[pfSense Support] Can captive portal authenticate based on windows login
First. Thanks for making the best rouster software in the world. Second. I'v searched, but i cant quite figure it out. I would like to use captive portal. What I want is to have certain users based on windows username and passwords automatically autenticate without seeing the captive portal screen. If the user is unknow, then have them redirected to supply alternate credentials. I was hoping maybe I could do this with a radius server. Any help or sugestions are greatly appreciated. I hope I am clean in what I am asking for. I am not very familiar with radius and captive portal. Thank you.
Re: [pfSense Support] Can captive portal authenticate based on windows login
On Tue, Apr 21, 2009 at 1:27 PM, Ryan L. Rodrigue radiote...@aaremail.com wrote: First. Thanks for making the best rouster software in the world. Second. I'v searched, but i cant quite figure it out. I would like to use captive portal. What I want is to have certain users based on windows username and passwords automatically autenticate without seeing the captive portal screen. If the user is unknow, then have them redirected to supply alternate credentials. I was hoping maybe I could do this with a radius server. Any help or sugestions are greatly appreciated. I hope I am clean in what I am asking for. I am not very familiar with radius and captive portal. Thank you. Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Can captive portal authenticate based on windows login
Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on. the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this? __ NOD32 3834 (20090206) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Can captive portal authenticate based on windows login
Microsoft Internet Security and Acceleration Server (ISA Server), and you need to have AD. I've used it, but only in this particular case. I do not know of anything in the open source world that works reliably specifically the way you want it to. (That is not to say that nothing exists, I just may not know about it). With respect to ISA, there is a client installation (aka Firewall Client) that is required to make the authentication transparent--without it, it would work just like pfSense would-- with RADIUS against AD, and the user would have to enter credentials manually. Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com -Original Message- From: Ryan [mailto:radiote...@aaremail.com] Sent: Tuesday, April 21, 2009 11:50 AM To: support@pfsense.com Subject: RE: [pfSense Support] Can captive portal authenticate based on windows login Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on. the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this? __ NOD32 3834 (20090206) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org smime.p7s Description: S/MIME cryptographic signature
RE: [pfSense Support] Can captive portal authenticate based on windows login
Ryan Rodrigue Office: (985) 876-4096 Fax: (985) 853-0134 -Original Message- From: Dimitri Rodis [mailto:dimit...@integritasystems.com] Sent: Tuesday, April 21, 2009 2:47 PM To: support@pfsense.com Subject: RE: [pfSense Support] Can captive portal authenticate based on windows login Microsoft Internet Security and Acceleration Server (ISA Server), and you need to have AD. I've used it, but only in this particular case. I do not know of anything in the open source world that works reliably specifically the way you want it to. (That is not to say that nothing exists, I just may not know about it). With respect to ISA, there is a client installation (aka Firewall Client) that is required to make the authentication transparent--without it, it would work just like pfSense would-- with RADIUS against AD, and the user would have to enter credentials manually. Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com Thanks a bunch. This Really helps. I have ISA, but never even installed it. I thought it was just a firewall. Thank you again for your help, Ryan. Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on. the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this? __ NOD32 3834 (20090206) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Can captive portal authenticate based on windows login
Ryan wrote: Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on. the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this? I don't know if the Captive Portal can be coerced to support LDAP or Kerberos, but I have heard of people achieving a single sign-on type setup with Squid that way. Jim - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Can captive portal authenticate based on windows login
Single Sign-on (aka one set of credentials) is one thing, the captive portal's ability to automatically _receive_ (and authenticate) the credentials from the requesting client/browser is another. Unless I'm misunderstanding, Ryan wants to get rid of the username/password prompt from the captive portal, and have the current windows logon credentials automatically pass to the captive portal, which is currently not possible with pfSense-- ISA Server is the only thing I know of that does this. Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com -Original Message- From: Jim Pingle [mailto:li...@pingle.org] Sent: Tuesday, April 21, 2009 1:18 PM To: support@pfsense.com Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login Ryan wrote: Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on. the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this? I don't know if the Captive Portal can be coerced to support LDAP or Kerberos, but I have heard of people achieving a single sign-on type setup with Squid that way. Jim - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org smime.p7s Description: S/MIME cryptographic signature
RE: [pfSense Support] Can captive portal authenticate based on windows login
-Original Message- From: Dimitri Rodis [mailto:dimit...@integritasystems.com] Sent: Tuesday, April 21, 2009 4:34 PM To: support@pfsense.com Subject: RE: [pfSense Support] Can captive portal authenticate based on windows login Single Sign-on (aka one set of credentials) is one thing, the captive portal's ability to automatically _receive_ (and authenticate) the credentials from the requesting client/browser is another. Unless I'm misunderstanding, Ryan wants to get rid of the username/password prompt from the captive portal, and have the current windows logon credentials automatically pass to the captive portal, which is currently not possible with pfSense-- ISA Server is the only thing I know of that does this. Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com You are correct. This is exactly what i want to do. Ryan Rodrigue -Original Message- From: Jim Pingle [mailto:li...@pingle.org] Sent: Tuesday, April 21, 2009 1:18 PM To: support@pfsense.com Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login Ryan wrote: Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on. the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this? I don't know if the Captive Portal can be coerced to support LDAP or Kerberos, but I have heard of people achieving a single sign-on type setup with Squid that way. Jim - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Can captive portal authenticate based on windows login
