Different Authentication on different SSIDs/VLANs
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2018-03-28 22:14:49
Hardware Version : 1.0
Firmware Version : latest
Hi Guys,
I have configured an AC50 with some CAP1750s with 2 SSIDs on different VLANs.
As an example, my AC50 has the IP 192.168.0.253/24 (ManagementNetwork), default VLAN 1, connected to an HP 2530-24.
SSID "Internal" maps to VLAN 10; the controller has 192.168.1.253/24 (ProductivityNetwork).
SSID "Guest" maps to VLAN 11; the controller has 192.168.2.253/24 (Guest-WiFI).
Multiple DHCP servers on the gateway, with all VLANs functional.
Everything works very well, :o but now I want to configure different auth. on the VLANs:
VLAN 10: only WPA/WPA2
VLAN 11: captive portal with voucher auth. (or WebAuth, onkey, whatever)
If I try to connect to VLAN 11, the captive portal captures my device request and tries to redirect to VLAN 1 192.168.0.253, but VLAN 11 is the guest network
and I do not want devices from here in my ManagementNetwork :mad: or elsewhere...
Does anybody know how to resolve this problem??
Is there a way to bind the captive portal to another IP (192.168.2.253)?
greets
TK
Re:Different Authentication on different SSIDs/VLANs
2018-04-16 06:48:48
tx350z wrote
I don't know how else to explain the problem; the built-in portals are tightly integrated into the controller software, bound to a single IP/port, and separated only by URI. That means the controller web UI must be accessible from every VLAN needing access to a portal. This alone is a huge security concern.
Regarding EAP software and AC hardware controllers:
That's only a security problem if you think you would have to open the whole subnet to reach just one IP. But that's not the case and the solution is outlined in the recipe linked above. You just need to set a static route to the controller's IP for the controller/built-in portal. If using VLANs, this requires Inter-VLAN routing, which almost all managed switches in the T1/T2/T3 series do support.
Regarding EAP controller:
The EAP controller binds to INADDR_ANY, so you can just set up another IP (i.e. an IP alias if you have only one interface) on your server to have it listen to more than one IP. I deployed a server in my LAN using two different IPs/interfaces for the controller over a single trunk port. Works fine; the controller can be reached from both VLANs under two different IPs:
[CODE]
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:8043 *:* LISTEN 1384/java
tcp 0 0 *:29811 *:* LISTEN 1384/java
tcp 0 0 *:29812 *:* LISTEN 1384/java
udp 0 0 *:29810 *:* 1384/java
udp 0 0 *:27001 *:* 1384/java
[/CODE]
Using two or more IPs for the server's interface(s) connected to the switch allows you to reach the EAP controller through as many IPs as you define.
But make sure to not use this setup on a Linux system outside an isolated private network w/o firewalling several ports not needed for communication with EAPs. There are indeed security-related flaws related to binding all and every EAPC service to INADDR_ANY. I did report those bugs to TP-Link already and won't go into more detail until this has been fixed by them in v2.6 or v2.7 for Linux.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
Re:Different Authentication on different SSIDs/VLANs
2018-04-17 17:26:29
In my case Easy Smart switches are being used so no inter-VLAN routing can be done by the switches. I agree that you can multi-home a net adapter which just leads to even greater security issues; both those that you mention as well as having every portal exposed to every sub-net.
So, without the ability to bind a specific portal to a specific IP, my recommendation is to roll your own external portal which includes the security features missing from the built-in portals. That is what I am working on now.
Re:Different Authentication on different SSIDs/VLANs
2018-04-19 08:06:00
tx350z wrote
In my case Easy Smart switches are being used so no inter-VLAN routing can be done by the switches. I agree that you can multi-home a net adapter which just leads to even greater security issues; both those that you mention as well as having every portal exposed to every sub-net.
You got me wrong. Multi-homed servers do not introduce security problems, but binding to INADDR_ANY has problems even on a server with a single IP.
Multi-homing can be set up a) with separate subnets, completely unrelated to any other local subnets the host is in, and b) using VLANs on a Linux server (eth0.10, eth0.12 etc.), perfectly supporting a TL-SG108PE/TL-SG108E with VLANs (in fact, I use this fine switch, too, as an edge switch to connect the EAPs to).
If you want to secure the server, block port 1099 for any host except localhost. If you want to try whether official v2.5.3 or whatever you use can run with privilege separation, try to set up the scheme outlined in the README of the tpeap replacement attached as a zip archive below.
File: tpeap.zip
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
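Added example, not code from the thread or from TP-Link: the replies above describe every EAP controller service being bound to INADDR_ANY (the netstat listing in #12) and the advice to block port 1099 for everything except localhost (#14). This script parses such a netstat listing, flags wildcard listeners and any 1099 binding that is not loopback-only, and emits nftables input rules that confine each wildcard port to the VLANs that need it. The sample listing, the VLAN subnets and the per-port allow policy are constructed assumptions for the thread's setup.

```python
import ipaddress
import re

# Constructed sample modelled on the netstat listing quoted in the thread;
# the *:1099 and sshd lines are added to exercise the other two cases.
SAMPLE_NETSTAT = """\
tcp 0 0 *:8043 *:* LISTEN 1384/java
tcp 0 0 *:29811 *:* LISTEN 1384/java
tcp 0 0 *:29812 *:* LISTEN 1384/java
tcp 0 0 *:1099 *:* LISTEN 1384/java
tcp 0 0 192.168.0.253:22 *:* LISTEN 812/sshd
udp 0 0 *:29810 *:* 1384/java
udp 0 0 *:27001 *:* 1384/java
"""
MGMT_VLAN = ipaddress.ip_network("192.168.0.0/24")   # VLAN 1: EAPs and admins
GUEST_VLAN = ipaddress.ip_network("192.168.2.0/24")  # VLAN 11: portal clients
# Assumed policy: guests reach only the web/portal port, EAP adoption ports
# are management-only, and the 1099 RMI port must stay localhost-only.
ALLOWED = {8043: [MGMT_VLAN, GUEST_VLAN], 29810: [MGMT_VLAN],
           29811: [MGMT_VLAN], 29812: [MGMT_VLAN], 27001: [MGMT_VLAN]}
LOCALHOST_ONLY = {1099}
WILDCARDS = {"*", "0.0.0.0", "::", ":::"}
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_listeners(text):
    """Return (proto, local_addr, port) for each socket line of netstat output."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def audit(text):
    """Map port -> 'ok' | 'wildcard' | 'localhost-only-violation'."""
    result = {}
    for _, addr, port in parse_listeners(text):
        if port in LOCALHOST_ONLY and addr not in ("127.0.0.1", "::1"):
            result[port] = "localhost-only-violation"
        elif addr in WILDCARDS:
            result[port] = "wildcard"
        else:
            result[port] = "ok"
    return result

def nft_rules(text):
    """Input-chain rules confining wildcard listeners to ALLOWED; 1099 via lo only."""
    rules = ["iif lo accept"]
    for proto, addr, port in parse_listeners(text):
        if port in LOCALHOST_ONLY:
            rules.append(f"{proto} dport {port} drop")   # lo already accepted
        elif addr in WILDCARDS:
            for net in ALLOWED.get(port, []):
                rules.append(f"ip saddr {net} {proto} dport {port} accept")
            rules.append(f"{proto} dport {port} drop")   # everyone else
    return rules
```

Feed it the output of `netstat -lntup` on the controller host; listeners already bound to one address are left alone, so unrelated services such as sshd are not affected.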