Hotspot to allow client forwarding rather than blocking

Hello,

I am looking to have the following setup to meet my requirement that devices belonging to the same user be able to talk to each other but be blocked from anyone else on the same subnet.

  1. UniFi APs are set to do 802.1X / WPA2-Enterprise for the SSID. The RADIUS server is external (TekRADIUS) with the default EAP method defined as MSCHAPv2-PEAP. MikroTik is the router doing the firewalling.
  2. Users are able to log in using their username / password (ignoring for now the cert validation) and then get placed in the required VLAN as per the RADIUS attribute obtained through the RADIUS response.
  3. APs will be connected to switches using private VLANs (community VLANs mapped to the upstream primary VLAN). Essentially, all users get placed into their different VLANs (each is a community VLAN) and they all share the common primary VLAN, so they can all use the same subnet for the DHCP IPs. The community VLAN will allow devices belonging to the same user to talk to each other, as they will all be in the same community VLAN, but any other user will be in a different community VLAN, so there will be isolation. And each device can talk upstream to get to the Internet or other VLANs, if required (like a servers VLAN). This portion is not fully tested yet in this setup, but it was in another setup, so it should work.
  4. A hotspot is set up on the MikroTik router with a login.html and alogin.html page with an embedded username / password that is then set up on TekRADIUS, and the hotspot is set to use RADIUS. A connecting user gets the login splash page for a split second, gets authenticated with the embedded username / password in the login page code and then gets redirected to Google.com. No user intervention needed. The whole point of doing the hotspot is that this forces MT to send a RADIUS request to TekRADIUS, and then as part of the Access-Accept, TekRADIUS also sends the speed and daily quota etc. Here is the helpful link for a no-intervention login splash page:
    http://forum.mikrotik.com/t/no-login-page-hotspot/46560/1
  5. My only issue is that forcing traffic through the hotspot is causing isolation even between devices with the same VLAN ID, while I was assuming that by default users within the same subnet would be able to ping each other, and that my breaking them into different VLANs, but within the same DHCP subnet, would stop communication between different users but allow devices belonging to the same user to talk.

So I am looking for a way to allow client-to-client communication for the hotspot clients and then stop it using the private VLANs. It seems that the hotspot breaks L2 forwarding and forces all traffic to go through the gateway.

My APs are Ubiquiti UniFi. UniFi does not allow the RADIUS attributes that I need. So I will be using some larger-size MT boxes for my application to act as firewalls if I can figure out breaking the L2 barrier that is generally required, but my application demands breaking it. I don’t need the hotspot, but I have not found a way to have MT intercept traffic flowing through it and then impose the speed and quota caps that I need under RADIUS direction.

Hopefully someone can help me in establishing the client-to-client forwarding through the router.

Thanks
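For readers who want to see what the "no intervention" splash page in step 4 looks like, here is an added example of an auto-submitting RouterOS hotspot login.html; it is not the poster's file and not from the linked thread. It assumes a hotspot profile with HTTP-PAP login and a shared account (HOTSPOT_USER / HOTSPOT_PASS are placeholders) that exists on the RADIUS server with the rate-limit and quota attributes attached.

```html
<!-- Added example: auto-submitting hotspot login page (not the original poster's code).
     $(link-login-only) and $(link-orig) are RouterOS hotspot template variables;
     HOTSPOT_USER / HOTSPOT_PASS are placeholders for the shared accounting account. -->
<html>
<head>
  <title>Connecting...</title>
</head>
<!-- Submit the form as soon as the page loads, so the user never sees it -->
<body onload="document.login.submit()">
  <form name="login" action="$(link-login-only)" method="post">
    <!-- Where to send the client after the hotspot accepts the login -->
    <input type="hidden" name="dst" value="$(link-orig)">
    <input type="hidden" name="popup" value="false">
    <!-- Shared credential: the hotspot forwards it to RADIUS, which answers
         with the per-account speed / quota attributes -->
    <input type="hidden" name="username" value="HOTSPOT_USER">
    <input type="hidden" name="password" value="HOTSPOT_PASS">
    <!-- Fallback for clients with scripting disabled -->
    <noscript><input type="submit" value="Connect"></noscript>
  </form>
</body>
</html>
```

Because this page is served to every client, the embedded account is effectively public; treat it as an accounting-only identity with no extra privileges and keep 802.1X as the actual authentication step.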

This was a firewall issue with my setup on the test devices. I was testing with Windows, and somehow the devices were set up under Public and Private network; I fixed that and I can now see that client-to-client forwarding is happening by default, as I was expecting. And I was able to confirm that clients from one AP to any other could not see those devices. So this achieves what I was looking for.

Thanks