Welcome to TP-LINK Tech Support Forum
  1. #1

    (EAP110) Portal Access from SSID in different VLAN

    All,

    I have two VLANs:

    VLAN 0 - Private (192.168.1.0/24)
    VLAN 1 - Guest (192.168.2.0/24)

    The EAP110 has an IP in VLAN 0 (192.168.1.88). When enabling a portal on an SSID that is assigned to VLAN 1, a WiFi client gets directed to the portal on 192.168.1.88. As access from VLAN 1 to VLAN 0 is denied per firewall rules, the portal is not accessible.

    Any ideas besides setting a FW rule to allow access to the portal?

    Max

  2. #2
    Since VLAN 0 and VLAN 1 are in different subnets, a device which supports routing is required. Considering that they are in different VLANs, this device should also support VLANs. In summary, you need to have a router/L3 switch which supports VLAN routing. According to my limited experience the Cisco 1841 supports VLANs, but you are free to use any other device which supports VLAN routing.

  3. #3

    This is a serious issue with the eap controller software

    The purpose of having the captive portal in a hotel type environment (which this is specifically targeted at) is to have guests using the WiFi. If you want to ensure that sensitive information located on the private business systems VLAN is the natural choice without having to build two completely separate physical networks (the reason VLAN exists)

    Forcing the computer hosting the EAP controller software to also serve the portal page is ridiculous. This forces you to have and maintain a separate computer that is on the same unsecured VLAN as the guest computers yet has complete control in maintaining the EAPs, a computer that no business could be conducted on because it is unsecured; it's ludicrous.

    It would make far more sense to separate those two functions and have it be optional to host the portal from the same computer or default to the EAPs. I was recently told by support that when we move to an external portal page that we must keep the EAP software running at all times to accomplish this, which has all the same nonsense as above. Why can't the APs handle the redirect themselves sans the controller?

  4. #4

    same topic here

    Hi, have implemented a hotel WLAN solution with a lot of EAP110 (outdoor) and EAP245 APs. Guests are using the Internet access with bandwidth limitation over VLAN. But with this configuration I can't use a portal. This is not what I expect from a solution called "business solution". Currently I print a lot of vouchers in advance, but in the future we want to have a portal! Is this in development currently or is there another solution for this?

    thank you
    Cheers Ronald
    1x TL-SG3424P v2.0
    3x EAP225

  5. #5
    R1D2
    Originally posted by binary:
    "Hi, have implemented a hotel wlan solution with a lot of EAP110 (outdoor) and EAP245 APs. Guests using the Internet access with bandwidth limitation over VLAN. But with this configuration i can't use a portal."

    The EAPs are just access points, not multi-functional servers running a Captive Portal and not even a router. A CP must be hosted on a separate system. It makes no sense to have a CP on every AP in a hotspot system. Every CP solution I know of needs such a central authentication server for good reasons, be it on a dedicated local server or on a system in a cloud. I've been in the hotspot business for more than 10 years now and yes, we use EAPs (among other routers acting as gateways) as APs with our Captive Portal controller, which is hosted on a central server in our hotspot solution.

    You can host the EAP controller in an AWS cloud instance if you don't want to use a local server for this task. And yes, the APs indeed do handle the redirect to the controller themselves if set to managed mode. The claims from user Advantech regarding the portal redirection are just nonsense.

    What's more, a server running a Captive Portal should never ever run other unrelated business software for a simple reason: basic security considerations. A CP is not just an app or a service which can run on a system used for other tasks such as a billing system or hotel reservation system, since the CP must be exposed to the guest's LAN to handle the requests.

    That being said, you can indeed use a portal with separate VLANs for EAP's multi-SSID mode, although probably not with your configuration.

    See http://www.tp-link.com/us/faq-928.html for the steps to set up an external portal/authentication service (note that the EAC and the external portal/auth services can run on the same or on different servers). With this solution you can use every authentication scheme one can think of.

    See http://www.tp-link.com/us/faq-896.html for a simple authentication scheme using a RADIUS server together with EAC (method 4). With this scheme, the RADIUS server could also reside on the same server as the EAC.
    Last edited by R1D2; 04-02-2017 at 08:37.

  6. #6
    Good morning R1D2 and thank you for your answer.

    I've understood what you're saying and I'm with you if we speak about enterprise environments!

    My solution for now: I have installed a virtual machine hosting the EAP Controller which is located in both VLANs. On this VM (not a domain member) I have configured some routing and firewall rules to prevent access to other things except the EAP Controller from both VLANs. So this is working fine now and is a proper solution for me right now.

    thank you and have a nice week
    1x TL-SG3424P v2.0
    3x EAP225
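
A host firewall of the kind described in post #6, as an added example that is not from the thread or from TP-LINK. It assumes the controller VM runs Linux with nftables, with `eth0` in the private VLAN and `eth1` in the guest VLAN; the subnets are the sample values from post #1, and the admin address and all port numbers are assumptions to check against your own controller settings.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumptions: Linux VM with nftables,
# eth0 in the private VLAN, eth1 in the guest VLAN, sample subnets from post #1.
flush ruleset

define PRIV_IF    = "eth0"
define GUEST_IF   = "eth1"
define PRIV_NET   = 192.168.1.0/24
define GUEST_NET  = 192.168.2.0/24
define ADMIN_HOST = 192.168.1.10        # constructed admin workstation
# Port numbers are assumptions; use the values configured in your controller.
define PORTAL_TCP = { 8088, 8043 }      # portal page served to guests
define MGMT_TCP   = { 29811-29813 }     # AP-to-controller management
define DISC_UDP   = { 29810 }           # AP discovery

table inet controller_vm {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # Anti-spoofing: each interface only accepts its own subnet.
        iifname $GUEST_IF ip saddr != $GUEST_NET drop
        iifname $PRIV_IF  ip saddr != $PRIV_NET  drop

        # Guests reach the portal page and nothing else on this host.
        iifname $GUEST_IF tcp dport $PORTAL_TCP accept

        # APs and the admin workstation live on the private side.
        iifname $PRIV_IF tcp dport $MGMT_TCP accept
        iifname $PRIV_IF udp dport $DISC_UDP accept
        iifname $PRIV_IF ip saddr $ADMIN_HOST tcp dport $PORTAL_TCP accept

        # Record denied guest traffic for review, then fall through to drop.
        iifname $GUEST_IF limit rate 5/second log prefix "guest-denied: "
    }

    chain forward {
        # The VM has a leg in each VLAN but must never route between them.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file with `nft -c -f` before loading it, and keep IP forwarding disabled on the VM so the forward chain is a second barrier rather than the only one.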

  7. #7
    R1D2
    Originally posted by binary:
    "On this VM (no Domainmember) i have configured some routing and firewall rules to prevent access to other things except EAP Controller from both VLANs."

    This is a professional alternative to isolate the public WiFi from the rest of the network. Glad it works for you.

    Have fun!


 
