Topic: Captive Portal + Radius + Proxy

menuvirtual

Captive Portal + Radius + Proxy
« on: September 20, 2011, 12:02:51 pm »
Hello, (I'm a newbie to Zentyal)
I have a LAN with XP and Win7 workstations (30).
I need to configure the following situation:
- 5 PCs always access the internet without restrictions
- the other PCs, when they need to access the internet, need to enter a username and password (Captive Portal)

Installed and running: DHCP, Radius, Captive Portal, HTTP Proxy

Problem:
I created a LAN Object (IP-MAC) to fix an IP to the specific PC (the PC gets the correct IP, this works). On the HTTP Proxy I created a policy for that object that always allows access, but the workstation always shows the Captive Portal.

What am I doing wrong?

Thanks

christian

  • Guest
Re: Captive Portal + Radius + Proxy
« Reply #1 on: September 20, 2011, 03:09:47 pm »
I don't know if you do something wrong but for sure you mix 2 different constraints: one is to grant access to some PCs (so this is an IP address based control), the other being to control users (based on login/password) and everything relies on DHCP, meaning you have no control on granted IP unless you allocate IP based on MAC address.

Why don't you rather create groups of users, ask all for authentication and allocate different proxy policies? Is the captive portal mandatory here?
And BTW what's the point with Radius? Radius stands for Remote Authentication Dial In User Service. Where is the remote access in what you describe?

Or there is something I don't understand  :-[

menuvirtual

Re: Captive Portal + Radius + Proxy
« Reply #2 on: September 20, 2011, 03:23:17 pm »
Hello,
Thanks for your reply.
I assigned an IP to the MAC address of the client that I want to have full internet access (by creating an object in Network -> Objects).
DHCP is running, that client IP is a fixed address, everything is OK, the client gets that IP.
In HTTP Proxy -> Object policies, I created one that always permits access to this object.
The problem is that the computer always shows the Captive Portal.
How can I see if the Captive Portal is mandatory?
The objective of the Captive Portal is for users that do not have internet access but sometimes need to download program updates; on that occasion, the section supervisor enters a username and password to grant access to the internet.
How can I do that?
Thanks.

ichat

Re: Captive Portal + Radius + Proxy
« Reply #3 on: September 20, 2011, 05:11:54 pm »
The captive portal works by network object, not by IP object, so to exclude users from your captive portal, connect them to a different network... for example by use of a VLAN... or a completely different switch.

Hope this answers your question.
All tips hints and advices are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk,
I claim absolutely NO responsibility in any way!

menuvirtual

Re: Captive Portal + Radius + Proxy
« Reply #4 on: September 20, 2011, 05:15:24 pm »
OK, understood.

Thanks
« Last Edit: September 20, 2011, 05:17:18 pm by menuvirtual »

vshaulsk

Re: Captive Portal + Radius + Proxy
« Reply #5 on: September 20, 2011, 05:24:51 pm »
Sorry to steal the thread, but is there any way to modify the behavior of the captive portal so that only certain IPs or ranges are forwarded to it??
menuvirtual

Re: Captive Portal + Radius + Proxy
« Reply #6 on: September 20, 2011, 06:09:48 pm »
That is what I need, but apparently it is not possible.

If anybody has an alternative solution, I would appreciate it.

Thanks.

christian

  • Guest
Re: Captive Portal + Radius + Proxy
« Reply #7 on: September 20, 2011, 06:24:04 pm »
The idea behind "captive portal" is to intercept any outgoing communication. So, in principle, the captive portal is deployed at the default gateway.
This means that if you define a proxy (non transparent) authorized only for some users and deploy the captive portal at the default gateway, this should work, from a theoretical standpoint.
That said, I need to look closer at the Zentyal captive portal because I don't know what they did.

menuvirtual

Re: Captive Portal + Radius + Proxy
« Reply #8 on: September 20, 2011, 06:56:28 pm »
Hi,
I tried to do that ("define proxy (non transparent) authorized only to some users and deploy captive portal at default gateway"), but the Captive Portal always catches the client.

Any ideas?

Thanks

christian

  • Guest
Re: Captive Portal + Radius + Proxy
« Reply #9 on: September 20, 2011, 07:04:06 pm »
Because your proxy is at the same IP as your captive portal.
What I explained was, sorry for that, the theoretical view. The implementation is a bit tricky, especially if you want to achieve it with one single Zentyal box.
Give me a couple of days to play with this on my test platform :D

vshaulsk

Re: Captive Portal + Radius + Proxy
« Reply #10 on: September 20, 2011, 07:18:54 pm »
So what you are saying is that I will have to try the following setup:

VLAN1 - Use specific proxy (non transparent) - For all clients on this IP range

VLAN2 - Set up captive portal - from what you are saying these people will not be directed through the proxy, but only through the portal????

christian

  • Guest
Re: Captive Portal + Radius + Proxy
« Reply #11 on: September 20, 2011, 10:08:34 pm »
If you have different VLANs, then the problem is different. I mean the proxy can be transparent or not, this should not have any impact.
I really need to test this.
I suppose the captive portal enables rules at FW level to redirect ports.

vshaulsk

Re: Captive Portal + Radius + Proxy
« Reply #12 on: September 20, 2011, 10:27:51 pm »
I will test it tonight.... I am at the captive portal and proxy level of my setup (I will give the wpad.dat a try tonight as well).

I currently have only one access point working so my guests and my clients are on the same VLAN.

vshaulsk

Re: Captive Portal + Radius + Proxy
« Reply #13 on: September 21, 2011, 02:28:38 pm »
menuvirtual - How are your clients set up?

Are your clients mobile or are they just office computers with some of them needing to use the captive portal?

For instance, on my setup.... I want all guests (usually mobile devices) to go through the captive portal (I have special usernames and passwords set up for guests).... All other clients (mobile or wired) to either bypass the proxy altogether or use the authentication method. My setup is a little different since I have VLANs set up for different domains and access points.

I tried last night to both allow some computers on my guest LAN to go through the captive portal and to bypass it. It worked once this morning, but might have been an error. I pointed my client directly to the proxy port (192.168.1.1:3128) and this let it bypass the captive portal (I have transparent mode OFF). I then left another client in standard mode (no proxy in browser). This client found the captive portal and asked for authorization. However, once authorized the clients could not go to the internet. I think I can solve this problem by opening port 80 for certain IPs or ranges (my guest clients). I still have to try this, but it may possibly work.
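
Added example, not part of the thread and not Zentyal's own rule set: a small first-match model of the gateway filter that reproduces the behaviour reported in the post above (a client pointed at 192.168.1.1:3128 never meets the portal) and audits a rule set for that gap. The rule layout, the exempt and authenticated client addresses and the function names are assumptions made for illustration.

```python
from ipaddress import ip_address

GATEWAY = ip_address("192.168.1.1")           # proxy address quoted in the post
PROXY_PORT = 3128                             # proxy port quoted in the post
EXEMPT = {ip_address("192.168.1.10")}         # constructed: PC allowed without login
AUTHENTICATED = {ip_address("192.168.1.50")}  # constructed: logged in at the portal
TRUSTED = EXEMPT | AUTHENTICATED

def rule(action, dport=None, to_gateway=None, src_in=None):
    """One first-match rule; a field left as None matches anything."""
    return {"action": action, "dport": dport, "to_gateway": to_gateway, "src_in": src_in}

# Assumed model of the observed behaviour: only forwarded port-80 traffic meets the portal.
OBSERVED = [
    rule("ACCEPT", dport=80, to_gateway=False, src_in=TRUSTED),
    rule("PORTAL", dport=80, to_gateway=False),
    rule("ACCEPT", dport=PROXY_PORT, to_gateway=True),  # proxy open to every source
    rule("DROP"),
]

# Same policy with the proxy port gated on the same trust decision as port 80.
HARDENED = [
    rule("ACCEPT", dport=PROXY_PORT, to_gateway=True, src_in=TRUSTED),
    rule("DROP", dport=PROXY_PORT, to_gateway=True),
    rule("ACCEPT", dport=80, to_gateway=False, src_in=TRUSTED),
    rule("PORTAL", dport=80, to_gateway=False),
    rule("DROP"),
]

def decide(rules, src, dst, dport):
    """Return the action of the first rule matching this connection attempt."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if (r["dport"] in (None, dport)
                and r["to_gateway"] in (None, dst == GATEWAY)
                and (r["src_in"] is None or src in r["src_in"])):
            return r["action"]
    return "DROP"

def proxy_gaps(rules, clients):
    """Clients that reach the proxy port without being exempt or authenticated."""
    return [c for c in clients
            if ip_address(c) not in TRUSTED
            and decide(rules, c, str(GATEWAY), PROXY_PORT) == "ACCEPT"]

if __name__ == "__main__":
    lan = ["192.168.1.10", "192.168.1.50", "192.168.1.77"]  # constructed clients
    print(proxy_gaps(OBSERVED, lan), proxy_gaps(HARDENED, lan))
```

In the hardened list the five always-on PCs from the original question would sit in EXEMPT, and everyone else reaches the proxy only after logging in at the portal.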

menuvirtual

Re: Captive Portal + Radius + Proxy
« Reply #14 on: September 21, 2011, 03:19:52 pm »
vshaulsk,
My clients are wired, all in the same IP network, because of the various types of servers that exist on the network.

I need the following solution:
5 PCs full internet access (Web, POP3, https, etc.)
The others (25) access the internet through the Captive Portal (when the supervisor authorizes, for software updates, etc.)
Guests (mobile) through the Captive Portal.

Thanks