Do you have a URL configured to forward users to after they login? If not, it may be redisplaying the login page since it wasn’t told to do anything else. Try setting a post-login redirect and then see if the behavior is the same.
Those log messages could possibly be related, but it looks more like maybe you were trying the same voucher code on multiple computers.
@snailkhan said in Windows 10 Voucher authentication page reappears after entering correct and valid voucher:
I am struggling with the new interface of the support portals forum to find the edit button for editing existing post.
Replies with new information are better than re-editing the initial post, because edits to the initial post won’t show that the thread was updated to others, or trigger a notification to anyone watching the thread. That said, you can edit a post by clicking the three dots at the end of the “Reply / Quote / Upvote” line under the post text.
@21hertz said in Windows 10 (?) users cant login:
What I can confirm though, is that pfSense still has some sort of bug with “Allowed Hosts”. Sometimes it takes a couple of minutes and sometimes it doesn’t work at all, when you have entered a value / domain.
It seems like the list of domains that you enter in “Allowed Hosts” isn’t applied to the rules as it should. Feels intermittent. This was a actual reported bug in an earlier release (don’t remember which version).
The “allowed hosts” is easy to “debug”.
Add your host, ad then look at the generated ipfw rules (this page is very useful : https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html - it has told many, many portal admins that they shouldn’t break their DNS before operating a captive portal - or, using more common words : Captive portal will not work better as our DNS).
Btw : In case you didn’t know : if you use the Allowed host to let portal visitors visit public Internet sites before authentication, be careful : even the most dull WordPress index page includes tells your browser to search for additional info at Google, FB, and else where. These places - hosts, are of course not allowed, so the principle site seams broken, or even the Allowed host entry doesn’t seem to work.
** Don’t add a host without checking first with nslookup, dig or your favorite DNS tool.
I don’t use vouchers, neither selling access time.
I just need to guarantee an Internet access for my clients.
@gertjan said in Free wifi Acccess on first 15minutes Captive Portal:
tw : I didn’t test drive this - I just read what is explained on the settings page of the captive portal.
@netx34 said in route the ip address after authentication:
then afther the authentication the ipaddress will get change to 192.168.20.1-255.
This can’t happen - not on the network called Internet (Ethernet) as we know it.
It’s the client-device that declares his IP (== static, not a good choice when using unknown , like captive portal networks) or DHCP : it asks an upstream DHCP server for network info.
Forcing a client device to change IP settings on the fly : never saw that before.
What you want needs a smart switch or even router in between with VLAN capabilities, routing rules, and the captive portal to set some VLAN after logging in. I guess with FreeRadius and again, some intermediate hardware, it can be done.
@gertjan That url is broken.
I am using pfsense with unifi (ubnt) wireless APs, and they already introduce Facebook authentication. So there is an alternative to make it work without pfsense support.
I would personally prefer to be able to configure it in pfsense, where I already have most of the networking configuration.
Gertjan,
Thanks for your reply. Fun fact; I’ve managed to do the same thing yesterday and got it working.
Good to see that I’ve done it right. I’ll make sure to check the links your provided!
Thanks again dude.
Cheers,
Lex
Ok… Without some details nothing for anyone to help you with.
Were you just wanting people to know, or did you actually want some help with your issue?
Here from that info this is best can offer
https://www.netgate.com/docs/pfsense/captiveportal/captive-portal.html
@becasist2 said in Voucher tickets fails sometimes after updating:
The devices with the MAC included in those lists can connect without a Ticket, the devices without the MAC in this lists have to put the ticket code in the Portal Captive Index page, am I wrong?
Noop, you’re right - it works like that.
Hi,
@tjthomas101 said in How to create a captive portal without username/password:
Unless anyone has a better idea, I’m still all ears.
Consulting the Chillispot support site ?
(but the solution looks ok to me)
@p3n6 said in Reduce length Voucher:
@Gertjan
Is this being done in pfsense
Yes.
Use the console access, or better, enable SSH access, access SSH (Putty is your friend here) and use option 8.
or do i need to run a command?
Yes.
You asked for non-standard possibilities. You’ll be needing a keyboard.
Can you provide a screen shot?
Never used vouchers myself.
@kjstech said in Redirect all pages to Captive Portal login page until authenticated:
Though finding a regular unsecured http:// page is getting harder and harder to come by these days
No need to find these.
Take an example : an iPhone or iPad (sorry, no pub intended - but I do not have other devices):
As soon as the Wifi comes up, the DHCP negotiation kicks in. When the dust setles down, the OS (iOS) throws out a simple “http” request using port “80” :
http://captive.apple.com/hotspot-detect.html
This URL request gets redirected by our pfSEnse ipfw firewall rules to the internal Captive portal web server :
2018-05-31 02:42:20 Local5.Info 192.168.1.1 May 31 02:42:23 pfsense.brit-hotel-fumel.net nginx: 192.168.2.114 - - [31/May/2018:02:42:23 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1554 "-" "CaptiveNetworkSupport-355.30.1 wispr"
Click on the link : http://captive.apple.com/hotspot-detect.html : it returns only one (viewable) thing : the word “Success”.
If this word isn’t returned, but something else, like our Captive Portal login page, the the OS knows it’s probably behind a Captive portal.
The OS will launch a navigator/browser and repeats the question. Our captive portal shows again - and this time the user sees it - and can act upon.
Microsoft uses the same technic in its OS’s (The Windows stuff) the last decade or so.
So, no need to visit a http://www.whatever.tld site to force an access to the captive portal login page.
At least, I never had to do so.
