I put together a one-time-password radius server using this:

http://motp.sourceforge.net/

Not Google, I know, but as Gertjan says, this takes a bit of coding. Alternately, you might be able to write an interface between your radius server and Google, but the details are up to you to find.

Use some javascript to change it in the HTML on submission, it won't require any changes to pfSense code, just the portal page you upload.

Hi,

Without telling more about your setup ?
Well …. euh ..... no.

When a user logged in, check using this doc page : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting and double check that you can find the user's IP and MAC in related tables.

Is their a reason for the fact your are using an (very) old pfSense version ?? You shouldn't - and if you do, do not ask for help, people that know or knew 2.2.4 upgraded for very logic reasons. No one knows what issued 2.2.4 had back then ....

nah no IPs. I allowed these hostnames:

ajax.googleapis.com
fonts.googleapis.com
maxcdn.bootstrapcdn.com

The thing that I can't wrap my head around is that it works in the browser but not this app that pops up "Captive Network Assistant". I also tried allowing the captive.apple.com hostname so device thinks it's got Internet access and there is no more of this pop up but that makes it really inconvenient to authenticate on mobile devices.

I guess I am going to have to try and make pure html and css page and see if that does the trick.

Yeah cookbook is well a cookbook and nothing more. I am glad you suggested the other book so I ended up getting Pfsense: The Definitive Guide and The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall 3rd Edition. I'll be away for a while now hh ;D

@BGS:

The "bits and bytes" solution :
Nail down the place where the test is made if a MAC address should be added to the MAC pass-through list.
Add your own test that skips the "MAC pass-through" adding part IF the login was done with a "voucher".

I don't get this. I'm new at pfsense … sorry ...-.-

pfSense is a software product.
You actually have 99,99% of the source code at your disposal. So the possibilities are unlimited.

I advise you to look for a 4 NIC box.

@johnpoz:

….
  I think its http://captive.apple.com/ but not 100% on that - I believe it looks to see if it can get back a 200 from there, if it doesn't than it assumes its behind a cp or something like.

I disconnected form an AP on the LAN (192.168.1.1/24 - my iPhone was using 192.168.1.25)
It obtains a 192.168.2.139 (my Captive portal is 192.168.2.1/24)
Some non-important local IPv6 hanshaking is also present.

10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Reply NA: address 2001:470:1f13:5c0:2::c6 to client with duid 00:01:00:01:14:20:18:e3:b8:ac:6f:47:2c:77 iaid = 246983791 static 10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Renew message from fe80::75cd:7073:d0a4:bc7c port 546, transaction ID 0x1239AA00 10-06-2016 10:03:20 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: Sending Reply to fe80::75cd:7073:d0a4:bc7c port 546 10-06-2016 10:03:21 Local7.Info 192.168.1.1 Oct  6 10:03:24 dhcpd: DHCPREQUEST for 192.168.1.25 from 90:b9:31:77:5e:26 via fxp0: unknown lease 192.168.1.25. 10-06-2016 10:03:22 Local7.Info 192.168.1.1 Oct  6 10:03:25 dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 via sis0 10-06-2016 10:03:23 Local7.Info 192.168.1.1 Oct  6 10:03:26 dhcpd: DHCPOFFER on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0 10-06-2016 10:03:24 Local7.Info 192.168.1.1 Oct  6 10:03:27 dhcpd: DHCPREQUEST for 192.168.2.139 (192.168.2.1) from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0 10-06-2016 10:03:24 Local7.Info 192.168.1.1 Oct  6 10:03:27 dhcpd: DHCPACK on 192.168.2.139 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0

Note : the DHCP server on pfSense tells my iPhone that DNS, Gateway, etc etc == 192.168.2.1 == the Captive portal 'pfsense' interface IP.
I'm still figuring out why I should use the DNS from "Google". Upfront, my FAI proposes two DNS's when pfSense opens a WAN connection. They always worked fine.
It's imprtant to understand that my visitors devices on the Captive portal have only 'pfsense' as a DNS server.
pfSense itself uses the DNS that came with the WAN connection.
That is the default setup.
Works fine for a decade now.

