Freeze new clients until authorization in a second layer

Hey, guys!

imagine the scenario that follows:

  • a new client is authenticated on my ssid by the defined password
  • I have a second authentication method in my wlan
  • I need this client to have no communication and no ip is assigned to him until this second authentication is completed

I thought about using captive portal, but it has support for clients that have a browser. I need IoT devices (which don't have a screen or browser) to be hit too!

How can I do this? Can anyone help?

Thank you!

monowall had a neat password per segment walled garden feature for such a scenario...

depending on the IoT device... your options will vary. but based on what you've written, i'm struggling to know why or how you'd think a second layer could be implemented...

basic programmable devices speak http/udp/mqqt/etc fine... light bulbs on the other hand? Good luck :scream_cat:

How did you think doing that authentication, if the client has no IP address???

Second authentication? By which component? WiFi hostapd knows about SSID etc.., but not much more.

What scenario you are thinking?
Rogue device knows WiFi password, so why would it not know the second password? Is there some config to be done, or what are you trying to accomplish?

Some ideas for you:

  • Assign device to guest network until second authentication is done
  • Use Port knocking or something similar simple as the second authentication to trigger the release to open internet.
  • Use WPA enterprise with radius for WiFi, so that the device needs to have a certificate file installed.

So, the environment is emulated

In this scenario, I want to test a transaction for a private blockchain as soon as a new device get in the wlan.

Since the mac for that address is already on the blockchain, I want to release access, otherwise I want to generate an alert

the transaction needs to contain the mac address of the customer who entered the password, so I need to know his mac and I need to keep it without traveling until I check if it is a device that my network already knows.

I hope it's clear enough

thanks for answering