Maybe you have 'https login' set?

@LadiesMan217
@and those who do the same :

Be aware that commenting this 'break;' will break "mac mask" support.

@Gertjan said in Strange (occasional) malfunction on captive portal and mac address whitelist:

Do you use several portal instances ?

Yes I use two portal instances:

0314ffa0-fd0b-4c1d-959d-3371f62da1cf-immagine.png

The first one for guest users (MAC white list and vouchers)
The second one use MAC white list and LDAP auth,

Indeed, there have only been reports of problems on the first one and not on the second one (in relation to the MAC white list) but it could be that users use the former much more while the latter is little used except with authentication by LDAP working properly.

Hi may i ask if is this still works on latest pfsense 2.8

@Gertjan

This is beautiful.

I've managed to get things working good enough to accomplish my first-level goals and turn it over to my relief so I get to go on vacation without getting emails about radius. And I noticed from my attempts earlier that as I was making changes trying to get SQL to update the Portal would stop working every so often and need to be restarted, so I'm going to leave things here for now. I was able to brute force a bash script that could calculate daily data usage as a percentage of the cap by poking around the datacounter directory and scp it to my desktop, and my relief will just have to live with the GUI user manager for a few trips.

But when I get back and have more than a couple days I'm going to dig into why radacct isn't updating then work on these changes you've outlined. Being able to view and edit all this through SQL will be a huge advance. (No smart children onboard so I added pHPmyadmin to my synology immediately after MariaDB.)

Thanks so much for this, I really appreciate it.

@regexaurus

This usermod ?

You have to re-polish your definition of pfSense 😊
pfSense maintains a (one !) system wide config. Nearly everything you see in the GUI is stored in this file.
When the system boots, every system or process config file, for example the "GUI nginx web server" config file ( here : /var/etc/nginx-webConfigurator.conf ) is re-created with the GUI settings.
Then the process (nginx) is started, and the GUI becomes active.

The same thing is valid for system users. As you can see; under /home/, every portal user has actually a (limited) system account there.
If you want to change delete or add a user, use the GUI.
Everything you do with the command line will not be persistent, not taken in account, and undone when the related process restart.

'Real' CLI command is still possible, but you need to script things.
For example, adding or modifying a user, see how the GUI does it. Know that, you know how to write your own script.
It could be as simple as modifying the pfSense config.xml file, and then restart related processes.

@regexaurus said in Captive portal + DNS redirect:

Yes, I have ACME set up to request/renew a TLS/SSL cert and added a host (A) record to Resolver, pointing to the captive portal interface, for the CN host on the cert. Under HTTPS Options for the captive portal, I checked/enabled the Enable HTTPS login option, entered the certificate CN hostname for the HTTPS server name, and selected the appropriate certificate from the SSL/TLS Certificate drop-down. After additional testing/tweaks, this seems to be working quite well

👍

@regexaurus said in Captive portal + DNS redirect:

Adding the RFC8910 option seems to be a significant improvement

Easy check to see what device is using the RFC8910 login method, obtained by the DHCP lease request.
The rfc8910.php file, line 97, remove the comment :
Change

/* captiveportal_logportalauth("rfc8910", "EMPTY SESSION", $clientip, $cpzone); */

to

captiveportal_logportalauth("rfc8910", "EMPTY SESSION", $clientip, $cpzone);

and now you'll see all the request made for this rfc8910.php file.
This will somewhat flood your captive portal authentication log.

@regexaurus said in Captive portal + DNS redirect:

but on one system (an iMac running Sequoia 15.4.1 + Google Chrome 136.0.7103.93), with Google Chrome as the default browser, sometimes the system wouldn't automatically load/display the captive portal login. Once when this happened, I manually opened Chrome and simply entered google.com in the address bar. When I did so, this appeared:

Upfront : I use Apple devices like ipads and iphones. My latest Apple computer experiences dated from ... not sure, probably the the Apple II.
Afaik, as soon as the device knows that it is behind a portal, as it will be aware of this as soon as it connects to a wifi or cabled network and the DHCP event will return a the option 41 ID = the URL to a file where it should connect to using a browser.
On ipads and iphones, this is done automatically, as soon as the wifi connection to the portal SSID becomes active and a DHCP lease was acquired.
On iMac OS : behavior could somewhat be different.

