@regexaurus said in Captive portal + DNS redirect:

Yes, I have ACME set up to request/renew a TLS/SSL cert and added a host (A) record to Resolver, pointing to the captive portal interface, for the CN host on the cert. Under HTTPS Options for the captive portal, I checked/enabled the Enable HTTPS login option, entered the certificate CN hostname for the HTTPS server name, and selected the appropriate certificate from the SSL/TLS Certificate drop-down. After additional testing/tweaks, this seems to be working quite well

👍

@regexaurus said in Captive portal + DNS redirect:

Adding the RFC8910 option seems to be a significant improvement

Easy check to see what device is using the RFC8910 login method, obtained by the DHCP lease request.
The rfc8910.php file, line 97, remove the comment :
Change

/* captiveportal_logportalauth("rfc8910", "EMPTY SESSION", $clientip, $cpzone); */

to

captiveportal_logportalauth("rfc8910", "EMPTY SESSION", $clientip, $cpzone);

and now you'll see all the request made for this rfc8910.php file.
This will somewhat flood your captive portal authentication log.

@regexaurus said in Captive portal + DNS redirect:

but on one system (an iMac running Sequoia 15.4.1 + Google Chrome 136.0.7103.93), with Google Chrome as the default browser, sometimes the system wouldn't automatically load/display the captive portal login. Once when this happened, I manually opened Chrome and simply entered google.com in the address bar. When I did so, this appeared:

Upfront : I use Apple devices like ipads and iphones. My latest Apple computer experiences dated from ... not sure, probably the the Apple II.
Afaik, as soon as the device knows that it is behind a portal, as it will be aware of this as soon as it connects to a wifi or cabled network and the DHCP event will return a the option 41 ID = the URL to a file where it should connect to using a browser.
On ipads and iphones, this is done automatically, as soon as the wifi connection to the portal SSID becomes active and a DHCP lease was acquired.
On iMac OS : behavior could somewhat be different.

Somewhat strange; imho, that you need to type in 'some' URL to force the browser's to show you the login page. The browsers knows their is a captive portal : it showed you the login URL

The Wi-Fi you are using may require you to visit ....

What was the URL you've shown ? Not the host name (I use portal.bhf.tld here on the forum, that isn't my real host name neither). What is the file ? index.html or rfc8910.php ?

That's isn't a may .... the URL shows was obtained by the DHCP request and needs to be visited so a login page shows up, so the user (human) can identify.

Btw : Chrome from Google. That's not -imho- a browser, more a system / user data collector. I'm a FF man, as long as it lasts.
Be careful with commercial browsers, as they tend to not use the system (iMac, PC's) DNS, they go straight to their own DNS server, like 8.8.8.8, most probably using DoH or DoT, so the pfSense Resolver never sees their DNS requests. So pfBlockerng can't work ... DNSSEC can't work .... But, when a portal is used - present in the network -, this won't work.
And because DNS doesn't work for them, they have a hard time dealing with portals.
Rfc8910 should make live easier on us, but if the browser doesn't care, well, then nothing can be done to solve that.
Well, something can be done. Like not using these kind of browsers 😊

@Summer1000 said in CRASH REPORT CAPTIVE PORTAL:

will uodate

?
Oops.

@Summer1000 said in CRASH REPORT CAPTIVE PORTAL:

amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT

and also :

@Summer1000 said in CRASH REPORT CAPTIVE PORTAL:

pfSense-Plus-snapshots-23_09_1-main

I didn't spot the ancient software ...
Yeah, suddenly : you experience ancient bugs.
Good news : solved months ago ^^

And it gets better : I'm using the latest beta 25.03 version, with a captive portal, and it works great.

Ok that was too, quick it seems that this was my Phone cache. The page does not load the uploaded files. Not any of them.
When i use the Preview of the page or use my phone or device, it shows a blank icon where it should show the logo or the background image.
When i click on the Preview button the page opens and show the same behavior like the user Devices, http://192.168.7.1:8002/captiveportal-background.jpg.

@1013215273

Look again at the captive portal settings.
There are no IPv4 addresses to be set.
You have to select an interface, like LAN, or, so what I have, PORTAL (was originally OPT1).

How where why do you want to set "172.16.69.x" ?
What are you trying to achieve ?

@stompro said in Captive portal only works on mobile or Chromebook not yet logged in:

It seems like the GoGuardian extension might be trying to check the captive portal page to see if it is in their filter... but since the captive portal blocks the https connection it tries to make, the extension doesn't allow the page to render.

In my case there must be a 5 minute timeout for goguardian to check a url because the captive portal page will load after about 5 minutes.

It looks like that application is created for a world where there are no captive portals.
Ok, why not.
Use the app, and then don't bring your device to public networks, McDonald's, plains, trains, etc etc etc. Just use it 'at home' and you'll be fine 😊

On the other hand, every OS created since ... not sure, 2012 ? is captive portal aware.
Connect any phone, pad, PC, whatever over a cable ( ! ) or wifi connection and you see that right after DHCP did it's work, the PC got a lease and knows in what network it is, it sends out a http (not https !) request.

