Captive Portal silent authentication on 2nd interface $500



  • Hi,

    In a school network we have two different subnet interfaces, LAN and OPT.  Our PFsense box is connected to a w2003 RADIUS server.  We want to use the 'normal' CP http login dialog (against RADIUS) on the LAN subnet, which of course works flawlessly.

    However, on the OPT subnet we need a 'silent' login CP against the same RADIUS server.  I.e. that users having logged their notebooks on to the domain should be granted internet access automatically through pfsense without having to log in a second time via CP's web dialog.

    Two obstacles here:

    1. CP currently cannot be used on more than one interface (workaround through VLANs?).

    2. CP need to support 'silent' login, i.e. checking if the workstation's current user is actually logged on to the domain.  M$ ISA server has this feature built in, but I want to avoid using ISA and would gladly spend som bucks to get this to work with pfsense ;-)

    Thanks for comments and suggestions.

    Payment via PayPal.

    regards

    Tor



  • Hi again,

    Are both issues here 'impossible'?

    1. Silent CP log in for users already logged in to a domain

    2. CP running on two interfaces

    If anyone has good knowledge of the CP functionality, please put down some lines about the (im)possibilities (or the lack thereof….)

    regards

    Tor



  • To do the silent CP would require finding what users are logged into the domain and what IP or Mac address they are coming from.

    I searched for a way to see find out who is logged in this is what I found:

    PsLoggedOn
    http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

    Additional Links
    http://www.averageadmins.com/blog/2006/04/11/finding-user-information-remotely/
    http://support.microsoft.com/kb/237282

    Still need to find the user's IP Address or MAC address in order to instruct Captive Portal what computers to allow.



  • Thanks mcrane for the input.

    Any other pfsense gurus who can comment with authority if CP on two interfaces is completely impossible or not..?

    Tor



  • Neither of these tasks are impossible.  Active Directory is just another flavor of ldap, so you could query the AD server directly if needs be.  In fact, the user manager in 1.3 probably already has some of the code you need.  As for making CP work on multiple interfaces, it's definitely possible, although it'd take some coding.  I know that some of the devs are already working on some CP enhancements for someone, maybe this could be folded in.



  • Good to hear, submicron.

    But I understand I shouldn't hold my breath.

    Please post here if you need these features, and - good ideas for solutions are also welcome ;-)

    regards

    Tor


Locked