• Lighttpd bug?

    4
    0 Votes
    4 Posts
    931 Views
    D

    not really

    I have 500+ users on the portal
    I was thinking, this can make some problems for users loading the CP.

    thanks for helping!

    SOLVED
    close this thread ^^

  • Captive portal - Authenticated users displayed as unauthenticated

    8
    0 Votes
    8 Posts
    1k Views
    R

    Sorry not to have best described my initial configuration and thank you Derelict, it was the problem: for an unknown reason the auth mode was set to none and we also use vouchers (and I'm pretty sure auth portal appeared and was authenticating to ldap).

    I've just set auth mode to radius and now authenticated users appear correctly.

    Thanks for your help

  • Vouchers reported as used and expired, although they aren't

    9
    0 Votes
    9 Posts
    2k Views
    M

    After some time (and receiving a lot of incidents about users that report vouchers that are expired, although they aren't) I finally managed to upgrade our pfSense.

    I have created a clone of the VM, upgraded it to version 2.2.4 and have wiped all rolls. Then created a new roll of vouchers and started testing.

    On this system, no users are active.

    The following happens:

    when I expire a code, this appears in the logging:
    Aug 24 16:06:08 logportalauth[92658]: Zone: guest - CSPZsCnnRiJ (70/61) forced to expire
    I then test the voucher again and it is indeed expired:
    Aug 24 16:06:12 logportalauth[92658]: Zone: guest - CSPZsCnnRiJ (70/61) already used and expired
    when looking in the roll view in the GUI it shows 8 vouchers of this roll are used, instead of one! (see screenshot 1)
    trying the next voucher in the roll says:
    Aug 24 16:13:41 logportalauth[61087]: Zone: guest - hDvRKFaqvqm (70/53) already used and expired
    expiring another voucher:
    Aug 24 16:17:42 logportalauth[61087]: Zone: guest - muhaudiXxhj (70/293) forced to expire
    now the roll view in the GUI shows 37 vouchers are used, instead of only two! (see screenshot 2)

    So it looks like more than one voucher code is marked as used when one is expired.

    These are the logfiles with our tests:

    Aug 24 16:06:08 logportalauth[92658]: Zone: guest - CSPZsCnnRiJ (70/61) forced to expire
    Aug 24 16:06:12 logportalauth[92658]: Zone: guest - CSPZsCnnRiJ (70/61) already used and expired
    Aug 24 16:13:41 logportalauth[61087]: Zone: guest - hDvRKFaqvqm (70/53) already used and expired
    Aug 24 16:16:19 logportalauth[61087]: Zone: guest - m4DeJG7EYrV (70/45) already used and expired
    Aug 24 16:17:08 logportalauth[61087]: Zone: guest - fjRWvZuqATw (70/37) already used and expired
    Aug 24 16:17:42 logportalauth[61087]: Zone: guest - muhaudiXxhj (70/293) forced to expire

    Only these codes were forced to expire: CSPZsCnnRiJ and muhaudiXxhj.
    As you can see other codes are also reported as used and expired.

    capture1.png
    capture2.png

  • Firewall rules for radius-captive portal

    7
    0 Votes
    7 Posts
    1k Views
    johnpoz

    Why not just replace the ancient machine with this new PC you're going to use as your captive portal? 1.2.3 came out what, Dec 2009, so at best you're looking at going on 6 year old hardware the thing is running on. Time to replace!! Not even taking into account all the concerns of running firewall code from almost 6 years ago.

  • Captive portal change with images

    6
    0 Votes
    6 Posts
    1k Views
    N

    index.html contains this form:

  • Captive portal MAC passthrough randomly not working

    2
    0 Votes
    2 Posts
    548 Views
    Gertjan

    @hartung:

    First my personal android phone was always redirected to the portal page (of course, it is in the MAC pass through list) restarting the captive portal and even restarting the entire pfsense did not work.

    If it is on the list, it will 'fall through' and the Portal login page will never show.

    So, be ready for some digging.
    Use THE tool : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    List table 1,2,3 and 4. Two of these contain all the MAC addresses that can pass through.
    Your Phone is on the list ?

    I guess, when the portal page pops up on your phone, the MAC isn't present in the (2) tables anymore.

    @hartung:

    Today, my phone was again able to pass through without any problems, now some other phones and machines here in the office were not able to pass through (all on pass through list), while others still seem fine. Since a couple of minutes, my phone is again not able to pass through. My boss for example has two iPhones (yes, two), one is still working, the other is also keeping redirected to the portal. Happens on different systems, Windows, OSX, Android etc.

    What are you using to bridge between pfSense (the NIC) and your wifi devices ?
    An AP ?
    Is it in bridge mode (NOT router mode) ?
    All devices have good IP's listed on the DHCP server on pfSense ?