Example : Apple device use this request : http://captive.apple.com/hotspot-detect.html - click on it and you'll see what happens.
If the reply on the http request wasn't 'Success', then the device knows it hasn't a direct Internet connection and a portal is presumed.
A browser will open, the same request will be repeated in that browser and the actual answer back will be ... the portal login page.

Using an app that does 'DNS' requests from the start and if it can't do them then blocks/locks up is .... then you can't use that if there is a portal.

On the other hand, some devices are not meant to be used behind a captive portal. A portal is there for the 'public' that wants to use an Internet connection, and don't want to use their own 3G/4G/5G device capabilities (or because it doesn't have a sim card, etc).

@leonida368 said in Captive portale with FreeRadius joined with Google Workspace:

Can you give me some advice on how to do this configuration?

There are a lot of variables there, version of pfSense or Plus, duration of power outage, etc.

Basically, all versions of pfSense support the "Preserve Connected Users across Reboot" option so if you don't have that checked off under Services, Captive Portal, then select the portal itself.
526aaae2-7ec0-46c9-accb-b4f89ee5ae33-image.png

There is also the duration of the lease and settings for idle and hard timeouts:
60091acf-a826-4df5-aa4b-13a21b1431d1-image.png

If you are following the DHCP instructions, your hard timeout will be less than the lease duration but many users of ISC DHCP do not respect that requirement as it allocates the oldest IP next so, depending upon the number of different connections vrs size of lease pool, the IP may remain available for reassignment to the same mac address for days, weeks or even months. This fact lets the DHCP Lease expire and when the device returns with the same mac address, it will get the same IP, thus the fact you set the hard timeout in CP longer than the lease duration is not a problem as when the device returns, it gets the same IP and is still authenticated.

In the Kea DHCP server, the duration of lease retention for assignment to the same mac address is very short, a second or so. In order to address this concern, they support "lease affinity" but just as you mentioned for the default CP authentications, it is lost on a reboot. There is a ticket to change that but it is well into the future.

Redmine 15854 and Redmine 15934 may interest you in regard to this.

@kamu said in téléchargement de l'Appliance pfsense:

je ne sais pas si c'est un problème de région.

Essayez ceci: https://atxfiles.netgate.com/mirror/downloads/

Le ISO doit correspondre à ton appareil (serial or vga)

After much digging into /usr/local/captiveportal/index.php and /etc/inc/captiveportal.inc,
I was able to figure out logic behind Captive portal itself and successfully created custom PHP login page,
now I can collects guests info (with their permissions of course) and store it in Google Spreadsheets.

@Gertjan , thank you very much for help,
now I just need to solve legal and design problems with this page :)

@Dmc said in Captive Portal & Radius Authentication:

Could you guide me how to lookup redmine bug reports?

Here : https://redmine.pfsense.org/

@Gertjan

Yes, i am using interim and also tested it with stop/start

I do not have the logs for the diagnostic mode but the outputs were as follows

concurrent connection limit was set to 1 Radius was aware that user4 was connected 4 times as the radius itself would show me connections would always allow requests stop was only sent if the credentials were incorrect

again, I am not sure if this helps but I was not using SQL. Instead the flatfile radutmp? i think is whats it called was being used. so perhaps that's why it wasn't being enforced properly

7f3ea3d8-fccf-4d74-9205-129c61b22831-image.png

It says to read the documentation but where..? i went through it and only found this, the yellow box I think is referring to the captive portal configuration "first,last, multiple, disabled" so its implying it to be multiple

ee7d1a63-2655-40b3-a426-681527e10bc9-image.png

Source: https://docs.netgate.com/pfsense/en/latest/usermanager/index.html

@Gertjan

Agreed, perhaps ill change my approach and perspective. I shouldn't be punishing the 9 people for one bad player, I can just limit them abusers by IP if I must and have a talk with them for their abuse.

I am really starting to learn that network administration is really simple to talk about "oh, ill do this and that" 🤡 but implementation is just a whole another game. We've been too spoiled with the "one-click" culture 🤡 🤡

@EDaleH

Installed "25.03-BETA (amd64)" ( 25.03.b.20250204.0023 ) - Updated the latest 'kea options' patch as mentioned in this thread : all is ok.

Hi @AYSMAN

Did you happen to find the solution to this by anychance??

I am stumped as well after spending weeks on this... i know my accounting is working fine since its all logged but FreeRadius will not stop the connection after the limit is reached.

Ive setup identical to the OP except my IP is on 127.0.0.1 and listening ports *

Also added the Simultaneous-Connection := 1 to the user profile which didn't appear to do anything.

@scifoflux said in Captive portal with sponsorship approval:

Is this possible?

