Self register and radius authentication?

  • I want to set up the captive portal on the opt interface and have the users either log in with their current usernames and passwords and authenticate with a RADIUS server, or register as a new user and make an account on the pfSense box (not RADIUS). Then pfSense can check users against the RADIUS server or local database. Can the captive portal do this? Then I want to give the RADIUS users access to the LAN for printing and network browsing, and the self-registered users only access to the internet. So basically a campus hotspot for new users and wireless access for faculty and students with RADIUS authentication. Does that make sense?

  • I guess what I want to do is set up two VLANs within pfSense, one for LAN access and the other just web access. Can I do this with pfSense and captive portal?

  • The portal can use RADIUS or the local data file, but not both at the same time.
    What you can do is this:
    use the portal on opt1,
    give opt1 this rule:
    action pass Interface opt1 protocol tcp Source any Source port range any any Destination any Destination port range http http

    This will give users on opt1, after the portal, access to only HTTP.

    Then set up on the pfSense box a VPN PPTP server on interface opt1,
    then set these rules for PPTP VPN clients:
    action pass Interface pptp protocol tcp Source any Source port range any any Destination any Destination port range http http
    action pass Interface pptp protocol any Source any Source port range any any Destination lan subnet Destination port range any any
    to give VPN clients access to the network on the LAN port and HTTP access to the internet.

    Clients on the VPN don't have to go through the portal.

    The VPN server address you set on the VPN server is not the same as the one that the VPN clients connect to.
    If your opt1 IP address is then the VPN clients on the opt1 interface will use in their VPN software as the VPN server address.
    After the VPN tunnel is set up, the clients will use the server IP you set in the VPN PPTP server setup.
    The VPN server address and the opt1 IP address can't be the same.
    The VPN server IP address can't be in the same /28 range as the VPN clients' IP addresses.
    VPN server IP address and Remote address range will work

    pfSense will only let you use 16 VPN clients at the same time.
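
The addressing rules stated in the reply above, as an added example that is not part of the original thread: a Python check of a planned PPTP address layout against those rules exactly as the poster gives them. The helper name `check_pptp_plan` and every address below are constructed for illustration.

```python
import ipaddress

MAX_PPTP_CLIENTS = 16  # limit stated in the reply above


def check_pptp_plan(opt1_ip, server_ip, remote_range_start,
                    clients=MAX_PPTP_CLIENTS):
    """Return a list of rule violations for a planned layout (empty = OK).

    Hypothetical helper: it encodes only the constraints given in the thread.
    """
    opt1 = ipaddress.ip_address(opt1_ip)
    server = ipaddress.ip_address(server_ip)
    # The client pool is the /28 block that contains the remote range start.
    pool = ipaddress.ip_network(f"{remote_range_start}/28", strict=False)

    problems = []
    if server == opt1:
        problems.append("server address equals the opt1 interface address")
    if server in pool:
        problems.append(f"server address is inside the client pool {pool}")
    if clients > MAX_PPTP_CLIENTS:
        problems.append(
            f"{clients} clients planned, limit is {MAX_PPTP_CLIENTS}")
    return problems


if __name__ == "__main__":
    # Constructed sample plans (RFC 1918 addresses, not from the thread):
    # (opt1 address, PPTP server address, remote address range start)
    plans = [
        ("192.168.2.1", "192.168.3.1", "192.168.3.16"),   # valid layout
        ("192.168.2.1", "192.168.2.1", "192.168.3.16"),   # server == opt1
        ("192.168.2.1", "192.168.3.20", "192.168.3.16"),  # server in pool
    ]
    for plan in plans:
        print(plan, check_pptp_plan(*plan) or "OK")
```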

  • Thanks for the info, I will give it a shot…
    I guess I would need an access point that can handle VLANs, right? I don't want to deploy two access points at the same location. I have seen several higher-end access points that can handle multiple VLANs, and you can assign a different SSID per VLAN.

    Or I can get one of these access points, set up multiple VLANs and have one VLAN go to RADIUS auth and the other pass straight to does that sound?


  • For what I typed you do not need VLANs.
    Every access point can do this; for the access point, the data from normal clients and the VPN clients is the same.
    Both are using opt1, but the data of the VPN users is protected in a tunnel between the VPN server and the client, running on top of the normal opt1 IP addresses.

    With this you have normal clients surfing using the portal on interface opt1,
    and the protected clients are surfing with a VPN connection to the VPN server of pfSense on opt1.
    But the VPN server is also connectable from the LAN or the WAN interface.

    The data of normal clients on opt1 everyone can read.
    The data of the VPN clients on opt1 is only readable for the VPN server and the VPN client.