MacAuth over Splash Page via external Webserver

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Re:MacAuth over Splash Page via external Webserver [SOLVED]
2020-09-16 14:27:01 - last edited 2020-09-16 20:04:05

@R1D2 

 

I have tested early this morning with the Mikrotik and it works great (but of course not useful for the one-AP-per-site model).

However, I find that when I enable Guest mode, then the splash page from the Mikrotik will also not work, as Guest mode on the APs simply disables forwarding to any private address space and there is no option for me to whitelist an address (unless you know a place in the controller to do it). So the splash page off of the Mikrotik (and for that matter from anything) stops working the moment we enable Guest mode on the SDN controller for the Guest SSID.

 

The supplied demo template does not work at all. We wasted time trying to code that and customize it. TP-link has not been responsive for any template and they tell you the same broken and incomplete documentation. Any solution you can think of where we can have Guest mode plus external portal working?

 

Thanks and very best,

 

 

#12
Re:MacAuth over Splash Page via external Webserver-Solution
2020-09-16 15:37:55 - last edited 2020-09-16 20:03:32

 

dpsguard wrote

However, I find that when I enable Guest mode, then splash page from the Mikrotik will also not work as Guest mode on the APs simply disable forwarding to any private address space and there is no option for me to whitelist an address (unless you know a place in the controller to do it).

 

Do you mean the »Guest Network« setting in Omada Controller? Yes, it enables both, »Client Isolation« for isolating WLAN clients against each other (formerly wrongly called »SSID Isolation« in Omada Controller v2) as well as blocking private IPs (RFC1918). Unfortunately, I could not convince R&D (yet) to re-introduce a »Client Isolation« setting alone, which still could co-exist with the »Guest Network« setting.

 

To unblock the router from the ACL set by »Guest Network« implicitly you can use following »Block« ACL to exclude the IP of the Mikrotik from being blocked in »Exclude Subnets«. The following ACL in Omada Controller unblocks the IP address 192.168.11.1, which is the router's IP running the Captive Portal:

 

#13
Re:MacAuth over Splash Page via external Webserver
2020-09-16 16:30:09

@R1D2 

 

I don't have any gateway, only an AP per site. The only option under Network Security I have is EAP ACL. But I believe, based on your guidance, I can manipulate this to allow access to the Mikrotik router and then block everything else. I will test in a few hours and I will report back, but I am now positive your hint will help me make it work.

#14
Re:MacAuth over Splash Page via external Webserver
2020-09-16 16:51:15

Again, this will not resolve the issue of needing an external portal page at a centralized site, with an AP at each site. The Mikrotik based solution requires L2, so it cannot be used at a central site or up in the cloud.

 

Hopefully TP-link will be able to fix the broken template and then we can simply use that.

 

Very best

#15
Re:MacAuth over Splash Page via external Webserver
2020-09-16 20:03:15

@R1D2

 

The solution works based on your ACL based approach. Basically, I had to disable Guest Network under SSID and then used this ACL to allow access to MT (and the IP of the Splash page server, since MT uses an external webserver to serve login pages) and then disable anything from and to the Guest SSID going to any private RFC1918 networks.

 

This is a good approach for anyone with a local webserver or a local controller.

 

Thanks again and I am marking it as SOLVED.

#16
Re:MacAuth over Splash Page via external Webserver
2020-09-17 06:13:39

@dpsguard, you should leave »Guest Network« enabled if you want isolation of wireless clients against other wireless clients.

 

»Guest Network« is needed b/c it includes »Client Isolation«.

#17
Re:MacAuth over Splash Page via external Webserver
2020-09-17 14:57:13

@R1D2 I don't find any difference with and without Guest network. In both cases, I do have client isolation.

 

I have a rule that permits TCP with source of Guest SSID and destination of an IP group that includes Mikrotik and External Portal server (which actually is also Radius). Then I have a second rule that permits TCP from the IP group of Mikrotik and External Portal server with destination of IPGroup_Any (don't have the option of SSID as destination, I could probably try the Guest subnet itself) and then the third rule is to deny ALL from SSID to the RFC1918 networks IP Group.

 

With above, I cannot ping between guest devices. Without this EAP ACL and with Guest network disabled, I can ping between clients.

 

I am using 4.15 SDN controller. The screenshot you sent might either refer to old controller version or the Gateway router itself. For me, with above setup, everything works the way I need to.

 

Thanks

 

 

#18
Re:MacAuth over Splash Page via external Webserver
2020-09-17 21:11:41 - last edited 2020-09-18 12:23:09

@dpsguard, can't second that. Client isolation is for clients connected to the same WLAN on the same EAP. Traffic between two clients in the same WLAN doesn't leave the EAP on the LAN side and won't go through the router.

 

Regarding firewall entries on the router: rules using IP addresses won't catch any non-IP traffic. IP rules are not enough to completely separate two networks. If you share the same network on two wireless networks you even have the same broadcast domain in both WLANs.

 

For a truly isolated guest network you need to use VLANs. See this HowTo for more information on how to set up a fully isolated guest network (Method 2). There is no difference between Omada Controller v3 and v4 in this respect.

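To make the rule set in the two posts above concrete, here is an added Python model (not from the thread, nor Omada or MikroTik code) of the three EAP ACL rules as dpsguard described them, evaluated first-match over a few constructed frames; the MikroTik address is the one given earlier in the thread, the portal/RADIUS address is assumed. It shows that the rules only ever match IP packets, so an ARP or other non-IP frame falls through untouched, which is the point R1D2 makes about needing VLANs for real isolation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the three EAP ACL rules described in the thread.
# 192.168.11.1 is the MikroTik address from the thread; the portal/RADIUS host is assumed.
MIKROTIK_IP = "192.168.11.1"
PORTAL_IP = "192.168.11.10"   # assumed address of the external portal/RADIUS host
IPGROUP_PORTAL = {MIKROTIK_IP, PORTAL_IP}
IPGROUP_RFC1918 = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Frame:
    ethertype: str               # "ip" or a non-IP type such as "arp"
    from_guest_ssid: bool        # True if a Guest-SSID client sent it
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None  # "tcp", "udp" or "icmp"

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IPGROUP_RFC1918)

def eap_acl(frame: Frame) -> str:
    """First-match evaluation of the three rules; returns permit/deny/unmatched."""
    if frame.ethertype != "ip":
        # IP-address rules have nothing to match against in an ARP or other L2-only frame
        return "unmatched"
    # Rule 1: Guest SSID -> {MikroTik, portal}, TCP only
    if frame.from_guest_ssid and frame.dst_ip in IPGROUP_PORTAL and frame.proto == "tcp":
        return "permit"
    # Rule 2: {MikroTik, portal} -> IPGroup_Any, TCP only
    if frame.src_ip in IPGROUP_PORTAL and frame.proto == "tcp":
        return "permit"
    # Rule 3: Guest SSID -> any RFC1918 destination, all protocols
    if frame.from_guest_ssid and frame.dst_ip is not None and is_rfc1918(frame.dst_ip):
        return "deny"
    return "unmatched"   # left to the EAP's default behaviour (forwarded)

def sample_verdicts():
    """Constructed frames: portal login, guest-to-guest ping, DNS to MikroTik, Internet, ARP."""
    frames = [
        Frame("ip", True, "192.168.11.50", MIKROTIK_IP, "tcp"),      # login page fetch
        Frame("ip", True, "192.168.11.50", "192.168.11.51", "icmp"),  # guest-to-guest ping
        Frame("ip", True, "192.168.11.50", MIKROTIK_IP, "udp"),      # DNS query to MikroTik
        Frame("ip", True, "192.168.11.50", "203.0.113.5", "tcp"),    # public Internet host
        Frame("arp", True),                                           # ARP who-has, no IP header
    ]
    return [eap_acl(f) for f in frames]
```

Note that the third frame shows the rules as written whitelist TCP only, so UDP to the MikroTik (DNS, for instance) is caught by the RFC1918 deny.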
#19
Re:MacAuth over Splash Page via external Webserver
2020-09-18 03:26:45

@R1D2 you are correct as always. I did not pay attention and thought EAP ACL is doing some kind of local ACLs to force all clients to tunnel their traffic through the controller and hence will achieve this client to client isolation, but I did test just a few minutes ago and as you said, I do need Guest Network to really achieve this isolation. The EAP ACL merely overrides to permit whitelisting or overriding this client isolation.

 

Thanks again and stay healthy.

#20
Re:MacAuth over Splash Page via external Webserver
2020-09-18 13:03:27 - last edited 2020-09-18 13:15:44

@dpsguard, there are several situations which must be taken care of to isolate clients in a wired/wireless network:

 

  1. Traffic from a client connected to SSID #1 to a client associated with the same SSID #1 of the same EAP (uses bridging in the WiFi chip, controlled by the »Client Isolation« setting inside the WiFi chip),
  2. traffic from a client connected to SSID #1 to a client associated with a second SSID #2 of the same EAP (uses bridging between the radio interfaces radio0/wl0 and radio1/wl1; »Client Isolation« should take care of this, too),
  3. traffic from a client connected to a SSID of an EAP to a client connected to a SSID of another EAP (uses either switching or routing in the same LAN or between different LANs, controlled by ACLs in the switch or by firewall rules in the router),
  4. traffic from a client connected to a SSID of any EAP to a client connected by wire to the LAN or the WAN if WAN is the local main network (routing, controlled by switch ACLs or firewall rules in the router).

 

Possible solution #1:

»Client Isolation« (and probably an additional ebtables rule for the internal bridge) in the EAP could achieve isolation in wireless networks (situations 1. and 2.). Switch ACLs or firewall rules covering L2 traffic could achieve isolations in the wired network (situations 3. and 4.). Pretty complex IMO, so see possible solution #2 below.

 

Now, the »Guest Network« setting of Omada Controller tries to achieve isolation by implicitly setting »Client Isolation« in the WiFi chip and by defining (invisible!) ACLs in the EAP blocking RFC1918 IPs. At best, this is kind of a »poor man's guest network«, which has no true isolation: non-IP traffic still can pass. I did prove this in the HowTo linked in my previous reply.

 

Possible solution #2:

IMO, the right way to achieve true isolation inside a guest network and between a guest network and the LAN is using a »Client Isolation« setting and VLANs. Client isolation covers bridging inside the EAP's radio and a VLAN covers the wired networks (LAN, GUEST) including the associated wireless networks (SSID for the LAN and SSID for the GUEST network) when using VLAN-mapped Multi-SSIDs.

 

Background info:

A »single click plug'n'play guest network« was demanded by home users in the past, b/c VLANs are not common in home networks. They finally got the »Guest Network« setting in Omada Controller. Nothing wrong with this, but the »Client Isolation« setting should have been retained IMO. Both settings could co-exist.

 

@dpsguard, please can I count your vote for the feature request to re-introduce the »Client Isolation« setting as an own setting in Omada Controller?

 

If so, @Fae, could you please add vote #22 for this feature request? Thanks to you both!

 

 

 

 

 