Somewhat strange; imho, that you need to type in 'some' URL to force the browser's to show you the login page. The browsers knows their is a captive portal : it showed you the login URL

The Wi-Fi you are using may require you to visit ....

What was the URL you've shown ? Not the host name (I use portal.bhf.tld here on the forum, that isn't my real host name neither). What is the file ? index.html or rfc8910.php ?

That's isn't a may .... the URL shows was obtained by the DHCP request and needs to be visited so a login page shows up, so the user (human) can identify.

Btw : Chrome from Google. That's not -imho- a browser, more a system / user data collector. I'm a FF man, as long as it lasts.
Be careful with commercial browsers, as they tend to not use the system (iMac, PC's) DNS, they go straight to their own DNS server, like 8.8.8.8, most probably using DoH or DoT, so the pfSense Resolver never sees their DNS requests. So pfBlockerng can't work ... DNSSEC can't work .... But, when a portal is used - present in the network -, this won't work.
And because DNS doesn't work for them, they have a hard time dealing with portals.
Rfc8910 should make live easier on us, but if the browser doesn't care, well, then nothing can be done to solve that.
Well, something can be done. Like not using these kind of browsers 😊

@Summer1000 said in CRASH REPORT CAPTIVE PORTAL:

will uodate

?
Oops.

@Summer1000 said in CRASH REPORT CAPTIVE PORTAL:

amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT

and also :

@Summer1000 said in CRASH REPORT CAPTIVE PORTAL:

pfSense-Plus-snapshots-23_09_1-main

I didn't spot the ancient software ...
Yeah, suddenly : you experience ancient bugs.
Good news : solved months ago ^^

And it gets better : I'm using the latest beta 25.03 version, with a captive portal, and it works great.

Ok that was too, quick it seems that this was my Phone cache. The page does not load the uploaded files. Not any of them.
When i use the Preview of the page or use my phone or device, it shows a blank icon where it should show the logo or the background image.
When i click on the Preview button the page opens and show the same behavior like the user Devices, http://192.168.7.1:8002/captiveportal-background.jpg.

@1013215273

Look again at the captive portal settings.
There are no IPv4 addresses to be set.
You have to select an interface, like LAN, or, so what I have, PORTAL (was originally OPT1).

How where why do you want to set "172.16.69.x" ?
What are you trying to achieve ?

@stompro said in Captive portal only works on mobile or Chromebook not yet logged in:

It seems like the GoGuardian extension might be trying to check the captive portal page to see if it is in their filter... but since the captive portal blocks the https connection it tries to make, the extension doesn't allow the page to render.

In my case there must be a 5 minute timeout for goguardian to check a url because the captive portal page will load after about 5 minutes.

It looks like that application is created for a world where there are no captive portals.
Ok, why not.
Use the app, and then don't bring your device to public networks, McDonald's, plains, trains, etc etc etc. Just use it 'at home' and you'll be fine 😊

On the other hand, every OS created since ... not sure, 2012 ? is captive portal aware.
Connect any phone, pad, PC, whatever over a cable ( ! ) or wifi connection and you see that right after DHCP did it's work, the PC got a lease and knows in what network it is, it sends out a http (not https !) request.

Example : Apple device use this request : http://captive.apple.com/hotspot-detect.html - click on it and you'll see what happens.
If the reply on the http request wasn't 'Success', then the device knows it hasn't a direct Internet connection and a portal is presumed.
A browser will open, the same request will be repeated in that browser and the actual answer back will be ... the portal login page.

Using an app that does 'DNS' requests from the start and if it can't do them then blocks/locks up is .... then you can't use that if there is a portal.

On the other hand, some devices are not meant to be used behind a captive portal. A portal is there for the 'public' that wants to use an Internet connection, and don't want to use their own 3G/4G/5G device capabilities (or because it doesn't have a sim card, etc).

