• CaptivePortal Problem Bandwidth with Squid Cache Server

    1
    0 Votes
    1 Posts
    376 Views
    No one has replied
  • Accounting base on the zones behind CP

    1
    0 Votes
    1 Posts
    323 Views
    No one has replied
  • Persistent clients across reboots

    2
    0 Votes
    2 Posts
    399 Views
    GertjanG

    Hi,

    What about pfSense => Services => Captive Portal => [zone] => Configuration => Enable Pass-through MAC automatic additions ?

    It's better to auto purge non-authenticated clients, use at least one (big) time out value - don't leave them empty.

  • Captive Portal with data usage limits

    2
    0 Votes
    2 Posts
    1k Views
    GertjanG

    Hi,

    Look up all posts related to "FreeRadius". It's a package for pfSense and can probably do what you want.

  • [Solved] Modify nginx file

    6
    0 Votes
    6 Posts
    1k Views
    H

    @jalegre:

    @heper:

    don't know what you are trying to do, but you can just upload new html 'templates' through the GUI …

    Hello heper,

    the problem I have is that, on my pfSense server I've configured almost 10 captive portal zones. So beyond number 8, captive portal service didn't start. After reading nginx config files I saw that 2 of them were listening on the same port, I've tried to change it manually but the server doesn't consider this kind of modifications.

    This is why I've opened this topic

    Regards

    this sounds like a bug. if it is, please report it on redmine.pfsense.org & explain the error & fix

  • No internet on LAN interface

    2
    0 Votes
    2 Posts
    388 Views
    GertjanG

    @TheHitchhiker:

    PfSense WAN(192.168.1.14) connected to Router(192.168.1.1) which has DHCP enabled. So far, everything is fine on this interface.
    PfSense LAN(192.168.2.254) with DHCP enabled, …....

    stop stop.
    First : check out your LAN network.
    Hook up a PC. A PC you just received - a brand new one, these always work.
    It should receive an IP - because dhcp was asking for it. Like a DNS a gateway.

    If that works, perfect.
    (but do explain to me why not using 192.168.2.1 as a pfSense IP - why 192.168.2.254 ? - you took care of the dhcp pool )
    (What about pfsense 192.168.2.1/24 AP = 192.168.2.2 (static) and pool 192.168.2.3-192.168.2.254 ?)

    Continue :
    @TheHitchhiker:

    connected to an AP(192.168.2.10) in bridge mode. ….

    Perfect.

    @TheHitchhiker:

    Now here, when enabling captive portal, I set the clients under the AP to use DNS of LAN interface, ….

    What ?? Where did that come from ? You shouldn't modify ANY settings on your PC / iDevice / whatever.
    You should NOT create the situation that you have to setup every device that visits your portal network.

    @TheHitchhiker:

    users are redirected to the portal, but then after authenticating, I have no internet access.

    What are your firewall LAN rules ?
    Did you modify your captive portal "html" file - upload your own ?
    Did your device (PC) obtain a gateway ? DNS ? What are these ?
    This https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting covers 99 % of all troubles.

    @TheHitchhiker:

    I added allow rules, to let in traffic from/to the internet on LAN interface but no luck.

    Normally, to begin with, to have a setup that works :
    NO rules on WAN
    NO NAT
    NO rules on the "LAN" interface - the global PASS rule ON LAN (== everything that comes INTO LAN interface from your LAN network, passes) which means : The captive portal setup on LAN (although NOT the best setup **) works with a minimal - read : none - if not no setup or changes have been applied on the interfaces

    ** best will be : Captive portal on separate OPTx interface.

  • Https problem

    5
    0 Votes
    5 Posts
    1k Views
    GertjanG

    @jimp:

    If you have a current version of Chrome it should see the cert error, try an HTTP portal test, and then automatically open a new tab with the portal login. At least it does for me.

    I do have HTTPS portal enabled with a valid cert (LE/ACME) for my hostname set on the portal config, and a host override pointing that hostname to the CP interface address. But last time I tested it, it should work with an invalid/self-signed cert, basically any unexpected HTTPS response, including a timeout, should kick in Chrome's portal detection.

    Firefox pops up its little portal detection bar with a button to open the portal either way.

    Good to hear all this :D I didn't even know that our browsers are also "captive portal aware" these days.

