• I'm hoping that someone can help point me in the right direction.

    Here is the situation: I currently have a Captive Portal checking against a freeradius/MySQL. That part is working great. I want to add access points at various places on the network (ok so far) but the problem is I want only a subset of the users to be able to access via wireless. Has anyone done this, or have an idea about what would be the best/most user-friendly approach?

    User A connects to the LAN and his username/password work fine.
    He then connects to wireless, and since he is an authorized wireless user, he is able to connect optimally using the same username/password.
    User B connects to the LAN and his username/password work fine.
    He is not authorized to connect wirelessly, so when connecting via wireless, he is rejected (hopefully with a little note telling what he needs to do to get wireless authorization).

    I want to keep this as a single pfSense-box solution and have very little (if any) flexibility in re-cabling.

    I'm currently looking into FreeRADIUS user groups and separate VLANs for access points and LAN ports, but I'm not sure if this is the best (or even a viable) option.

    Any ideas?

  • I'll go ahead and reply to myself…

    It seems that Captive Portal doesn't work on multiple VLANs (please let me know if this is incorrect), so my original plan doesn't work. I was able to get FreeRADIUS to do PEAP authentication against the Captive Portal database, using username/password wireless authentication and groups. That seemed to work fine, except for the overly difficult wireless setup (it only takes 30 seconds, but is too involved for non-technical users).

    Next step would be to add a second Captive Portal box (only CP). Unfortunately this gives me double NATting, but allows me to differentiate the two different networks and still run Captive Portal on both. This also creates a traffic shaping problem, but slower WLAN traffic is acceptable.

    This all requires that I can get VLANs to all the wireless boxes, but I think I can manage that.

    *As a side note, my preview text comes up as white-on-white unless I specifically choose a color.
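    The group-based restriction discussed above, written out in FreeRADIUS's standard `huntgroups`/`users` file syntax, as an added example that is not from this thread or from the pfSense package's own generated configuration. It assumes one access point at the constructed address 192.0.2.10, an SQL group named "wifi" for users allowed on wireless, and that the `files` module runs in the authorize section alongside `sql`.

    ```text
    # huntgroups: tag requests by the NAS (access point) they arrive from.
    # 192.0.2.10 is a constructed example address for the wireless AP.
    wireless    NAS-IP-Address == 192.0.2.10

    # users: requests tagged "wireless" whose user is NOT a member of the
    # SQL group "wifi" are rejected outright, with a Reply-Message the NAS
    # may pass on. Everyone else (wired captive-portal logins, and wireless
    # users who are in "wifi") falls through to the normal password check
    # against the same MySQL user table.
    DEFAULT Huntgroup-Name == "wireless", SQL-Group != "wifi", Auth-Type := Reject
            Reply-Message = "Wireless access is not enabled for this account; ask the helpdesk to add you to the wifi group."
    ```

    Verify with `radtest` from the AP's address (or with `-d`/`-X` debug output) that a wired-only account is rejected only when the request carries the wireless NAS-IP-Address.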

  • You could make the VLAN separation on the switch itself.
    –> You have a single untagged interface to the switch.
    Traffic from the pfSense is allowed to both groups (wired, wireless).
    Traffic from the groups is only allowed to the pfSense and not to the other group.