Captive Portal Question

[c4rdinal]

Hi,

I have a few questions regarding Captive Portal, I hope you can enlighten me. As follows:

1. Does enabling Captive Portal Service will force all users to authenticate to be able to access the internet? 
2. Using Captive Portal, is it possible to Create an Object (Group of People) and limit their bandwidth usage thru Captive Portal?

Thanks

[masnizar]

From my experience using it in 2.2
1. Does enabling Captive Portal Service will force all users to authenticate to be able to access the internet? 
  In my case yes and you must select which group of users can use the captive portal,Default is all can
2. Using Captive Portal, is it possible to Create an Object (Group of People) and limit their bandwidth usage thru Captive Portal?
  I think you could limit how bandwidth they are consuming in months on the captive portal setting

[c4rdinal]

From my experience using it in 2.2
1. Does enabling Captive Portal Service will force all users to authenticate to be able to access the internet? 
  In my case yes and you must select which group of users can use the captive portal,Default is all can
2. Using Captive Portal, is it possible to Create an Object (Group of People) and limit their bandwidth usage thru Captive Portal?
  I think you could limit how bandwidth they are consuming in months on the captive portal setting

Hi Masnizar,

Thanks for your reply.

1. Does it mean only those I added to the User Group in Captive portal will be able to access the Internet?
The default it all - which means everyone can access the internet, right?

2. Limit bandwidth in month? So the Bandwidth Throttling feature does not apply to Captive Portal?

Thanks

[vshaulsk]

1) The captive portal will authenticate users on which ever interface you assign it on.  In the module it will let you check the interface.  If you only have one interface than all your users will be going through the captive portal.  In your users and group section you can make a group which will contain users that can authenticate in the captive portal.  Under the captive portal module all you need is to select that group.

2) The bandwidth limit you can set/per day or per/wee or per/month.  Once a user who is allowed to authenticate through the captive portal reaches that limit they will get kicked off (from what I understand).  The bandwidth throttling feature still applies to captive portal because that just controls how fast someone can download or upload data.  The bandwithd limit you set in the captive portal is just the max amount of megabytes or gigabytes that user can use up.

At least this have been my experience so far with this module.

[exekias]

Hi,

You can limit bandwidth throttling using Traffic Shaping module, you only need to create rules for the subnet configured in the captive interface.

Best regards

[Escorpiom]

So if I understand the explanation, the captive portal will bind to a network interface.
If the Zentyal box has only one LAN interface, it means that all users have to go trough the captive portal, no exception can be made so that some users have direct Internet access?

If so, would it be possible to create VIRTUAL interfaces in the Zentyal GUI and bind the captive portal to that virtual interface? Or is a physical interface mandatory?
The only solution would be installing another network card and connect all captive portal users to that network interface. 
In my setup, I have fixed users that have unrestricted access to the net (IP+MAC binding), and "guest" users that will have to go trough the captive portal.

Cheers.

[exekias]

@Escorpiom:

You can use VLANs to do this, or if you want, you can add a new ethernet card, but yes, captive portal needs the full interface (virtual or not). In the future we may add a white/black list to captive portal's configuration.

Best regards

[vshaulsk]

Cperez...... I have a question for you !!   I have Vlans and my captive portal is turned on one of those interfaces.  It is actually my wifi.guest domain.  So all guests (wireless connect to that interface).  I make my guests sign out credential when they need access (guest1 password1 ..... etc...)

I also have transparent proxy working currently.  I would like to get away from transparent proxy, but I am not sure how to do this.  Since if I use non-transparent proxy my guests will have to setup their internet connection pointing to the proxy server. I don't want my guests to have to reconfigure their systems. Is there a way to setup captive portal on a virtual interface, have users get authenticated through the portal and than get forwarded to the proxy ?  I figured on the proxy I could setup the wifi.guest subnet to always allow.

[Escorpiom]

@Cperez: A whitelist would be a simple and effective solution, whitelist and add those network objects that may use Internet without authentication/restriction.
Those objects NOT in the whitelist would be required to authenticate against the captive portal. I hope Zentyal devs will implement this!

Cheers. 

[exekias]

vshaulsk,

You can disable transparent proxy and add a port forwarding rule to redirect captive portal users to the proxy. Rest of the users won't be affected by this rule.

Escorpiom,

I have added this feature to our wishlist:

https://trac.zentyal.org/wiki/Document/Development/Wishlist/Module/CaptivePortal

Hopefully we will discuss this at Zentyal Summit and include it for the next release

Best regards

[ankprasanna]

@Cperez: A whitelist would be a simple and effective solution, whitelist and add those network objects that may use Internet without authentication/restriction.
Those objects NOT in the whitelist would be required to authenticate against the captive portal. I hope Zentyal devs will implement this!

Cheers.

Hi
I am new to zentyal. could you give me steps for the whitelist to avoid authentication in captive portal.

Thanks & Regards
Prasanna

[Escorpiom]

Hi
I am new to zentyal. could you give me steps for the whitelist to avoid authentication in captive portal.

Thanks & Regards
Prasanna

It has not been implemented yet as far as I know. Wait for the next version.

Cheers.

[jsalamero]

You can always use a captiveportal.postservice custom hook to add iptables rules that bypass the captiveportal chain for give IP addresses.