Guests + authenticated users and bandwidth control for each

  • Besides my main SSID, I have two additional ones, one for MAC-based RADIUS AAA and the public/guests one--it's been a while since I've had this idea and I'm halfway there--with the help of the Captive Portal, browserless, non-WPA2Enterprise-capable devices get their pass through and it can be shared with the "open" network* cleaning up a bit the Wi-Fi dropdown and with the plus side that authenticated users can get their smart cards, setup devices with a handful of hosts whitelisted (iCloud, Google, Azure...) and further lock the main network to EAP-TLS only.

    I'm already salivating like a cartoon animal; well, I was until I ran into this bump: I don't actually know how to set up dual authentication, meaning authentication and... not.

    I'd like to give guests the usual access, filtered and with just enough bandwidth to stream 720p-ish video without buffering, and authenticated users free rein to do whatever they please. I've only used one other portal solution before, the one included with the wireless AP system (UniFi) -- since there was only one type of user I disabled it altogether so as not to burden people with notices nobody reads anyway, but I had two ways of solving this there: one was using a dedicated guest access account, not really an account but a trial package since UniFi caters to businesses. The other was just whitelisting hosts allowed before authentication, saying so in the splash screen and not authenticating at all. I more-or-less tried that on pfSense but the notification appears automatically--so far I've only tested on Android, I still have iOS to go but these things are usually never a problem on iOS--the shade, or the portal I guess, won't pop up if the notification is ignored but apparently won't go away either.

    Does this approach work here? Pre-AAA whitelisting of hosts. Or should I just give up and go back to separate SSIDs? I haven't merged them yet, but I'm thinking I already did. :/ I did separate a couple of radios and changed their settings on the lower frequency band, and did everything from the custom pages to proper authentication confirmations on the RADIUS servers--there's only the anonymous access piece missing and I'm done.

    I'm way over my head here, but could federation protocols like SAML or OpenID Connect be used to authenticate? I just thought of it.


    *: it's not really that open, it's got very strict firewall rules, controlled DNS, Suricata both ways, no tunnels, HAProxy intercepts and responds to ICMP, awesome to prevent disguised tunnels--I was so tired that day I don't even know how I managed to do it, but back the hell out of it :) I don't want to be liable for something, yet I live next to a small church that draws people on the weekend mornings and y'know... Internet should be free. Where I live there's basically no restrictions or copyright bullies, or even acknowledgement for that matter, but still, that's just a tiny bit of the illegal spectrum.

  • Rebel Alliance

    Let me make a summary:

    • you are using devices like servers that should be MAC authenticated
    • you have regular users that should be authenticated with a regular username/password
    • you also want unauthenticated users to log in on the same captive portal, but with restricted bandwidth
    • you want everyone to use the same pfSense captive portal

    Even if it's not a great idea to merge everyone on the same network (couldn't you use different radios, then different VLANs to pfSense and a different captive portal zone for each radio? That's the reason why captive portal zones have been invented...), it is technically possible to do what you want with pfSense.

    Set up a captive portal. Use "Radius MAC authentication" as the authentication method. Don't set up any bandwidth limit, allow concurrent logins and check "fallback to login page when radius MAC auth fail". Also set up your RADIUS server in the pfSense User Manager.

    Then on the RADIUS server, set up a few users and create one particular user, with username guest and password guest. Set the RADIUS bandwidth attributes for this user (pfSense-Bandwidth-Max-Up and pfSense-Bandwidth-Max-Down; if your RADIUS server doesn't accept them, you can also replace pfSense by WISPr) to some values. pfSense expects to receive these values in kib/s.

    Then create a custom captive portal page: in addition to the original login form, create another form containing two hidden inputs, "auth_user" and "auth_pass", both having "guest" as value. Also add a button (input submit) to this form reading "Please click here to continue as guest".

    This way, you could probably have anonymous guests, logged-in users, and MAC authenticated devices all using the same captive portal and the same RADIUS server.
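As an added illustration of the two-form page described in this answer (not the poster's own code, and not a page shipped with pfSense): the `$PORTAL_ACTION$`, `$PORTAL_REDIRURL$` and `$PORTAL_ZONE$` placeholders and the `accept`, `redirurl` and `zone` field names are assumed to match what pfSense substitutes and expects, so compare them against the default page of your pfSense version before using it. The bandwidth cap itself comes from the RADIUS reply for the guest user, not from anything in the HTML.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Wi-Fi access</title>
</head>
<body>
  <!-- Form 1: regular users (username/password checked against RADIUS).
       $PORTAL_ACTION$, $PORTAL_REDIRURL$ and $PORTAL_ZONE$ are assumed to be
       the placeholders pfSense fills in when it serves the page. -->
  <h1>Sign in</h1>
  <form method="post" action="$PORTAL_ACTION$">
    <input name="auth_user" type="text" placeholder="Username" autocomplete="username">
    <input name="auth_pass" type="password" placeholder="Password" autocomplete="current-password">
    <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
    <input name="zone" type="hidden" value="$PORTAL_ZONE$">
    <input name="accept" type="submit" value="Continue">
  </form>

  <!-- Form 2: guests. Same endpoint, fixed guest/guest credentials, so the
       RADIUS server answers with pfSense-Bandwidth-Max-Up/Down for this user
       and pfSense applies the limit. "hidden" is cosmetic only: anyone can
       read these values in the page source, so the guest account must carry
       no rights beyond the restricted guest policy. -->
  <h2>Or continue as a guest</h2>
  <p>Limited bandwidth, filtered access.</p>
  <form method="post" action="$PORTAL_ACTION$">
    <input name="auth_user" type="hidden" value="guest">
    <input name="auth_pass" type="hidden" value="guest">
    <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
    <input name="zone" type="hidden" value="$PORTAL_ZONE$">
    <input name="accept" type="submit" value="Please click here to continue as guest">
  </form>
</body>
</html>
```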

  • Hey thanks,

    I did think of that but, gotta admit, nowhere near that detailed; that was impressive. I was thinking maybe isolating users at the AP, or I guess NAS, level, then selectively allowing them to communicate somewhere deeper in the network--RADIUS can also control whom they're allowed to talk to if I recall correctly from the NPS screens, right where those settings/attributes you mentioned are added.

    I went to the book to do a little homework on it and realized that for some reason I had forgotten connections don't have the keys that protect WPA2 users' data; not even a passphrase. So it all went south real quick as I started putting two and two together.

    If I had come up with your solution, though, the farthest I would've made it is to leave the credentials there not hidden but pre-filled. Thanks to this crazy idea I had I got back into web design and I gotta say I know way less than I thought I did. Those prête-à-porterpublier site hosts such as Squarespace spoiled me awful. ☹️ I'm still trying your way on a random subnet, not broadcast on the APs, to see if I can create it; just for fun. I don't really need to consolidate SSIDs, it's just that since forever I've wanted this single network capable of doing everything: IDing users on a C portal and magically switching their VLAN even after already having a reservation, or even voluntarily going back to the portal to tell it "now get me to X isolated VLAN", cert-based auth on a browser, all that stuff Passpoint/Hotspot 2.0 lousily touts--which is really none of what I just mentioned but you get the idea. 😂

    UniFi makes it kid's play to create heterogeneous wireless without knowing about the concept of channel interference, but at best it still creates per-use-case networks, like everyone else. Captive Zones, as in more than one, is awesome though; most specialty systems only have the one.

    Maybe on the next gen; they renamed it Wi-Fi 6, which I'm sure you already know. Anyway, thanks a million for your advice!

  • Rebel Alliance

    @umademelosemyusernamepfsense you're welcome :)
    (And btw, it's *prêt-à-porter*)

  • @free4 Yes, when it's to wear or take somewhere. You don't actually take a website with you, it lives on a server, you publish it. :) ⌨

    You made me think though, what if I carry the web server with me, like those early-days iOS file server apps, but I'd still need a browser to access it and even with the browser being on the same device somehow makes me think I'm getting it, that it's still somewhere in a colo. The one thing I think could make me see it differently is if the address bar was 3x as big and read ...://localhost/... . 😂