  • Number of Simultaneous Connections

    2
    0 Votes
    2 Posts
    649 Views
    GertjanG

    Like this :
    You give away a login + password.
    The first time the user logs in, the MAC of his device is attached to this "record". Further logins need a match against password AND MAC.

    I'm pretty sure that (Free)Radius can be taught to do just that.
    You need to define some policies, rules, settings or whatever they call that when you set up FreeRadius.

    Btw : MACs can be spoofed rather easily.

  • Concurrent 2 device login with same username

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG

    This :
    @gadgetguy:

    …  I don't understand how to debug the comm between pfSense and FreeRadius....

    is a method I use so I understand what two processes exchange. Like a database server MySQL can be put in some sort of debug mode, and log all the communication it receives, I'm pretty sure FreeRadius has the same mode.
    If everything works, then all this is not needed. You are condemned to check out your needs and curiosity, and look in the "manual" how to implement it.

  • Limiting number of devices per user in Captive Portal + Free Radius

    5
    0 Votes
    5 Posts
    3k Views
    GertjanG

    Read also : https://forum.pfsense.org/index.php?topic=136951.msg749960#msg749960

  • How to reduce vouchers code ?

    2
    0 Votes
    2 Posts
    1k Views
    GertjanG

    Hi !

    Google : pfsense vouchers shorter
    Have a look at the first link.

  • How to limit 2 devices per user login ?

    6
    0 Votes
    6 Posts
    748 Views
    Z

    I have the same issue.
    I want to set up pfsense so that 1 username is able to connect on 2 devices.
    If I enable Concurrent user logins, it will open to many devices. How to make it only limit for 2 devices with same radius server?

    Thanks.

  • Different bandwidth between portal users.

    2
    0 Votes
    2 Posts
    337 Views
    GertjanG

    You need Radius support.
    A reply - somewhat - starts here : https://forum.pfsense.org/index.php?topic=108493.0

  • How to print vouchers

    7
    0 Votes
    7 Posts
    3k Views
    J

    The app is only for printing the vouchers.
    You need to create a .csv file in pfsense, then import it to the app.

  • Captive Portal - Local User Database vs Freeradius

    2
    0 Votes
    2 Posts
    829 Views
    GertjanG

    @stinkfly:


    Any other considerations like supported number of users, security etc;  Have others gone through this thought process?

    Check out this thread - in the very same forum where you posted : [HOWTO] Captive portal + FreeRADIUS + local MySQL user friendly single step

    There is no such limit as "supported users" : your bandwidth will be depleted way before user authentication starts to crawl. Captive Portals with thousands of users online have been seen already.
    Security : well, depends how you set it up ;)

  • Error sending request: no valid RADIUS response recieved

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    Could be anything, not enough detail. Basically the error message means that it tried to send a RADIUS request but it got nothing back.

    So it could be pointed at the wrong RADIUS server or port, it could have an incorrect NAS secret set, could be something on the RADIUS server (no entry for the firewall as a NAS, for example)…

    Check your logs on pfSense and on the RADIUS server, maybe run a packet capture and see what you show for RADIUS requests on port 1812.

  • Captive portal registering through email

    2
    0 Votes
    2 Posts
    661 Views
    GertjanG

    @Thilroy:

    …. then receive a confirmation link to activate their account...

    Keep in mind that portal clients have very limited possibilities when he/she hasn't authenticated yet. DNS works - DHCP works, and that's it.
    So "receiving a link" (by mail) is impossible.
    Fat mail clients - web mails etc won't work at that moment.

    @Thilroy:

    Is this in any way achievable with pfsense ?

    Well, yes.
    My pfSense makes coffee with the mouse click  ;) (no joke, it does)
    It's all about : you have to code this one up.

    edit NPS server : I don't see how a "Windows NPS server" would help you if some Portal visitor with a (example) "Android device" hooks up to your network.

    edit again : I do remember that "Mac Donalds" does have port "110" and "143" open up front, and better yet, they intercept the connections using these ports, they "intercept" your mail address (yes .. yes, they did) and …. when my mails came in, I also received a mail (on ALL my mail accounts) from them with HouseRules, "Welcome" & "More burgers .." etc etc. I think they abandoned this procedure ^^ (and all my mails pass along using "993" / "995" now - "Mac Donalds" doesn't do MITM yet ...)

  • No authentification page when I connect to the wi-fi

    3
    0 Votes
    3 Posts
    470 Views
    The Computer GuyT

    First things first.

