internal resources, but do have a requirement to give external people access to the internet.

    My question is... can pfSense do this... can I leverage Captive portal to accomplish this... ?

    Any guidance would be great..

    Thanks in advance
    Hotliner



  • I'm not sure pfsense can do this…  I think you'll need your wireless kit to handle some of this...

    I'm using some 3com access points that support vlan tagging, and I notice there is an option to assign VLAN based on the authentication but I'm not sure how that works...  To authenticate the user it'll need an IP - so I wonder if it'll just change the vlan tag, without changing the IP range(?)

    Because my AP supports different VLANs and SSIDs the way I have the APs setup at the moment, staff get a wifi key they can use - that connects them to a vlan with full access to the normal LAN, then visitors can use the public wifi - but hit the captive portal (so they know the terms etc).  We can also turn authentication on the captive portal on, but from its local user database if we need to / want to.



  • @glued2:

    I'm not sure pfsense can do this…   I think you'll need your wireless kit to handle some of this...

    I'm using some 3com access points that support vlan tagging, and I notice there is an option to assign VLAN based on the authentication but I'm not sure how that works...  To authenticate the user it'll need an IP - so I wonder if it'll just change the vlan tag, without changing the IP range(?)

    Because my AP supports different VLANs and SSIDs the way I have the APs setup at the moment, staff get a wifi key they can use - that connects them to a vlan with full access to the normal LAN, then visitors can use the public wifi - but hit the captive portal (so they know the terms etc).  We can also turn authentication on the captive portal on, but from its local user database if we need to / want to.

    Thanks… I see what you're saying. At the very least I can have wireless access to both.. if I have two nodes in each room.. one public, one private (public on the captive portal, the other authenticating in another way).

    thanks for this..

    Cheers!!!



  • A combination of RADIUS and vendor specific entries can do this… VLANs based on SSID.. Then have them come into an intermediate network where they can access the portal. Cisco definitely can. Linksys can't as far as I know. It's more a dot1x thing than pfSense. By choosing the SSID paired with AD credentials (PEAP), you can have it forced into the network you need, otherwise no access. Then give your users the private SSID, and the guests/visitors/etc the public SSID.

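As an added illustration of the RADIUS-driven VLAN assignment described in the post above (this fragment is not from the thread, from pfSense, or from any of the posters), here is what the RADIUS side can look like in a FreeRADIUS `users` file. The VLAN IDs (10 for the 10.0.x.x staff network, 15 for the 192.168.15.x guest network) and the group name `staff-wifi` are assumptions chosen to match the networks in the first post. One caveat to the wording above: the attributes that carry the VLAN (`Tunnel-Type`, `Tunnel-Medium-Type`, `Tunnel-Private-Group-Id`) are standard RFC 3580 attributes rather than vendor-specific ones, but the access point still has to be the 802.1X authenticator and has to honour them, which is exactly the "Cisco can, Linksys can't" point.

```text
# FreeRADIUS "users" file fragment - added example, not from the thread.
# Assumed: VLAN 10 = staff (10.0.x.x), VLAN 15 = guest (192.168.15.x),
# "staff-wifi" = an AD/LDAP group checked by the ldap module, and an AP
# that acts as 802.1X authenticator and applies RFC 3580 tunnel attributes.

# Staff: PEAP/MSCHAPv2 credentials from AD plus group membership.
# First matching entry wins (no Fall-Through), so staff never reach the
# guest entry below.
DEFAULT  Ldap-Group == "staff-wifi"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 10

# Everyone else who authenticates is dropped onto the guest VLAN, where
# pfSense runs the captive portal on that VLAN interface only and the
# firewall rules allow Internet access but nothing toward 10.0.0.0/8.
DEFAULT
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 15
```

On the pfSense side this only requires the two VLANs to be terminated as separate interfaces, with the captive portal enabled on the guest interface and firewall rules on that interface that permit Internet traffic while blocking the internal address ranges; users who fail authentication entirely get no VLAN at all, which is the "otherwise no access" outcome the post describes.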


  • @Docwyatt2001:

    A combination of RADIUS and vendor specific entries can do this… VLANs based on SSID.. Then have them come into an intermediate network where they can access the portal. Cisco definitely can. Linksys can't as far as I know. It's more a dot1x thing than pfSense. By choosing the SSID paired with AD credentials (PEAP), you can have it forced into the network you need, otherwise no access. Then give your users the private SSID, and the guests/visitors/etc the public SSID.

    Thanks for this..  I know my ASA can't help with this..