That is the type of setup I was describing, where they sign on once (in Windows) and then further authentication happens in the background via Kerberos/LDAP/AD/etc. I can't find the exact article I read before, but this describes sort of what I was talking about: http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/ Which is still may not quite what the OP had in mind, but closer. You are correct that it isn't handled by anything in pfSense currently, but it doesn't seem out of the realm of possibility if someone had the knowledge (or money) for such a project. Jim Dimitri Rodis wrote: Single Sign-on (aka one set of credentials) is one thing, the captive portal's ability to automatically _receive_ (and authenticate) the credentials from the requesting client/browser is another. Unless I'm misunderstanding, Ryan wants to get rid of the username/password prompt from the captive portal, and have the current windows logon credentials automatically pass to the captive portal, which is currently not possible with pfSense-- ISA Server is the only thing I know of that does this. Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com -Original Message- From: Jim Pingle [mailto:li...@pingle.org] Sent: Tuesday, April 21, 2009 1:18 PM To: support@pfsense.com Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login Ryan wrote: Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on. the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this? I don't know if the Captive Portal can be coerced to support LDAP or Kerberos, but I have heard of people achieving a single sign-on type setup with Squid that way. Jim - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Can captive portal authenticate based on windows login
I think you can do with some simple Javascript and Ajax. Or at least that's the way i have seen it done with Squid. On Tue, Jul 21, 2009 at 11:48 PM, Ryan radiote...@aaremail.com wrote: -Original Message- From: Dimitri Rodis [mailto:dimit...@integritasystems.com] Sent: Tuesday, April 21, 2009 4:34 PM To: support@pfsense.com Subject: RE: [pfSense Support] Can captive portal authenticate based on windows login Single Sign-on (aka one set of credentials) is one thing, the captive portal's ability to automatically _receive_ (and authenticate) the credentials from the requesting client/browser is another. Unless I'm misunderstanding, Ryan wants to get rid of the username/password prompt from the captive portal, and have the current windows logon credentials automatically pass to the captive portal, which is currently not possible with pfSense-- ISA Server is the only thing I know of that does this. Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com You are correct. This is exactly what i want to do. Ryan Rodrigue -Original Message- From: Jim Pingle [mailto:li...@pingle.org] Sent: Tuesday, April 21, 2009 1:18 PM To: support@pfsense.com Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login Ryan wrote: Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on. the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD). I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this? I don't know if the Captive Portal can be coerced to support LDAP or Kerberos, but I have heard of people achieving a single sign-on type setup with Squid that way. Jim - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org -- Ermal - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Can captive portal authenticate based on windows login
On Tue, Apr 21, 2009 at 3:46 PM, Dimitri Rodis dimit...@integritasystems.com wrote: Microsoft Internet Security and Acceleration Server (ISA Server), and you need to have AD. I've used it, but only in this particular case. I do not know of anything in the open source world that works reliably specifically the way you want it to. (That is not to say that nothing exists, I just may not know about it). With respect to ISA, there is a client installation (aka Firewall Client) that is required to make the authentication transparent--without it, it would work just like pfSense would-- with RADIUS against AD, and the user would have to enter credentials manually. Not exactly, so long as you're using IE it'll pass through credentials automatically. The firewall client is so you don't have to configure all your applications to use a proxy, it automatically picks up any traffic not destined to your internal networks (as defined in ISA) and pushes it through the proxy. Works well in the environments I use it. ISA is a good proxy. I personally don't like it as a perimeter firewall, and it can be buggy (2006 is much better than 2004 and 2000, though still quirky at times), but its proxy functionality in a Windows environment is great. The reverse proxy is also nice if you use OWA and/or OMA with Exchange. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] Can captive portal authenticate based on windows login
Not to get too far OT, but whenever I have a machine that doesn't have the ISA firewall client, I get credential prompts with ISA (when it's configured for specific user/group access lists, etc). From the Firewall Client for ISA Server Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=05C2C932-B15A-4990- B525-66380743DA89displaylang=en ...Firewall Client sends user information transparently with each request, enabling you to create a firewall policy on the ISA Server computer with rules that use the authentication credentials presented by the client. I'd use pfSense any day of the week over ISA, even if it meant they had to use credential prompts. Bottom line: if eliminating credential prompts is an absolute must, ISA can do it for sure. pfSense, not yet ;) Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com -Original Message- From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler Sent: Tuesday, April 21, 2009 3:35 PM To: support@pfsense.com Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login On Tue, Apr 21, 2009 at 3:46 PM, Dimitri Rodis dimit...@integritasystems.com wrote: Microsoft Internet Security and Acceleration Server (ISA Server), and you need to have AD. I've used it, but only in this particular case. I do not know of anything in the open source world that works reliably specifically the way you want it to. (That is not to say that nothing exists, I just may not know about it). With respect to ISA, there is a client installation (aka Firewall Client) that is required to make the authentication transparent--without it, it would work just like pfSense would-- with RADIUS against AD, and the user would have to enter credentials manually. Not exactly, so long as you're using IE it'll pass through credentials automatically. The firewall client is so you don't have to configure all your applications to use a proxy, it automatically picks up any traffic not destined to your internal networks (as defined in ISA) and pushes it through the proxy. Works well in the environments I use it. ISA is a good proxy. I personally don't like it as a perimeter firewall, and it can be buggy (2006 is much better than 2004 and 2000, though still quirky at times), but its proxy functionality in a Windows environment is great. The reverse proxy is also nice if you use OWA and/or OMA with Exchange. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org smime.p7s Description: S/MIME cryptographic signature