    Does the internet work if you turn off the captive portal? If not, check the rules on that interface.

  • Captive portal blank page on mac devices

    3
    0 Votes
    3 Posts
    787 Views
    GertjanG

    More info : https://forum.pfsense.org/index.php?topic=136370.0

  • Captive portal 404 error

    2
    0 Votes
    2 Posts
    4k Views
    GertjanG

    I have a few tips.

    But first : you are using the latest (2.3.4-RELEASE-p1) version, right ?
    If not, well ….

    Start by saving your config for later analysis, and bring all settings to default.
    Leave LAN as proposed.
    Setup your WAN connection.
    Now, check that you have an Internet access from any device on LAN - and pfSense of course.

    Create a group called "portalusers", and assign it this privilege "User - Services: Captive Portal login".
    Create a user "test" with password "test", make it a member of the portalusers group.
    Activate captive portal.
    Set "After authentication Redirection URL" : set it to whatever, but something correct like : "https://www.google.com"
    Authentication method ; select "Local User Manager / Vouchers"
    Save - the portal is running now.

    IF you use LAN as the interface for the captive portal, no need to add or touch the 'hidden' GUI firewall rule (actually, you can't - it's hidden) . The default 'pass all' rule will do for now. DO NOT ADD anything. It's ok like this.

    Now, it's time for some basic checking.
    On the device you use for testing, BREAK the connection (rip out the cable - switch off the wifi radio).
    Activate it.
    Get a command prompt ( run cmd, open a shell session, or, at least, go view network connection settings)
    CHECK if you obtained an IP - which MUST be in the range of the DHCP server that's running on the captive portal (your LAN or OPTx interface on pfSense).
    This implies that DHCP (client) must be active on your device.

    Check also : what is the gateway on the device ? Must be the IP of pfSense. The DNS MUST be pfSense also (same IP gateway).

    Now, for the most simple test - and most f*ck up here : ping to google.com (NOT to 8.8.8.8 !) do this : "ping google.com".
    There will be NO ping replies but the name resolution part (translating google.com to 216.58.198.206) should work. This shows you that you can not reach the internet, but, somehow, DNS still works. DNS HAS to work, otherwise the captive portal doesn't work - or "no device on the LAN will work".
    DO NOT use the DNS Forwarder - use the default DNS Resolver on pfSense. ( This is part of the golden rule : keep everything to default except if you know how to deal with it )

    Bookmark and read this : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    Now, when your device has an IP, a DNS and a gateway, you see that you do not have to open a browser (you shouldn't do so - if it has a default home page to a https site, things will break because your browser will NOT accept replies from any site except this https site).
    So, a browser will pop up automatically - windows launches one after a popup, iPhone/Pad will do so by themselves, Android : I don't know but I guess they do
    This browser will go to some http:// site and, by magic, gets redirected to the page that the pfSense serves : our built in login page.
    If credentials are ok, you will get redirected to our "After authentication Redirection URL" which proves right away you are connected.

    Note : it takes 5 times more time to write this up as setting up basic captive portal access using pfSense.

    Btw :
    "even activating DHCP …." ?? without it you'll be an expert to make it work.
    "activated a Proxy on the browser  " : What ? Why ?
    Do not edit the default login page except if you have some minimum html knowledge, respect the minimal 'html coding' as shown on the captive portal settings page.
    "do not start with radius" or whatever (proxies like Squid) . radius is nice if you know what it is. Know how to set it up. And, most important, know how to debug it, and know how to debug the inter communication between pfSense and radius. As usual, hours and hours of reading will reduce setup time to minutes.
    Do not make complicated setups: keep it simple. These tend to work for years - mine does now for nearly a decade ( !! ).
    Read - but do not trust - what you find on the Internet. Most isn't recent, talks about old versions - ALWAYS miss an essential thing (up to you to find what it is). pfSense.org pages are valid, the rest is just a story of a guy writing up something once.

    Always make a minimal working situation first, then add very small steps towards your final setup. When errors are shown you can focus very easy on what went wrong, and go back to the working situation "with one click".

    The captive portal can work on LAN, but it really works best on a separate, dedicated interface, like OPT1. You can put on that interface special firewall rules for captive portal users. This is a chapter of itself, and depends on what kind of visitors you have on your portal.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.