@Gertjan:

Your AP has its DHCP server shut down, router-mode is shut down, etc ?

Yes, it is in AP mode. It offers quite a few modes.

AP Mode
AP router
Client Router
WDS Bridge
WDS Router

and I think a few others, at any rate its in AP mode.

Also, the Mac addresses are shown in PFsense DHCP lease lists, however when the captive portal is on with the Mac pass through, it lets every device passthrough with the first logged in user.

@Derelict:

Any AP does.

If that one is not it is either in a router mode, not an AP mode, or is for some reason proxying ARP or something of that nature.

In either case you are probably going to get a faster reply asking on a forum specific to that product.

I didn't know those existed lol, will do.

It depends on how the solution was made.

What we'd like to see is:

1. Captive Portal adapted to use all settings from the User Manager, including defined Authentication Servers
2. Additional RADIUS settings moved from Captive Portal to the User Manager Auth Server RADIUS options where possible. Some settings may be specific to one portal and not others, but an admin could always define multiple RADIUS server profiles in the user manager to get the same effect, which is essentially what they're already doing now.

In doing that, Captive Portal would naturally pick up LDAP support as an authentication source without actually adding or touching any LDAP-specific code. The problem is adapting all of the RADIUS options in CP to the User Manager and making sure they are used in the correct context.

That is not currently a feature of FreeRADIUS on pfSense, and there are no plans for it.

You might have better luck asking for help on a FreeRADIUS forum/mailing list/subreddit/etc, because anything you need to change would be specific to FreeRADIUS and not pfSense.

Month or two is probably not something you want to task your firewall for.

Yes, that can be increased.

Whether it is enough depends on how much device churn you are expecting.

jimp this is the test for free radius i did when i get the above failed radius message. i am also sending the test result.

user:  shaheedullah
Password: school
sgared secret : cmc


New learnings sir! :D :D :D
I actually didn't know that I can view the voucher number including the time remaining per voucher.

As I randomly checked 10 vouchers from the previously generated voucher, all are fine. Maybe, there were some which are considered invalid.

Anyways, thank you so much sir's for your help!

@yfarouq:

@jimp:

Not nearly enough detail here.

What did you upgrade from?
What did you upgrade to?
What version of the FreeRADIUS package do you have installed now?

Im at pfsense 2.3.4 version, and Im still working with freeRadius2. I had tested FreeRadius3 but the same issues

Please answer all of the questions there. the first two are asking about pfSense versions before/after.

I try Radius 3 also, but it seems to be the same.

I try to check with the Log, but it shows nothing

Under normal conditions it will start automatically. You will have to provide more detail about your specific configuration, including:

Which FreeRADIUS version? If it's 2.x, uninstall that and install 3.x and try again. How is FreeRADIUS configured? You mentioned MySQL, is it supposed to use that? What other options do you have enabled? Show any radiusd log messages from the system log during boot time

If nothing else, you can install the service watchdog package and have it babysit FreeRADIUS to keep it running.

@Gertjan:

Check the backup file you imported.
They are there ?
The file should have a name like config-your-host-and-domaine-20170718085441.xml and is VERY well readable by a human.
If they are NOT in the file, well ….

Just checked and it does have the users.

<md5-hash>531501fb668ac7198544acf912d9c624</md5-hash> <name>qwerty</name> <expires><authorizedkeys><ipsecpsk><uid>2009</uid> <user><scope>user</scope> <password>$#$%^&#%TFSDDFDSR#$</password></user></ipsecpsk></authorizedkeys></expires>

Anyway I'm good as long as the accounts are no longer active.

Cheers!

Hi dude. Did you resolve your problem? Can you share?

Push up …

Any Ideas?

Hi

Thanks, but the ipfw command not working, I have try all commands of this topics

https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting#Zones

[2.3-RELEASE][admin@]/root: ipfw -x guest show
ipfw: Context 0 is invalid
[2.3-RELEASE][admin@]/root: ipfw -x zone1 show
ipfw: Context 0 is invalid
[2.3-RELEASE][admin@]/root: ipfw
ipfw: usage: ipfw [options]
do "ipfw -h" or "man ipfw" for details
[2.3-RELEASE][admin@]/root: ipfw -x zonel show
ipfw: Context 0 is invalid
[2.3-RELEASE][admin@]/root: ipfw -x LAN_GUEST show
ipfw: Context 0 is invalid
[2.3-RELEASE][admin@]/root: ipfw show
ipfw: Context is mandatory: No such file or directory
[2.3-RELEASE][admin@]/root: ipfw -x context list
ipfw: Context 0 is invalid
[2.3-RELEASE][admin@]/root: ipfw_context -l
ipfw_context: Command not found.
[2.3-RELEASE][admin@]/root:
[2.3-RELEASE][admin@]/root: ipfw_context -1
ipfw_context: Command not found.
[2.3-RELEASE][admin@]/root: ipfw -x LAN_GUEST show
ipfw: Context 0 is invalid
[2.3-RELEASE][admin@]/root: ipfw -x 2 show
ipfw: setsockopt: choosing context
[2.3-RELEASE][admin@]/root: ipfw zone list
ipfw: Error returned: Unknown error: -1
: Invalid argument

do you know why ?

The plan is to both have a time limit for the users and to limit the amount of traffic for the users.
Regarding the timing issue, I know that this is difficult when not having a users database to authenticate against. The only way would be to use the device's Mac addresses and to check when they logged in for the first time and then measure the time from then…

Regarding the amount of traffic, I currently use ntopng to monitor and count the traffic the users are generating and as soon as they reached the 400 MB, I add their IP address to the firewall's block list. That's not a really convenient solution, as it involves manual tweaking where I thought ipSense could help...

Are anonymous hotspot really that rare that there's no support needed for such features?
(I think the free WiFi hotspots are becoming more and more common ... I think that the CP in pfSense would be even more attractive if there were more options for anonymous users... But's just my opinion. I still find it a great product and I can get what I need ;-) )

Regarding the suggestion with FreeRADIUS: This would be a great solution, but I have to create the users (i.e. the Mac addresses) first in order to be able to authenticate against the user database. As I don't know the Mac addresses of the customers, this is quite difficult... Best would be if such users be generated on the fly by the RADIUS server...

Didn't we already go over this in this thread.

https://forum.pfsense.org/index.php?topic=133348.0

That you could just create a firewall rule to block access on your wifi router 2 network, and that you didn't need to nat it, etc. etc.