  1. #1
    Master Untangler
    Join Date
    Jan 2014
    Posts
    115

    Captive Portal on LAN Question

    Ok, here's the situation. I'm tired of users plugging in devices that are out of our management window (like rogue wifi routers) and screwing with the network. As such, I've been looking into NAC kind of setups, and was wondering if Untangle could fit the bill.

    Effectively, I'm wondering if, say, I set up Captive Portal on the network for all IPs to be captured, would this stop devices like a store-bought Belkin router from pulling an IP and doing its thing? If I'm not mistaken, Captive Portal still allows them to pull an IP address, so it makes me think no.

    If this isn't the case, is this something Untangle could handle, or am I looking at another device to do so? No problem with another device, just wanting to make sure that if I don't need to set something up, I don't.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,095


    Untangle is a UTM, NAC is NAC. You'll need NAC aware switches to do what you're asking.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,787


    You can't stop the device from getting an IP, but you can prevent that IP from having internet access. With policy manager, you can have a RACK with a default block rule for everything, and push unknown IPs to that rack.

    To really make this work well, though, you'd want to be able to control this by MAC address, rather than IP, and you'd want an easier user interface than Untangle provides for maintaining your list of allowed MACs.

    Depending on what is handling your DHCP server, you might set up reservations for your known devices (this is very easy to do with Windows: just right-click on a lease and select "Convert to Reservation".) Once you've captured all your existing devices this way, you could go and edit the reservations to move them all to the front of your DHCP scope. Then you set up rules in Untangle so that any IPs from the back of your scope end up on the policy manager rack with the "block everything" rules. Of course local connectivity would work, but you will have blocked what matters to most people.

    A more sophisticated network could do something similar with VLANs. For example, if you have an enterprise wifi service that is able to do VLAN assignments based on policies and device fingerprinting, it's fairly simple to then set rules in Untangle to enforce internet access based on those VLAN choices.
    Last edited by jcoehoorn; 05-18-2015 at 10:08 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty
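    As an added illustration of the front-of-scope / back-of-scope scheme in the post above (not code from the thread or from Untangle), here is a small audit script that classifies observed leases against a reservation table and shows where the IP-keyed rule has gaps: an unknown device that holds a front-of-scope address (for example a manually set static IP) is never pushed to the block rack, and a reserved device that has drifted into the tail will be blocked. All addresses, MACs and ranges are constructed sample values.

```python
import ipaddress

# Constructed example of the scheme described above: reserved (known) devices
# live at the front of the scope, the dynamic tail is what the "block
# everything" policy rack matches on. Every value here is made up.
RESERVED_RANGE = (ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.99"))
DYNAMIC_RANGE = (ipaddress.ip_address("10.0.0.100"), ipaddress.ip_address("10.0.0.250"))

# Constructed reservation table: MAC -> reserved address.
RESERVATIONS = {
    "00:11:22:33:44:01": ipaddress.ip_address("10.0.0.10"),
    "00:11:22:33:44:02": ipaddress.ip_address("10.0.0.11"),
}

# Constructed lease/ARP observations as (ip, mac).
SAMPLE_LEASES = [
    ("10.0.0.10", "00:11:22:33:44:01"),   # known device on its reservation
    ("10.0.0.150", "aa:bb:cc:dd:ee:01"),  # unknown device in the dynamic tail
    ("10.0.0.50", "aa:bb:cc:dd:ee:02"),   # unknown device with a front-of-scope address
    ("10.0.0.120", "00:11:22:33:44:02"),  # known device not on its reservation
]

def in_range(ip, rng):
    return rng[0] <= ip <= rng[1]

def classify(ip_str, mac, reservations=RESERVATIONS):
    """Classify one observation relative to the reservation scheme.

    known      - reserved MAC on its reserved address (normal rack)
    quarantine - unknown MAC in the dynamic tail (hits the block rack as intended)
    escaped    - unknown MAC outside the tail: the IP-based rule will NOT block it
    drifted    - reserved MAC not on its reservation: it will be blocked, so
                 check that the reservation is still in place on the DHCP server
    """
    ip = ipaddress.ip_address(ip_str)
    mac = mac.lower()
    if mac in reservations:
        return "known" if ip == reservations[mac] else "drifted"
    return "quarantine" if in_range(ip, DYNAMIC_RANGE) else "escaped"

def audit(leases, reservations=RESERVATIONS):
    """Return {category: [ip, ...]} for a list of (ip, mac) observations."""
    report = {"known": [], "quarantine": [], "escaped": [], "drifted": []}
    for ip, mac in leases:
        report[classify(ip, mac, reservations)].append(ip)
    return report

def block_rack_range():
    """Source-address range the policy rule for the block rack should match."""
    return f"{DYNAMIC_RANGE[0]}-{DYNAMIC_RANGE[1]}"

if __name__ == "__main__":
    for category, ips in audit(SAMPLE_LEASES).items():
        print(f"{category:10s} {ips}")
```

The "escaped" bucket is the practical reason the post recommends keying on MAC rather than IP where you can.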

  4. #4
    Master Untangler
    Join Date
    Jan 2014
    Posts
    115


    Quote Originally Posted by sky-knight
    Untangle is a UTM, NAC is NAC. You'll need NAC aware switches to do what you're asking.
    That's exactly what I needed to hear. I figured this was the case, but wanted to make sure.

  5. #5
    Master Untangler
    Join Date
    Jan 2014
    Posts
    115


    Quote Originally Posted by jcoehoorn
    You can't stop the device from getting an IP, but you can prevent that IP from having internet access. With policy manager, you can have a RACK with a default block rule for everything, and push unknown IPs to that rack.

    To really make this work well, though, you'd want to be able to control this by MAC address, rather than IP, and you'd want an easier user interface than Untangle provides for maintaining your list of allowed MACs.

    Depending on what is handling your DHCP server, you might set up reservations for your known devices (this is very easy to do with Windows: just right-click on a lease and select "Convert to Reservation".) Once you've captured all your existing devices this way, you could go and edit the reservations to move them all to the front of your DHCP scope. Then you set up rules in Untangle so that any IPs from the back of your scope end up on the policy manager rack with the "block everything" rules. Of course local connectivity would work, but you will have blocked what matters to most people.

    A more sophisticated network could do something similar with VLANs. For example, if you have an enterprise wifi service that is able to do VLAN assignments based on policies and device fingerprinting, it's fairly simple to then set rules in Untangle to enforce internet access based on those VLAN choices.
    Internet access isn't as much the concern as pure network access. I figured Untangle wouldn't be the solution for this, but figured it was worth asking!

  6. #6
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    I don't think Untangle will do this since it sits at the gateway.
    It can control what comes and goes, but it can't control internal network traffic since it doesn't see that traffic.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