You are effectively looking for a "validating parking" application.

If the employee has to give them their email address, why not have the employee at the same time also send an access code good for a fixed amount of time. That access code could be a voucher or you could create a multiuser account and use the employee email address (before the @) as the login.

If you still want to send the email, you could look at something like the phpmailer application.

I do agree with Gertjan though, keep it simple. Why can't the receptionist just hand them the "info". It could be the wifi password and you could use unauthenticated access, just an "accept the terms" button. For that matter, the employee could email them that password in advance. You could change the password every Monday if you need greater security. Depending upon the number of employees, you could even set up a portal (on a separate VLAN) for each employee if your WiFi router supports sufficient number of stationIDs/VLans. OpenWrt on the WiFi Router could get that done.

Good Luck.

@GeorgeCZ58 said in PHP Fatal error: Uncaught TypeError in /etc/inc/captiveportal.inc:

Can somebody explain why that happen?

Are you sure ? 😊

A portal user entered (with the keyboard) the URL manually, and forgot to add a mandatory paramter.
He/she was using an URL like
https://your-portal.your-hostname.tld:8003/
which would work, as /index.php would be tried by the browser.
Or
https://your-portal.your-hostname.tld:8003/index.php
Better, but it will fail as
https://your-portal.your-hostname.tld:8003/index.php?zone=CPZONE1
The zone paramter has to be present, with a valid ID so 'pfSense' knows what portal instance is accessed.
A valid ID is this :

efdc8fa7-cefc-4e7b-a920-6d332d9ff8fd-image.png

without it, the PHP triggers.
The thing is, the fact that it is wrong or absent is detected. The portal user will receives a html page telling that an error happened. But to make this html page, the zone paramter is used, ..... and it was not there. => bug.

Again, normally, this can't happen.
Nobody has to or should type in manually the rather cryptic login URL ......

@Dmc Cheers 🍺

@Gertjan said in Does FreeRadius allow voucher creation?:

activate vouchers in pfSense, you can see a third line showing up on the captive portal login p

Thank you @Gertjan, at first this went little over my head but your solution is genius.

It is all about perspective, essentially hard-coding the password into the code and renaming the field name from user to voucher. This is great approach.

I am going to think about this a little more to fine-tune it further.

To give you some insight, I am essentially operating a coworking space with about 250 users. Ideally, I would like to give each user their unique credentials which i would like to expire and only renewed once i receive subsequent months payment.

Users are restricted to two devices (hence Radius) but it seems like a hasttle having to manually update their exprations. I thought perhaps i can mass print my vouchers in advance and distribute them as soon as payment is received.

However, vouchers are not expired by date, rather time and do not allow machine limitations.

Back to the drawing board.... seems like ill have to take the bullet for this administration task.

@dmchavoc said in Shortening voucher length in 2.7.2:

@Gertjan

What ? Who ? Me ?
You've explained it very well already :

It no longer is permitting 32bits codes for security measures. soo... i guess we can no longer do shorter codes?

Just change the ? for a ! and you're spot on.

What ? You don't like progress ? ^^

I can share my point of view, but you wish you didn't saw it.
First of all, I don't use 'vouchers'. For me, these guy are (were) needed if an Internet needs to be sold. If you just want a fast and easy solution, a user name and password solution works well enough, and has no admin maintenance. Btw : I use it for a hotel, and I'm to lazy to explain to every client every day what a voucher is, etc etc. And make new sets, remove old sets etc.

The user will find the login portal, the will know the room number (the portal user name) and the password is shown in the room directory they'll find in the room. This works for me - and for them.
Dealing with voucher is a, imho, not good alternative as it needs me to baby-sit the system.

When I see this :

error:04081078:rsa routines:rsa_builtin_keygen:key size too small:crypto/rsa/rsa_gen.c:78:

this tells me that pfSense uses existing software (some package, library, whatever) that wasn't created by Netgate. Probably "OpenSSL". And yeah, OpenSSL have their reasons not to allow insecure crypto stuff anymore. They've decides that for you. Normally, not an issue, as we don't care if out TLS connection to connect to this forum is based upon 512, 1024, 2048 or 4096 bits ... our browser handle this for us. This issue become apparent when you uses 'codes' which have to be manually entered, like voucher codes.

@dmchavoc said in Shortening voucher length in 2.7.2:

Findings with help of ChatGPT

😊
Sorry, guys. ChatGPT can be useful for hard questions like "how much eggs for the cake I want to prepare, 2 or 3 ?".
And we don't want GPT to "really" work.
I go for the fictional aspects of it.

@Neverstopdreaming too bad no one ever answered. I'm having the same problem, and it started after I configured carp HA. After entering CP settings and saving without doing any changes it starts working again, like your said. Logs after doing this show a check_reload_status activity followed by a minicron "(/etc/rc.prunecaptiveportal) terminated by signal 15 (Terminated)" message that is what actually gets it back to working.