> > What we want to do, is have anyone on the "external port" come up on their
> > own locked down VLAN to the captive portal. Then we want to use RADIUS and
> > machine certificates to authenticate the individual machines, not users. If
> > they authenticate, put them onto the private network with all access. If
> > they don't authenticate, just put them on a jailed VLAN that only has
> > internet access and DNS access but no access to internal services or other
> > machines.
> > Is this feasible?
> What you're talking about there is actually switching the VLAN the
> user is on. m0n0wall can't do that, that's a function of the switch.
If it's a decent switch with AAA and full RADIUS support, then you can
simply configure dot1x on the switch so that this can be achieved. Configure
the switch to talk to the RADIUS box... the RADIUS box will then be handed
the machine certificate etc. and, if valid, return an appropriate VLAN
for the switch to move the port to. Not a m0n0wall function.
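As an added illustration of the RADIUS side of that reply (not configuration posted by anyone in this thread), the fragment below shows how a FreeRADIUS 3.x server returns the VLAN for the switch to move the port to. It relies on the standard RFC 3580 tunnel attributes that 802.1X-capable switches interpret as a dynamic VLAN assignment. Everything specific here is assumed: FreeRADIUS 3.x unlang syntax in the default virtual server, EAP-TLS as the only enabled EAP method so that a successful authentication implies a valid machine certificate, VLAN 100 as the private network, and the certificate checks are placeholders.

```text
# Added example, not from the thread. FreeRADIUS 3.x, sites-enabled/default.
# Assumes: mods-enabled/eap has only "tls" enabled (machine certificates),
# the switch is defined as a NAS in clients.conf, and VLAN 100 is the
# internal network. The VLAN ids and CN check below are constructed values.

post-auth {
    # Only reached on Access-Accept, i.e. the EAP-TLS handshake succeeded
    # and the client certificate chained to the trusted CA in mods-enabled/eap.
    if (&EAP-Type == TLS) {
        update reply {
            # RFC 3580 dynamic VLAN assignment: the switch reads these three
            # attributes and moves the port into the named VLAN.
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := 100
        }
    }

    # Anything that authenticated without EAP-TLS (for example a stray
    # PEAP/user login if another method were ever enabled) must not be
    # granted the internal VLAN; reject it so the switch falls back to
    # its own auth-fail handling.
    else {
        reject
    }

    Post-Auth-Type REJECT {
        # No VLAN attributes are sent on a reject. The "jailed" VLAN for
        # machines that fail or have no supplicant is configured on the
        # switch (its auth-fail / guest VLAN), not on the RADIUS server.
        attr_filter.access_reject
    }
}
```

The important operational point matches the reply above: the RADIUS server only ever says "valid certificate, use VLAN 100"; the internet-only VLAN for machines that fail or never start 802.1X is a switch-side setting, and the switch also needs RADIUS network authorization enabled so it honours the Tunnel-* attributes. Before relying on this, verify in the switch's CLI or logs that an authenticated port actually lands in VLAN 100 and that a non-802.1X device lands in the jail VLAN rather than the port's static VLAN.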