(EAP110) Portal Access from SSID in different VLAN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2015-09-04 22:16:10
All,

I have two VLANs

VLAN 0 - Private ( 192.168.1.0/24 )
VLAN 1 - Guest ( 192.168.2.0/24 )

The EAP110 has an IP in VLAN 0 (192.168.1.88). When enabling a portal on an SSID that is assigned to VLAN 1, a WiFi client gets directed to the portal on 192.168.1.88. As per firewall rules, access is denied from VLAN 1 to VLAN 0, so the portal is not accessible.

Any ideas besides setting a FW rule to allow access to the portal?

Max
#1
Re:(EAP110) Portal Access from SSID in different VLAN
2015-09-06 09:04:18
Since VLAN 0 and VLAN 1 are in different subnets, a device which supports routing is required. Considering that they are in different VLANs, this device should also support VLANs. In summary, you need to have a router/L3 switch which supports VLAN routing. According to my limited experience the Cisco 1841 supports VLANs, but you are free to use any other device which supports VLAN routing.
#2
This is a serious issue with the eap controller software
2015-11-11 08:46:42
The purpose of having the captive portal in a hotel type environment (which this is specifically targeted at) is to have guests using the WiFi. If you want to ensure that sensitive information located on the private business systems VLAN is the natural choice without having to build two completely separate physical networks (the reason VLAN exists)

Forcing the computer hosting the EAP controller software to also serve the portal page is ridiculous. This forces you to have and maintain a separate computer that is on the same unsecured VLAN as the guest computers yet has complete control in maintaining the EAPs, a computer that no business could be conducted on because it is unsecured; it's ludicrous.

It would make far more sense to separate those two functions and have it be optional to host the portal from the same computer or default to the EAPs. I was recently told by support that when we move to an external portal page we must keep the EAP software running at all times to accomplish this, which has all the same nonsense as above. Why can't the APs handle the redirect themselves sans the controller?
#3
same topic here
2017-04-02 15:23:25
Hi, I have implemented a hotel WLAN solution with a lot of EAP110 (outdoor) and EAP245 APs. Guests use the Internet access with bandwidth limitation over VLAN. But with this configuration I can't use a portal. This is not what I expect from a solution called "business solution". Currently I print a lot of vouchers in advance, but in the future we want to have a portal! Is this in development currently, or is there another solution for this?

thank you
Cheers Ronald
#4
Re:(EAP110) Portal Access from SSID in different VLAN
2017-04-02 15:58:50

binary wrote

Hi, I have implemented a hotel WLAN solution with a lot of EAP110 (outdoor) and EAP245 APs. Guests use the Internet access with bandwidth limitation over VLAN. But with this configuration I can't use a portal.


The EAPs are just access points, not multi-functional servers running a Captive Portal, and not even a router. A CP must be hosted on a separate system. It makes no sense to have a CP on every AP in a hotspot system. Every CP solution I know of needs such a central authentication server for good reasons, be it on a dedicated local server or on a system in a cloud. I've been in the hotspot business for more than 10 years now, and yes, we use EAPs (among other routers acting as gateways) as APs with our Captive Portal controller, which is hosted on a central server in our hotspot solution.

You can host the EAP controller in an AWS cloud instance if you don't want to use a local server for this task. And yes, the APs indeed do handle the redirect to the controller themselves if set to managed mode. The claims from user Advantech regarding the portal redirection are just nonsense.

What's more, a server running a Captive Portal should never ever run other unrelated business software for a simple reason: basic security considerations. A CP is not just an app or a service which can run on a system used for other tasks such as a billing system or hotel reservation system, since the CP must be exposed to the guest's LAN to handle the requests.

That being said, you can indeed use a portal with separate VLANs for EAP's multi-SSID mode, although probably not with your configuration.

See http://www.tp-link.com/us/faq-928.html for the steps to set up an external portal/authentication service (note that the EAC and the external portal/auth services can run on the same or on different servers). With this solution you can use every authentication scheme one can think of.

See http://www.tp-link.com/us/faq-896.html for a simple authentication scheme using a RADIUS server together with EAC (method 4). With this scheme, the RADIUS server could also reside on the same server as the EAC.
#5
Re:(EAP110) Portal Access from SSID in different VLAN
2017-04-03 14:31:53
Good morning R1D2 and thank you for your answer.

I've understood what you're saying and I'm with you if we speak about enterprise environments!

My solution for now: I have installed a virtual machine hosting the EAP Controller which is located in both VLANs. On this VM (not a domain member) I have configured some routing and firewall rules to prevent access to anything except the EAP Controller from both VLANs. So this is working fine now and is a proper solution for me right now.

thank you and have a nice week
#6
Re:(EAP110) Portal Access from SSID in different VLAN
2017-04-04 00:34:17

binary wrote

On this VM (not a domain member) I have configured some routing and firewall rules to prevent access to anything except the EAP Controller from both VLANs.


This is a professional alternative to isolate the public WiFi from the rest of the network. Glad it works for you.

Have fun! :)
#7
Re:(EAP110) Portal Access from SSID in different VLAN
2021-09-12 13:29:57 - last edited 2021-09-12 13:33:07

This issue still exists with the EAP110-Outdoor v3, as of fw 5.0.1 Build 20210316 Rel. 38795(5553).

FTR: the EAP110-Outdoor in standalone mode - no Omada controller - provides a basic captive portal function for the guest network WiFi. It works well with the exception that when you put the guest network on a separate VLAN, the clients won't be able to reach the captive portal web page, which is only listening on the management IP address, not in the guest VLAN.

You can see this in a packet capture on a guest client: in my case I have the AP on an untagged/native interface (e.g. 10.0.0.10/24), and the guest WiFi on VLAN 3 (10.0.3.0/24). Once associated, the client gets a DHCP address (from my router) in VLAN 3, say 10.0.3.100. The router is (ideally) configured to only allow traffic from the guest VLAN out to the Internet, not to the LAN. The client's initial HTTP requests are intercepted by the AP, which responds with a redirect (JS location) to the AP's web server on port 22080 - on 10.0.0.10.

I.e. the problem is that the web server is on the 'management' address (i.e. not the guest VLAN); for this to work, the gateway is required to forward the captive portal traffic from the guest VLAN to the AP management address, that is, to allow some guest traffic access to the LAN.

For this to work without requiring config on the router, the AP captive portal could acquire a DHCP address in the guest VLAN for which it is operating, so that the client can reach it without the help of the router.

#8
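The gateway exception that post #8 describes, as an added example that is not code from the thread or from TP-Link: a first-match forward policy that lets guest clients reach only the AP's portal listener on the management address, drops the rest of the LAN, and renders the same policy as an nftables fragment so it can be checked before it goes on the router. Addresses, VLAN and port come from post #8; the table and chain names are assumptions.

```python
"""Model of the gateway exception from post #8: guest VLAN clients may reach
the AP's captive-portal listener and the Internet, nothing else on the LAN.
Added example (not from the thread); rules are first-match like an nft chain."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GUEST_NET = ip_network("10.0.3.0/24")    # guest SSID VLAN 3 (post #8)
LAN_NET = ip_network("10.0.0.0/24")      # native/management VLAN
AP_MGMT = ip_network("10.0.0.10/32")     # EAP110 management address
PORTAL_PORT = 22080                       # AP captive-portal web server

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    dst: object                  # ip_network the destination must fall in
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any port

# Ordered forward-chain policy for packets sourced from the guest VLAN.
GUEST_FORWARD = [
    Rule("accept", AP_MGMT, "tcp", PORTAL_PORT),  # the single hole: portal only
    Rule("drop", LAN_NET),                        # every other LAN host/port
    Rule("accept", ip_network("0.0.0.0/0")),      # Internet
]

def forward_decision(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Return 'accept' or 'drop' for a packet the gateway would forward."""
    s, d = ip_address(src), ip_address(dst)
    if s not in GUEST_NET:
        return "accept"  # not guest traffic; not governed by this chain
    for r in GUEST_FORWARD:
        if d in r.dst and r.proto in (None, proto) and r.dport in (None, dport):
            return r.action
    return "drop"  # unreachable with the catch-all above, kept as safe default

def as_nft() -> str:
    """Render GUEST_FORWARD as an nftables fragment (table/chain names assumed)."""
    out = ["table inet guest {", "  chain forward {",
           "    type filter hook forward priority 0; policy accept;"]
    for r in GUEST_FORWARD:
        m = [f"ip saddr {GUEST_NET}"]
        if r.dst.prefixlen:  # 0.0.0.0/0 needs no daddr match
            m.append(f"ip daddr {r.dst.network_address if r.dst.prefixlen == 32 else r.dst}")
        if r.proto and r.dport:
            m.append(f"{r.proto} dport {r.dport}")
        out.append("    " + " ".join(m) + f" {r.action}")
    return "\n".join(out + ["  }", "}"])
```

The same split (portal port only, everything else on the LAN dropped) is what the dual-homed controller VM in post #6 needs on its own host firewall.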