CP on WAN…

  • Hi,

    I never thought on having CP on the WAN interface ;-)

    We have a pfsense box with WAN, LAN and OPT interfaces.  I need CP authentication for internet access (from AD / radius w2003 server) on both the LAN and OPT interfaces.

    Will I achieve the above goal by setting CP on the WAN interface?

    If the above answer is yes, a few more questions:

    Does it exist a 'silent login' CP option when the user is already logged in to his/hers domain account? I.e. that CP's Radius / AD link acknowledges that the current user has already been authenticated to the domain and hence CP does not need to pop up the logon dialog.

    I understand that CP and schedules do not work together, but can I successfully add a schedule to the LAN interface in the above scenario?  (I don't need any schedule for the opt interface).

    Does CP prohibit any internet traffic until autherticated?

    Will the CP logon dialog pop up when any type / port of traffic to the internet is detected or oo users need to request a http page to force the logon and 'open' the internet portal?

    Thanks for comments on these issues



  • You can have the CP only active on one interface at one time.

    Afaik you can have schedules on LAN if you're running the CP on OPTx.
    But if you're running it on LAN you cannot have schedules on LAN at the same time.

    I dont know if such a "silent login" exists.

    I think it does block anything until authenticated.
    At least antivirus cannot update unless you open a webbrowser and try to access anything to get the authentication pop-up.

  • CP on WAN won't work. You have to enable it on an internal interface and there can only be one interface that has the CP enabled. CP and schedules on different interfaces should work I think though I never have tested this. It will block all traffic until you have authenticated. There is no option to silently pass logged in domain users (unless you add all the macadresses of your domain hosts to the passthrough macs for example). Authentication has to be performed via the CP loginpage which means you have to open a browser for that.

  • @hoba:

    CP on WAN won't work. You have to enable it on an internal interface

    I thought so too, but while skimming through posts I misinterpreted the "when I configure Captive Portal in WLAN interface… " phrase in http://forum.pfsense.org/index.php/topic,8594.0.html as if he meant WAN and not VLAN...

    Anyhow, thanks for the feedback.  So there is no option for a silent login like ISA server does for authenticated users.  I thought there might be a way to retrieve the workstation's current username/password and pass that away to the radius engine for clearence.

    We would be willing to spend some hundred $$s in bounty on a silent CP login on the OPT interface in addition to 'traditional' CP with weblogin on the LAN interface.  Is CP on two interfaces like this really far beyond the possibilities of the current pfsense framework..?

    I don't want to move to ISA Server just because of this :-(



  • I would think it's doable somehow but it's absolutely beyond my scope so I could be wrong. Post a bounty and see what happens and someone more knowledgable than me is thinking about that.

Log in to reply