• Hi everybody
    This is my first time here and I'd like to know if I can accomplish something like this:

    See attached picture.

    Note: I don't need pfSense to do anything else except guest access.



  • You could simply use WPA2 Enterprise with PEAP MSCHAPv2 on the access points to authenticate against RADIUS. On the iPod/iPhone there is ZERO configuration and no hassle with PEAP MSCHAPv2. Users will directly be prompted for User name & Password when they try to connect to the AP.


  • For regular users (listed in some directory, e.g. MS Active Directory) you can use 802.1X to tell the Cisco Wireless Controller to place user X in VLAN VX and user Y in VLAN VY.

    For guests you can use pfSense's vouchers.


  • @dhatz:

    For regular users (listed in some directory, e.g. MS Active Directory) you can use 802.1X to tell the Cisco Wireless Controller to place user X in VLAN VX and user Y in VLAN VY.

    For guests you can use pfSense's vouchers.

    I have everything working; I don't need to do anything with corporate users. I just need to add guest access in their location, which would be open but with web authentication (captive portal). NOTE: I do not have the wireless controller; that's the whole point.
    I don't have a WLC because the WGBs (bridges) can't do HREAP when they are connected to LWAPs (lightweight wireless access points). Long story, lol.

    I just wanted to know if I can add another SSID on the AP with open authentication, and as soon as people connect to it they should be redirected to the pfSense server, which is in my datacenter (it can also be a server with a public IP); after authentication they can access the internet through their DSL on VLAN 7.

    I hope I am clear, and I hope someone can help me out.


  • If I understood your needs correctly, you want the CP / authentication server to be located at a remote site, tunnel all users' pre-auth traffic to it, and after a user gets authenticated his traffic should be bridged locally.

    AFAIK pfSense needs to be "in-line" with the traffic for CP to work. This way it can also enforce things like bandwidth limits, firewall policies, etc.


  • @dhatz:

    If I understood your needs correctly, you want the CP / authentication server to be located at a remote site, tunnel all users' pre-auth traffic to it, and after a user gets authenticated his traffic should be bridged locally.

    AFAIK pfSense needs to be "in-line" with the traffic for CP to work.

    Exactly!!!
    So it can't be done, eh?


  • Well, there has to be some in-line device that coordinates this type of functionality, unless the WAP itself has what's needed (e.g. some people do the CP functionality in Linux-based APs).

    If you really want this to be: Cisco LWAPs -> L2 switch -> DSL line, then you'd need to check what options those WAPs offer you.


  • @dhatz:

    Well, there has to be some in-line device that coordinates this type of functionality, unless the WAP itself has what's needed (e.g. some people do the CP functionality in Linux-based APs).

    If you really want this to be: Cisco LWAPs -> L2 switch -> DSL line, then you'd need to check what options those WAPs offer you.

    That's how I have it. They are not LWAPs though, not lightweight: Cisco AP - L2 switch - DSL line. I just can't put a CP server in every location; Cisco 1200 series APs don't offer hotspot. Anyhow, thank you for your help.