As soon as the link goes up (wifi in this case) the iOS launches a http request to http://captive.apple.com/hotspot-detect.html  :

10-06-2016 10:03:26 Local5.Info 192.168.1.1 Oct  6 10:03:29 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:29 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:27 Local5.Info 192.168.1.1 Oct  6 10:03:30 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:30 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:28 Local5.Info 192.168.1.1 Oct  6 10:03:31 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:31 +0200] "GET /hotspot-detect.html HTTP/1.1" 302 5 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" 10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.1" 200 849 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" 10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:32 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:32 +0200] "GET /captiveportal-style.css HTTP/1.1" 200 836 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" 10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:29 Local5.Info 192.168.1.1 Oct  6 10:03:33 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:33 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:35 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "POST /index.php?zone=cpzone1 HTTP/1.1" 200 635 "https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" 10-06-2016 10:03:35 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-346 wispr" 10-06-2016 10:03:36 Local5.Info 192.168.1.1 Oct  6 10:03:39 pfsense.brit-hotel-fumel.net nginx: 192.168.2.139 - - [06/Oct/2016:10:03:39 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1536 "-" "CaptiveNetworkSupport-346 wispr"

Btw : I'm using https portal authentication. This is just a detail.

I was able to get this resolved.  It turned out to be a problem with my switch.  I backed it up, defaulted it and restored the config and everything started working.

@itchy:

Can you provide some more details?

This has been taken care of a long time ago.
https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
The firewall rules "ipfw" redirect all http requests to the internal web sever that displays the login page IF the user's device hasn't been granted access already.

If a user's device has been granted access, the firewall rules accessible in the GUI determine what happens.

edit : great : I'm actually saying the same thing as Derelict.

You would have to create another pool for your dhcp server on your cisco.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html

https://redmine.pfsense.org/issues/6421

Hi. First of all thanks for your responde

I used 1 minute idle time just as an example, but I have done much more testing with differents time and same result.

When authenticated MAC is not present on Captive Portal / ZONE /MACs because I'm not ussing MAC passthrough.

I'm asking to see if anyone have found a way to get it working because it become a problem for us. I have worked with other WiFi system (much more complex) like Aruba and I have never have this problem with MAC auth and Radius server.

We don't want to use MAC passthrough because we lost, for example, accounting information.

Regards,

Hi Gertrjan

thank you for replying, what you suggest would work i'm sure, but we have a policy where management of all assets is done on a specific Vlan (Vlan 20).
Unfortunately, I am unable to change that, policy, but as it happens, I resolved the issue earlier today, only just got home to update with the soultion.

I actually had done everythig correctly in pfSense, the problem was the guy who had set up the Cisco 3560, had applied all the three vlans to the trunk port as I had requested him to do, but he also had in the Cisco interface config the line 'switchport native vlan 20'.

I got him to remove this line and everything now works, so i've spent this afternoon setting up firewall rules blocking access to the and from the opt 1 vlan from the lan and wan for security, and blocking access to the management interface from the WAN and LAN interfaces too.

Tomorrow will be the big test day, but I quickly checked everything before I left and it seems to work perfectly, only access the webgui and ssh from vlan 20 and nowhere else.

Thank you again for the suggestion
Regards
Tony.

Hi,

Why ?
Your captive portal is on a boat or plane ?  :)

I advise you to check it out with a host name that changes often (some kind of DDNS host).

You'll be in for a surprise.

(you can see it in action here : enter SSH, and type

ps aux | grep 'filter'

You will find :

root      16520  0.0  0.1  23096  2708  -  Is    2Aug16      0:18.58 /usr/local/sbin/filterdns -p /var/run/filterdns-[ZONE]-cpah.pid -i 300 -c /var/etc/filterdns-cpzone1-captiveportal.conf -y 2 -d 1

which means :
Every 5 minutes, resolve all host names from the file "/var/etc/filterdns-[ZONE]-captiveportal.conf" and writes (changes) the IP's into the captive portal's "ipfw" (the captive portal firewall).

Also, check out this file

cat /var/etc/filterdns-[ZONE]-captiveportal.conf

(change [ZONE] for your zone name)
this is the list with the host names you entered into the list used by your captive portal.

So, the final answer to the question "How can I refresh the CP Allowed Hostnames IPs table" is : you don't, it already been take care off.

Have you tried to add the VPNs DNS IPs to the Allowed IP Addresses?

If that works then you may request a feature to pfsense CP for having a per MAC address Allowed IP Addresses.

I realize that the CP can not be active for the DC/DNS.  The DNS needs continues and full access to the internet to be able to resolve the addresses.

If CP were active the DNS will fail and therefore every machine pointing to that DNS will fail.

So not working CP in this DC/DNS is probably an intentional design in pfsense.

I guess that if I want to control some bandwidth in this server I will have to add its MAC address in the CP and some how hardwired the MAC to freeradius.  That is for another thread.

So the problem solved itself. Propably it needed a while to let the changes take effect at all clients.
Some web pahes still didn't redirect to cp login, but it showed up it's because of https…