Author Topic: Captive portal with auth from AD on the WAN side  (Read 515 times)
wizzie
Newbie, Posts: 1
« on: March 02, 2010, 07:42:15 am »

Hi folks, my first post to the forums here.

I was thinking of using PF and captive portal as authentication for the students using wireless in our school.

[student] -> [Wireless] -> [access point] -> [PF+captive portal] -> [AD]
 
<--------------------- LAN --------------->                       <-WAN->

The WAN side of PF is actually the LAN side of our school network and therefore the domain controller with AD is here.
I have set up PF without captive portal and everything works ok. Tried to set up captive portal according to the tutorial about
captive portal (Radius and W2K3). When I try to open a webpage from the LAN side of PF, I'm redirected to the login page of
captive portal, but I get an error when I try to login. The error is that my username or password is incorrect.
I think that the communication between PF and AD isn't working due to firewall rules.

My question is if this is doable and if it's a good idea to do it? What should I do to make it work?

Thanks in advance!

/Wizzie
buraglio
Full Member, Posts: 142
« Reply #1 on: March 08, 2010, 12:05:04 pm »

I've never done this with AD but I did this extensively with RADIUS.  There is no design reason that the auth server can't be outside. If you're concerned with firewall rules, create an allow for all traffic to/from the AD server to test.   
capnsteve
Newbie, Posts: 21
« Reply #2 on: March 08, 2010, 03:42:49 pm »

We do something similar at my university.  However, for security I'd try a different approach:

LAN - Wireless APs
WAN - Actual connection out through modem
OPT1 - Internal network.

This is what I use at this school and it works great.  Just set up a RADIUS server on any machine on the internal network and point the captive portal at it for RADIUS auth.  Setting up IAS is pretty easy, and NPS is even easier if you feel like moving to Server 2008.

Quick note - double check your ports that you're using in IAS.  W2k3 doesn't use the same ports that pfSense does by default and that messed me up for a bit on my first setup.

Combine it with decent traffic shaping and consider Snort to fulfill your "we tried to stop them" legal requirements for p2p prevention.
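As an added example (not code from this thread, from pfSense or from IAS), a small Python check of the RADIUS leg that reply #2's port note and the original post's firewall suspicion both concern: it builds an RFC 2865 Access-Request with PAP password hiding, verifies the Response Authenticator with the shared secret, and reports a timeout separately from an Access-Reject, so a wrong port or a blocked path can be told apart from bad credentials or a mismatched secret. The server address, port, user, password and shared secret are assumed inputs.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}

def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with chained MD5."""
    pw = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator):
    """Client side (what the captive portal sends): User-Name (1) and User-Password (2)."""
    attrs = attr(1, user) + attr(2, pap_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: reply whose Response Authenticator is keyed by the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def check_response(reply, ident, req_auth, secret):
    """Accept a reply only if its identifier and Response Authenticator verify."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return "invalid"
    if hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest() != reply[4:20]:
        return "bad-authenticator"  # shared secret differs between pfSense and the server
    return CODE_NAMES.get(code, "other")

def radius_test(server, port, user, password, secret, timeout=3.0):
    """Send one Access-Request over UDP; retry with the other port (1812 vs 1645) on timeout."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(ident, user, password, secret, req_auth), (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # firewall block, wrong port, or pfSense not registered as a RADIUS client
    return check_response(reply, ident, req_auth, secret)
```

Run it from a host on the same side as pfSense's WAN interface first and then through pfSense itself; a timeout in the second case but not the first points at firewall rules rather than credentials.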