Captive Portal authentication and client pass-through

    #43521

    tag
    Member

    Hi,

    I once had ZeroShell 1.0 beta 12 running as our firewall. I remember it had the ability to use a Captive Portal for controlling user access to the Internet. I also remember it supported LDAP and Kerberos for AD integration, but I never had the use for it. Now I’m looking at various options for implementing just that.

    I can see from the documentation that it is possible to grant access to AD users via the Captive Portal, which is great. However (and here is the question), is it possible to allow Active Directory computers access to the internet without being redirected to the Captive Portal (or auto pass-through), while non-AD computers would be caught in the portal, needing to authenticate with AD user credentials?

    Basically we have an AD domain for our staff with several hundred AD client machines. Many of the staff bring private smartphones, tablets etc. to work, and want to access the Internet, but we need to be able to log what they are doing on the Internet, in case the authorities contact us saying someone behind our public IP did something nasty. Also, guests should be able to use devices of their own. To accomplish this, we wish to hand out AD user accounts (to keep all users in one user DB) that will validate users in a Captive portal, but we don’t want people on AD client computers to have to revalidate to access the Internet, as they already supplied their credentials when logging on to the computer.

    I know of solutions that will allow RADIUS authentication in a Captive Portal and allow certain devices free access, but typically determined by MAC or IP, which isn’t terribly secure and adds an administrative overhead to us sysadmin types, as we have to type all the MAC addresses or IP’s and creating IP reservations on the DHCP server. Preferably, free access would be granted by AD computer account, thus automating administration of free access clients and increasing security at the same time…

    And a bonus question: I see that ZeroShell can act as a syslog server, but if we already have a syslog server can ZeroShell send its logs to another syslog server?

    Thanks

    #52563

    JamesR
    Member

    @tag wrote:

    And a bonus question: I see that ZeroShell can act as a syslog server, but if we already have a syslog server can ZeroShell send its logs to another syslog server?

    I saw the feature in 2.0RC2. I’ve not tried your 1.0 version so I don’t know if it exists.

    #52564

    tag
    Member

    JamesR,

    Thanks for your reply. Actually, I got tired of waiting for replies from somebody with a running system, so I set up a testing network and boxes using 2.0RC2. As a result I can give the following answers to my own questions:

    1. Unchallenged/challenged access to Internet based on Active Directory membership: No, doesn’t appear to be the case. You can grant unchallenged access by IP or MAC, which will leave you with all sorts of administrative and security headaches.

    2. As for send-to-syslog it appears to support it. Will test shortly.

    If anyone knows differently, please correct me.

    Regards.

    #52565

    Peter_H
    Member

    Dear tag,

    how did you bypass the captive portal?

    One user on my network has an Xbox 360 and the Xbox can’t handle the login screen.

    Have identified the MAC address of the xbox.

    Thanks for your help.

    Peter

    #52566

    tag
    Member

    @peter_h wrote:

    Dear tag,

    how did you bypass the captive portal?

    One user on my network has an Xbox 360 and the Xbox can’t handle the login screen.

    Have identified the MAC address of the xbox.

    Thanks for your help.

    Peter

    Peter,

    Sorry, haven’t been alerted to any activity in this thread…

    Anyway, if you haven’t figured it out yet, you go to the “Captive Portal” menu item (v2.0.RC2). On the right-hand side you’ll find a box called “Free Authorized”. Change the context from “Service” to “Client” in the drop-down menu. Click “+” and enter “Description” and “MAC Address”. If your Xbox is running DHCP you’ll want to leave the IP field blank. Don’t forget to click “Save”…

    That ought to allow your Xbox to pass through the Captive Portal without validating. Mind you, I don’t use ZeroShell for this, so there might be something I missed. Hopefully it’ll get you started, if nothing else.

    Regards
