IT_TarOpo
New Contributor

LAN users have to authenticate via radius

Hello,

I am using RADIUS (on Windows + AD) to authenticate WiFi users for certain SSIDs. However, if I plug in a PC via LAN and log in to the Windows domain, unless I open a web browser and authenticate again I don't have an internet connection.

Can I get rid of this local users authentication? For example, if they log into their own domain accounts, they would have internet connection, and leave the WiFi RADIUS (NPS) authentication?

That's some of my wifi's ssid configuration

[Screenshots: forti1.png, forti2.png]

Should I change some policies or something? I have a policy that allows those (for example) WiFi_UG to access WAN (I tried to also add some WiFi addresses but nothing changes, they still need to authenticate in the browser).

adambomb1219
SuperUser

Do your firewall policies require authentication via splash page? Or captive portal authentication on the firewall interface? Based on the settings here it should be only WPA2 Enterprise via 802.1X/RADIUS; there should be no splash page involved.

IT_TarOpo

I don't think I do anything more. It looks like a captive portal to me, but on the WAN interface or my firewall policy I have nothing extra. The security mode on VLANs (where the captive portal can be enabled) is off.

That's my WAN:

[Screenshot: wan1.png]

That's my VLAN config:

[Screenshot: wan2.png]

And that's my policy for access to the Internet:

[Screenshot: wan3.png]

(I know that I have 'all' and then specified groups; I was testing how to get rid of this authentication for LAN users.)

If I check logs and user events, all of my LAN users authenticate as a 'wifi-group', even if they are connected just by cable.

 

Hmm, what if I turned on captive portal for, for example, vlan10, and then just exempted source vlan10? Might it work?