@leonida368 said in Captive portale with FreeRadius joined with Google Workspace:

Can you give me some advice on how to do this configuration?

There are a lot of variables there, version of pfSense or Plus, duration of power outage, etc.

Basically, all versions of pfSense support the "Preserve Connected Users across Reboot" option so if you don't have that checked off under Services, Captive Portal, then select the portal itself.
526aaae2-7ec0-46c9-accb-b4f89ee5ae33-image.png

There is also the duration of the lease and settings for idle and hard timeouts:
60091acf-a826-4df5-aa4b-13a21b1431d1-image.png

If you are following the DHCP instructions, your hard timeout will be less than the lease duration but many users of ISC DHCP do not respect that requirement as it allocates the oldest IP next so, depending upon the number of different connections vrs size of lease pool, the IP may remain available for reassignment to the same mac address for days, weeks or even months. This fact lets the DHCP Lease expire and when the device returns with the same mac address, it will get the same IP, thus the fact you set the hard timeout in CP longer than the lease duration is not a problem as when the device returns, it gets the same IP and is still authenticated.

In the Kea DHCP server, the duration of lease retention for assignment to the same mac address is very short, a second or so. In order to address this concern, they support "lease affinity" but just as you mentioned for the default CP authentications, it is lost on a reboot. There is a ticket to change that but it is well into the future.

Redmine 15854 and Redmine 15934 may interest you in regard to this.

@kamu said in téléchargement de l'Appliance pfsense:

je ne sais pas si c'est un problème de région.

Essayez ceci: https://atxfiles.netgate.com/mirror/downloads/

Le ISO doit correspondre à ton appareil (serial or vga)

After much digging into /usr/local/captiveportal/index.php and /etc/inc/captiveportal.inc,
I was able to figure out logic behind Captive portal itself and successfully created custom PHP login page,
now I can collects guests info (with their permissions of course) and store it in Google Spreadsheets.

@Gertjan , thank you very much for help,
now I just need to solve legal and design problems with this page :)

@Dmc said in Captive Portal & Radius Authentication:

Could you guide me how to lookup redmine bug reports?

Here : https://redmine.pfsense.org/

@Gertjan

Yes, i am using interim and also tested it with stop/start

I do not have the logs for the diagnostic mode but the outputs were as follows

concurrent connection limit was set to 1 Radius was aware that user4 was connected 4 times as the radius itself would show me connections would always allow requests stop was only sent if the credentials were incorrect

again, I am not sure if this helps but I was not using SQL. Instead the flatfile radutmp? i think is whats it called was being used. so perhaps that's why it wasn't being enforced properly

7f3ea3d8-fccf-4d74-9205-129c61b22831-image.png

It says to read the documentation but where..? i went through it and only found this, the yellow box I think is referring to the captive portal configuration "first,last, multiple, disabled" so its implying it to be multiple

ee7d1a63-2655-40b3-a426-681527e10bc9-image.png

Source: https://docs.netgate.com/pfsense/en/latest/usermanager/index.html

@Gertjan

Agreed, perhaps ill change my approach and perspective. I shouldn't be punishing the 9 people for one bad player, I can just limit them abusers by IP if I must and have a talk with them for their abuse.

I am really starting to learn that network administration is really simple to talk about "oh, ill do this and that" 🤡 but implementation is just a whole another game. We've been too spoiled with the "one-click" culture 🤡 🤡

@EDaleH

Installed "25.03-BETA (amd64)" ( 25.03.b.20250204.0023 ) - Updated the latest 'kea options' patch as mentioned in this thread : all is ok.

Hi @AYSMAN

Did you happen to find the solution to this by anychance??

I am stumped as well after spending weeks on this... i know my accounting is working fine since its all logged but FreeRadius will not stop the connection after the limit is reached.

Ive setup identical to the OP except my IP is on 127.0.0.1 and listening ports *

Also added the Simultaneous-Connection := 1 to the user profile which didn't appear to do anything.