Per-user/group web content filtering using captive portal?

  • Hello,
    i know it's a bit out of the scope as the captive portal isn't meant for applying filters for the users.

    Still i'm looking forward for a way to accomplish such task.

    Basically i know that it's possible to enable transparent proxy with squidguard on a network where captive portal is enabled, BUT of course as the proxy is transparent, it's not aware of the actual user doing the request, but it only knows the IP address (afaik).

    Do you know if it's possible to customize something, eventually even by using some radius attributes, so that the proxy server is aware of the user?

    i'm also considering to use a proxy server not embedded in pfsense, configured using squid+squidguard or dansguardian and then redirecting the traffic, but i cant seem to figure out how it would be possible to have them recognize the user.

    any suggestion, implementation trick, idea or whatever is really welcome.. just let's brainstorm over it.

    I've seen some commercial solutions that handle this with weird tricks but i really don't know how to reproduce it.

  • Hello,

    good question! but I think that you can, only, filter by ip address. By definition, if it is a transparent proxy, there is no user logs, basically because there is no users!!

    Anyway, it could be interesting to know how to trick it!



  • try squid3-dev, marcelloc has added a feature for captiveportal authentication with non transparent proxy, whit this feature squid now gets the username from captiveportal and content filtering with captiveportal usernames by squidguard is now possible, the only issue is to force the clientsto use proxy and it can be done by using wpad/pac function

    my solution is

    1-use non-transparent proxy
    2-block everything except proxy
    3-force clients to use autoproxy via wpad/pac feature or set browsers to use my proxy manually
    4-so if a client does not configure his browser to use my proxy or not set it to autodedect the proxy, he can not access internet
    5-all the web based software must be configured to use proxy too
    6-use squidguard to apply content filtering by captiveportal usernames

    The one and only problem I am facing is, some java applets(especially games) does not work behind squid, but  it can be solved by adding allow rules for every domain that java wants to connect using firewall rules and aliases, and setting the connection method to "direct connection" in windows java settings

    and also if you have some php skills, you can modify marcelloc's solution in and squid.xml files to be used for transparent proxy too

Log in to reply