# Wireless authentication

## aztech

Hi

My network-setup looks like this ...

Inet <-> eth0|Gentoo-router|eth1 <-> Switch <-> Wired clients / access points <-> wireless clients

I would like to know if it's possible to add an extra authentication method for the wireless clients and not for the wired ones, as in pfSense's captive portal or something like that?

The reason is that I would like to give internet access only to authenticated clients.

The local subnet is 192.168.0.0

Gentoo box - .1

AP1 - .2

AP3 - .3 (repeater)

I know it would be a lot easier if I had another NIC, but it would be great if I didn't need to buy one.

// andreas

----------

## erik258

The problem as I see it is this: how are you to tell what traffic is wired and what's wireless?  I think the APs are basically bridges, and therefore your wired and wireless networks are on one unified broadcast domain.

I assume you want to keep the wireless network unencrypted. One option is to impose an additional layer of security atop the wireless connection - maybe a VPN or something - and then refuse to forward traffic to the internet that isn't authenticated. But how to do this without physically separating the wired and wireless networks, I don't know. I can say that Ethernet interfaces are a dime a dozen, at least in my neck of the woods (the USA), and I'd imagine you'd be able to procure one for $5US or so.

Of course, if you're willing to encrypt the wireless network, you could use RADIUS or just plain old shared-key WPA to authenticate, and then all your wireless clients would be authenticated or they wouldn't be connected.

Or, if you could impose the same restrictions on the wired computers, you could have them all use a tunneling system like OpenVPN on all the computers that should be online.

I know this isn't particularly helpful, it's just thoughts that I figured I'd share since this has been in the unanswered queue for a while now and is almost off the first page.

----------
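The last option in the reply above (every machine that should be online tunnels through OpenVPN, and the router refuses to forward anything else) can be sketched as a router ruleset. This is an added example, not code from either poster: `eth0` and `eth1` come from the diagram in the first post, while the tunnel interface `tun0` and the function names `gen_vpn_only_rules` and `forward_allows` are assumptions made for illustration, and the OpenVPN server configuration itself is not shown.

```shell
#!/bin/sh
# Added example (constructed): emit an iptables-restore ruleset for the
# Gentoo router so that only traffic arriving through the VPN tunnel is
# forwarded to the Internet. Wired and wireless hosts share eth1, so both
# are treated the same: no tunnel, no forwarding.
# Assumption: OpenVPN runs on the router and its tunnel interface is tun0.
# Apply as root with:  gen_vpn_only_rules | iptables-restore
# (iptables-restore replaces the existing filter and nat rules).

gen_vpn_only_rules() {
    wan_if=${1:-eth0}   # Internet side, from the thread's diagram
    vpn_if=${2:-tun0}   # assumed OpenVPN tunnel interface
    cat <<EOF
*filter
# INPUT stays open so LAN hosts can still reach the VPN service on the router.
:INPUT ACCEPT [0:0]
# Fail closed: anything not matched below is not routed.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections that were already allowed out.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections only from authenticated (tunnelled) clients.
-A FORWARD -i $vpn_if -o $wan_if -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Return 0 if the generated ruleset accepts new connections from
# interface $1 out of interface $2, non-zero otherwise.
forward_allows() {
    gen_vpn_only_rules | grep -qxF -- "-A FORWARD -i $1 -o $2 -j ACCEPT"
}
```

Because the rules match on the tunnel interface rather than on client IP or MAC addresses, a host on the shared 192.168.0.0 segment cannot gain Internet access by spoofing an address; it has to complete VPN authentication first.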

