Access only after login…
We have a w2k school network which we plan to migrate over to Linux / samba domain controllers. Each student will have his/her own user account in the DC. In the dorm areas we want to provide internet access only to those who have authenticated against the samba DC.
Can we use pfSense as firewall for the dorm area network and somehow require authentication from the domain controllers to gain internet access through the firewall?
If possible we want to keep only one authentication for both the classroom network and the dorm area internet access.
Which options do we have? Thanks a lot for hints and tips
Sounds like you want the captive portal feature + radius auth.
See http://www.pfsense.com/mirror.php?section=tutorials/cp_config/radius_win2k3.htm for more info.
Thanks a lot,
Seems to be exactly the functionality that I need ;-) Just to confirm, in this scenario the granted (or denied) access covers ALL internet traffic (any port / any service), not just http(s), right?
Now to the tricky part: I hoped to use this in connection with a Linux (Ubuntu) Samba 3 domain controller. Is this possible, and is there a how-to for implementing a similar RADIUS server functionality in a Linux DC?
Thanks again for comments
It does block any traffic from an unauthenticated client. The client has to authenticate first. After that the firewall rules of the interface you run the captive portal on are applied. There is no Samba RADIUS howto available yet, but maybe you want to write it and submit it so we can put it on air at pfsense.com ;)
> There is no Samba RADIUS howto available yet, but maybe you want to write it and submit it so we can put it on air at pfsense.com ;)
;) - point taken. But seriously, does anybody here know about a Radius to Samba HowTo? I haven't found one…
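One way to bridge the captive portal's RADIUS requests to a Samba domain, added here as an illustration rather than taken from this thread or from pfSense's documentation: FreeRADIUS hands the password check to Samba's ntlm_auth via winbind. The domain name SCHOOL, the client address, the shared secret and the file paths are placeholders; it assumes the RADIUS host has joined the Samba domain, winbindd is running, and the captive portal sends plain PAP requests.

```text
# /etc/freeradius/clients.conf -- allow pfSense to query this RADIUS server
client pfsense-dorm {
    ipaddr = 192.0.2.1   # constructed: pfSense interface facing the RADIUS host
    secret = CHANGE_ME   # placeholder; enter the same secret in the captive portal RADIUS settings
}

# /etc/freeradius/modules/ntlm_auth -- ask Samba's winbind to verify the password
# Prerequisite: this host has joined the Samba domain and winbindd is running.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=SCHOOL --username=%{mschap:User-Name} --password=%{User-Password}"
}

# /etc/freeradius/sites-enabled/default -- send PAP requests to ntlm_auth
authorize {
    preprocess
    # A cleartext User-Password means PAP (what the captive portal sends by default)
    if (User-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}
```

Because every dorm user is checked against the same domain accounts, a password change on the DC takes effect for the captive portal immediately, and a disabled domain account loses internet access without any extra step on pfSense.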
Another solution: Somebody suggested that I should use squid authentication. What about pfSense and squid against the Samba domain controller user database?
Squid authentication is not yet included in the squid package though theoretically possible. However, doing it via squid would only affect proxied connections (http, https) and not every connection attempt at any port like the captive portal does.