User can login with different VLAN on Captive Portal.



  • I have created VLAN183 (for user Guest) and VLAN 182 (for user Doctor), and made two captive portals for them (Services > Captive Portal). And then made users in (Package > FreeRADIUS: Users > Users).
    My question is: How do I configure it so that User A can log in to captive portal VLAN183 (Guest) but can't log in to captive portal VLAN182 (Doctor)? Thank you.

    Because their account can log in to two different captive portals :(
    Screen Shot 2020-06-21 at 18.03.00.png

    Screen Shot 2020-06-21 at 18.03.17.png

    Sorry for my English.



  • @ontzuevanhussen said in User can login with different VLAN on Captive Portal.:

    How do I configure it so that User A can log in to captive portal VLAN183 (Guest) but can't log in to captive portal VLAN182 (Doctor)?

    I didn't try this out myself, but :

    You saw the user settings ? There is a VLANID.
    (I'm not sure if the context of VLANID is correct here)

    Another way to go : you have two captive portal instances, so you are using two NAS clients, right ?
    The "Advanced Configuration" user settings, like "Additional RADIUS Attributes (CHECK-ITEM)", could be used to check the NAS client before access is granted.

    Anyway, didn't check this myself.



  • @Gertjan said in User can login with different VLAN on Captive Portal.:

    You saw the user settings ? There is a VLANID.
    (I'm not sure if the context of VLANID is correct here)

    Doesn't work, I have tried this before.


  • Rebel Alliance Developer Netgate

    Look at the RADIUS requests, the portal zone should be in there somewhere (NAS-Identifier, I think). Make your radius config check that along with the user.



  • I do not have multiple portals, but I could test this:

    My "NAS Identifier", to be defined in the captive portal settings, is =

    1b6945d8-442c-4622-9ee0-5b9501e9d7c3-image.png

    So, it's "CaptivePortal-cpzone1".

    I added this line to the "radcheck" table for my user called "x":

    7700a471-d430-4a3e-8899-86c0f3c8394f-image.png

    Now, when the user "x" logs in, an additional check is made : The NAS-Identifier should be "CaptivePortal-cpzone1", if not : no access.

    This should enforce that a user "x" can only login using a specific portal.

    Btw : there is no GUI access to add records to the radcheck table. Use classic mysql commands, or a database GUI like phpmyadmin.

    If needed, stop the Freeradiusd process in the pfSense GUI, go to console/ssh access, option 8, and launch freeradius with

    radiusd -X
    

    This permits you to follow all the radius activity in great detail.
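
Added example, not part of the thread and not code from any poster, pfSense or FreeRADIUS: a sketch of the radcheck row described in the post above and how it ties user "x" to one portal zone. It assumes the stock radcheck column layout, uses SQLite in place of MySQL, and the password, the second zone name "CaptivePortal-cpzone2" and the `authorize()` function (a simplified model of check-item evaluation) are constructed for illustration.

```python
import sqlite3

# Column layout of FreeRADIUS's stock radcheck table (SQLite stands in for MySQL).
SCHEMA = """CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT)"""

# Constructed rows: the password is a placeholder; the second row pins
# user "x" to the zone whose NAS-Identifier is "CaptivePortal-cpzone1".
ROWS = [
    ("x", "Cleartext-Password", ":=", "constructed-secret"),
    ("x", "NAS-Identifier", "==", "CaptivePortal-cpzone1"),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        ROWS)
    return db

def authorize(db, request):
    """Simplified model of check-item handling: ':=' rows set control
    values (the expected password), '==' rows must equal the attribute
    carried in the Access-Request, otherwise the request is rejected."""
    rows = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?",
        (request.get("User-Name"),)).fetchall()
    if not rows:
        return "Access-Reject"          # unknown user
    control = {}
    for attribute, op, value in rows:
        if op == ":=":
            control[attribute] = value
        elif op == "==" and request.get(attribute) != value:
            return "Access-Reject"      # e.g. login came from another zone
    if control.get("Cleartext-Password") != request.get("User-Password"):
        return "Access-Reject"
    return "Access-Accept"

def demo():
    db = build_db()
    base = {"User-Name": "x", "User-Password": "constructed-secret"}
    zones = ["CaptivePortal-cpzone1", "CaptivePortal-cpzone2"]  # 2nd is constructed
    return {z: authorize(db, {**base, "NAS-Identifier": z}) for z in zones}

if __name__ == "__main__":
    for zone, result in demo().items():
        print(f"{zone}: {result}")
```

A user with no NAS-Identifier row in radcheck is still accepted from every zone, so each account that must be confined to one portal needs its own row.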



  • Ok, I am done. I am using OpenLDAP for Authentication Servers. Now everything works fine. This is my configuration:

    Screen Shot 2020-08-08 at 10.44.17.png

    Screen Shot 2020-08-08 at 10.44.28.png

    Screen Shot 2020-08-08 at 10.44.54.png

    Screen Shot 2020-08-08 at 10.55.38.png

    Now user 'direktur' can login to Captive Portal 'Direksi' but can't login to Captive Portal 'Dokter'.

    Screen Shot 2020-08-08 at 10.49.05.png

    Screen Shot 2020-08-08 at 10.49.16.png