Note : stupid - non-captive portal aware devices (read : OS’s) , or users with fckd up default system settings can have real troubles connecting. I remember a lot of smartphones and other devices (OS’s dating from the other century), some great firewall software with the “works only at home and no where else” setting … well … correct, my place is not your place.
Devices that are locked down by a hardware lease company, or VPN software that is non-portal-minded can give you some hard time, but, hey, you (the portal users) get what they paid for.
A bug from 5 years ago ?
No one is talking about this one, so I consider it doesn’t exist any more. I was using pfSense 5 years ago, and I never saw this “send() failed (40: Message too long)”” in my logs.
Back then, I remember that I could force pfSEnse (nginx or lighthttpd) to show this message by ‘programming’ a redirect error in my home made captive portal html page (it went recursive, and the web server reply became to long).
When you say “Users can not login” you should also post the firewall rules that you obtained by reading this : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
You can use
Voucher
or
Radius
Not both at the same time at the same portal instance.
This means that vouchers all share the same bandwidth settings, set up on the captive portal page.
FreeRadius gives you the possibility to set a per-user bandwidth setting.
@Gloom:
Silly question but have you put rules in place to allow the connections to the interface on VLAN20 from the subnet?
Hrm What do you mean? Should I need an additional rule besides the Firewall Rule on the mvneta1.20 VLAN IF that allows all protocols/ports to pass?
This is the only rule I have in that IF:
Nice. The progress is the word “Failure”.
This message is the result of one check ( see /usr/local/captiveportal/index.php - at the bottom ) : if the user+pass are in the local user list, access is granted.
A second check is done if you checked “Allow only users/groups with “Captive portal login” privilege set” on the Captive portal settings page.
If these test(s) are ok, you are logged in. If not, a “Failure” is thrown out.
So, if you are sure the user and password are ok when entered, and you are sure they are in the local user manager list, the conclusion is simple :
Consider your system broken - probably a hardware (disk) failure.
If a login works - and after some time (hard or soft time out ?) the user can’t login anymore, then something is not working as it should.
Btw : I’m replying knowing that you did not mention anything about your setup, so I consider every setting is set (kept to) to default (value). It is of course possible that a user logs in, and after time out he can’t login anymore for the rest of the day. Or something like that.
and why can i access other zones’ captives portals just by changing this this is too weird
EDIT nevermind i solved it… i addes multiple rules in the captive portal but i guess something went wrong… can anyone help me allow all those ports without causing any problem ? i suspect that the ipfw rules must have a limit or they are used elsewhere …
can i use any other method to allow those ports before the authentication ? like with a table where there are all the ports and like one or two rules that wont cause any other problem ?
appreciate the help and thanks in advance
here are the rules i tried https://fr.scribd.com/document/379814591/Captiveportal-Rules
PS : the rules worked perfectly but caused many other problems
53 UDP (keep-state and out)
138 UDP (in out and keep-state)
137 UDP(in out keep-state)
389 UDP TCP (same)
88 TCP (same)
445 TCP (same)
139 TCP (same)
135 TCP (same)
and from 49152 to 65535 TCP (same for everyone one of them)
for what i’m trying to do : allow ports for the windows authentication through captive portal to the active directory
EDIT 2 : trying again same problem, the redirection ends up on one captive portal for all interfaces, it’s like something gets messed up. when i get rid of those rules, everything works normally, so how can i allow without having to face such problems ?
EDIT 3 : Solved : https://www.freebsd.org/cgi/man.cgi?ipfw(8)
Yep, it does not work
Moreover what I want to accomplish is different limit per user.
Also I do have checked “Send RADIUS accounting packets to the primary RADIUS server.” and start/stop freeradius
k, I just subscribed to Gold. The current information about Voucher Sync is out of date.
I think there should be at least something that suggests you to enable HASync here: https://portal.pfsense.org/docs/book/captiveportal/vouchers.html#synchronizing-vouchers
Asfar as I understand the current version of that section is that it would be enough to use the settings mentioned.
@Gertjan:
Hi,
Yep, probably true. I see the same thing.
This time the ipfw firewall rules are (still) destroyed, but the session stays present in captive portal SQLITE database : the user seems to be logged in but without ipfw rules they’re hitting into the wall.
Temporarily solution : Finish up you config, and don’t change settings when users are connected
yeah I am doing it right now. I can not even touch it. a very annoying situation
@drduckun:
I’m using wifi controller and firewall connecting to radius server. Everytime user connect to wifi, it will request user input ID&Pass. But this network system don’t have captive portal and use authenticate with voucher.
What Wi-Fi controller are you using out of interest.
The captive portal is not a redirecting thing.
By default, close to nothing get through the interface and when authenticated, the rules on the GUI interface are used.
No redirecting comes into play here … or I’m not understanding how you use the captive portal.
Btw, I believe this is more a wifi-radio connection issue - just cable up a device, not a phone of course, to see if the problem still exists.
@ayruel:
…
I Hope this :
Set to 2 : user can only login ones, further logins using the same identification (voucher or login with user and paswword) will not be granted.
Ask for a Feature request here : https://redmine.pfsense.org/projects/pfsense/issues?per_page=100&set_filter=1&tracker_id=2
The patch : moving a line : https://redmine.pfsense.org/projects/pfsense/repository/revisions/29a272f7361689c87dd7ad9fc1c903e843a1c593/diff/src/etc/inc/captiveportal.inc
Not rocket science.
Some text-editing skills are needed though.
Reduce DHCP lease time.
But keep in mind that the pool should be bigger as the potential number of devices requesting an IP.
If not, you’ll be stressing your DHCP server and your users.
A Captive portal should run on it’s own interface - so a 10.0/16 (65 K addresses) is two clicks away.
