Netgate Discussion Forum

    Implementation

      edon

      Hi everybody,
      This is my first time here and I'd like to know if I can accomplish something like this:

      See attached picture.

      Note: I don't need pfSense to do anything else except for guest access.

      Drawing1.png

        kathampy

        You could simply use WPA2 Enterprise with PEAP MSCHAPv2 on the access points to authenticate against RADIUS. On the iPod/iPhone there is ZERO configuration and no hassle with PEAP MSCHAPv2. Users will directly be prompted for User name & Password when they try to connect to the AP.

          dhatz

          For regular users (listed in some directory, e.g. MS Active Directory) you can use 802.1x to tell the Cisco Wireless Controller to place user X in VLAN VX and user Y in VLAN VY.

          For guests you can use pfSense's vouchers.

            edon

            @dhatz:

            For regular users (listed in some directory, e.g. MS Active Directory) you can use 802.1x to tell the Cisco Wireless Controller to place user X in VLAN VX and user Y in VLAN VY.

            For guests you can use pfSense's vouchers.

            I have everything working; I don't need to do anything with corporate users… I just need to add guest access in their location, which would be open but with web authentication (captive portal). NOTE: I do not have the wireless controller, that's the whole point.
            I don't have WLC because the WGB (bridges can't do HREAP) when they are connected to LWAP (lightweight wireless access points), long story lol.

            I just wanted to know if I can add another SSID in the AP with open authentication, and as soon as people connect to it they should be redirected to the pfSense server which is in my DATACENTER (it can also be a public IP server); after authentication they can access the internet through their DSL on VLAN7.

            I hope I am clear and I hope someone can help me out.

              dhatz

              If I understood your needs correctly, you want the CP / authentication server to be located at a remote site, tunnel all users' pre-auth traffic to it, and after a user gets authenticated his traffic should be bridged locally.

              AFAIK pfSense needs to be "in-line" with traffic for CP to work. This way it can also enforce things like bandwidth limits, firewall policies etc.

                edon

                @dhatz:

                If I understood your needs correctly, you want the CP / authentication server to be located at a remote site, tunnel all users' pre-auth traffic to it, and after a user gets authenticated his traffic should be bridged locally.

                AFAIK pfSense needs to be "in-line" with traffic for CP to work.

                Exactly!!!
                So it can't be done, eh?

                  dhatz

                  Well, there has to be some in-line device that coordinates this type of functionality, unless the WAP itself has what's needed (e.g. some people do the CP functionality in Linux-based APs).

                  If you really want this to be: Cisco LWAPs -> L2 switch -> DSL line, then you'd need to check what options those WAPs offer you.

                    edon

                    @dhatz:

                    Well, there has to be some in-line device that coordinates this type of functionality, unless the WAP itself has what's needed (e.g. some people do the CP functionality in Linux-based APs).

                    If you really want this to be: Cisco LWAPs -> L2 switch -> DSL line, then you'd need to check what options those WAPs offer you.

                    That's how I have it. They are not LWAPs though, not lightweight: Cisco AP - L2 switch - DSL line … I just can't put a CP server in every location; Cisco APs 1200 series don't offer hotspot. Anyhow, thank you for your help.
