Active Directory + multiple VLANs + wireless = need help



  • I'm trying to set up pfSense to serve several functions on a wireless network in a University setting.

    Currently most functions are working flawlessly after reading up on several write-ups in the forums.  DHCP, DNS, Firewall, Shaping, and the rest work flawlessly.

    Unfortunately I can't get the authentication to work properly on the Captive Portal using RADIUS.  Here's the setup:

    • 36 AP's across the campus.  They will be using their own VLAN, but currently just one AP is set up for testing  This works without issue.

    • The AP's go through the Cisco core switch, to the pfSense box on the LAN NIC.

    • The WAN NIC goes back through the core to the modem.  Again, no issue.

    • DNS is forwarded from the ISP's DNS servers

    • Third NIC on the box goes into the core and is set to the server VLAN.  It will ping the other servers without issue, so communication is occurring, tested on the other servers and the pfSense box.

    • 2 Servers, domain controllers, are set up for RADIUS and run Windows Server 2003.  The second is new and untested, but the first is the RADIUS server for the current wireless setup and is tested and working.  (the new design is because we get connectivity drops due to latency in the authentication server/firewall communication.)

    • RADIUS requests never make it to the servers.  The logs on the domain controllers show absolutely no requests sent to them.  pfSense logs show communication was not made.

    The goal: All we need here is a lookup to verify the user exists and to log that their IP, MAC, time, and username.  Nothing special.  This is to prevent any legal issues if someone gets past the firewall and does something stupid and we get letters from the ISP.  I have no care about how the authentication is done, I just need some solution to the issue.  Local user authentication is not really possible considering we're going to be servicing around 8,000 accounts.

    If this is something that will require additional features or whatnot, I'm sure we could post a bounty.  If additional info is needed, I can do that in a heartbeat, as well.

    Thanks, in advance, for any assistance.



  • Never mind.  In constant checking and re-checking I managed to get the auth ports mixed up.  Issue solved and communication is going.



  • tell me how u solve ur problem?



  • Hmm, will not be bad idea to tell us how you manage and what was a problem. This can help to us maybe :-)
    TIA (Thanks in advance)



  • If anyone can tell me the software used to create the walkthroughs on the website I'll actually go ahead and create a full walkthrough.

    Currently I have pfSense running with RADIUS.  The RADIUS is checked against AD using an auth server that is not a domain controller but a domain member.  This is so it'll work so long as any DC remains functional (5 total).  The auth is done in Server 2008 (maybe moving to 2008 R2 soon). 
    Captive Portal is using https.  Wireshark verifies that we can't pick up any sensitive information from logging in.
    Filesharing is blocked using a combo of the traffic shaping along with OpenDNS.
    In the event of legal issues, logs include username, IP assigned, MAC, times, and all the essentials, stored in a RAID 5.

    The setup we're using now is pretty much tailor-made for large-scale wireless deployments, especially at educational institutions.

    As I said, I'll create a walk-through if I can get clarification on how to go about doing it best.


Log in to reply