  • 0 Votes
    2 Posts
    526 Views
    R

    Here it worked :
    On pfsense box free radius + CP. Freeradius binds to a separate LDAP server.

    I will try to help you when you have posted more info.

  • PfSense - SMS Gateway Integration

    3
    0 Votes
    3 Posts
    5k Views
    M

    There is this:

    http://wiki.freeradius.org/modules/Rlm_smsotp

    Although my personal preference would be to use an app, like one of these instead of an email:

    http://motp.sourceforge.net/#6

    The otpverify.sh script is used with a FreeRADIUS server to generate a one-time six-digit password. The app runs on the phone and generates the password which the user can use only once to authenticate.

    Personally, I've built a FreeRADIUS machine which uses the otpverify.sh/Mobile-OTP combination in conjunction with Active Directory. An 'ldapsearch' script scrapes the AD schema for members of the relevant AD group (e.g. CPUsers), creates the associated PIN and secret, emails the user these details and populates the FreeRADIUS users file with the relevant data. The radius server then uses the otpverify.sh script to check the passcode generated by the mobile app. It is, however, essential that the radius server and the mobile phone/tablet in question are synchronized correctly time-wise. Not quite SMS, but it works.

  • Captive Portal SMS integration

    2
    0 Votes
    2 Posts
    1k Views
    B

    Yes tux. Thanks for the offer to share your knowledge. I'd really want to integrate captive portal to an SMS gateway. This will enable clients to receive login credentials (username and password) based on the information contained in the SMS gateway. bob

  • Allowed hostnames issues for https pages

    2
    0 Votes
    2 Posts
    696 Views
    D

    https://redmine.pfsense.org/issues/4746

  • Authentication Portal doesn't appear.

    9
    0 Votes
    9 Posts
    1k Views
    D

    Sorry, I forgot I don't have a domain.

  • Captive portal for connection time and MAC

    1
    0 Votes
    1 Posts
    629 Views
    No one has replied
  • Solutions for simple CP user management?

    5
    0 Votes
    5 Posts
    2k Views
    E

    I prefer the last of your potential solutions.

    We have an apartment house with more than 120 users with different price models. RADIUS and daloRADIUS is flexible to build customer groups. It was the best solution that I found. It really works. All other solutions have some limitations. Further, daloRADIUS is a separate web solution which can be used by our staff without a risk.

    There are some disadvantages:

    You need another Linux or Windows server to install RADIUS and daloRADIUS.
    You need time to find out how to install.
    You have a further point of potential failure. I use pfSense with CARP (redundant). But if RADIUS or MySQL behind RADIUS fails, the hotspot doesn't work anymore. pfSense has no fallback to recognize a RADIUS error and pass through users in this time. I will try to replicate MySQL and to use the pfSense package RADIUS with two databases. But this needs know-how.

    As you see there is no easy solution with one installer software.

  • High Ping on Lan WHEN Captive Portal is active

    12
    0 Votes
    12 Posts
    2k Views
    Gertjan

    @bqbqr:

    Seems like the right thing to do for keeping my user list .. no?

    You can keep your user list from the 'old' XML file: It's a copy and paste thing between files ;)
    XML files are human readable and have a simple structure.

  • Block ip or mac add for a day after designated time limit

    3
    0 Votes
    3 Posts
    655 Views
    C

    Radius is a bit hard for me. I can use vouchers but I'm using CP for a public network.
    I just saw in our mall that free wifi: enter portal without voucher. No authentication. Just portal page "accept". And after an hour I can't login again. Banned for 24 hours.
    Thanks again.

  • Error on Custom Logout page

    4
    0 Votes
    4 Posts
    2k Views
    U

    Hi Everyone,
    I have been looking for a custom logout page for 2.2.4 but I could not find one. What I've been using in my setup is this tutorial, but it is usable only for 2.1.5: "https://www.youtube.com/watch?v=xk60lg-9o3A". Can you share some ideas on this?
    Thank you.

  • Captive Portal user management

    1
    0 Votes
    1 Posts
    812 Views
    No one has replied
  • Captive portal is not working with gateway

    4
    0 Votes
    4 Posts
    1k Views
    Derelict

    client[10.200.200.50/24]---pfsense opt1[VLAN131 10.200.200.10/24]---router LAN [VLAN131 10.200.200.11/24]---router wan

    All that is on the same subnet. The only possible way that might work is if pfSense was a transparent bridge and Captive Portal can't work on a transparent bridge.

    client[10.200.200.50]---[VLAN131 10.200.200.10/24]opt1 pfSense opt2[VLAN130 10.100.100.10/24]---router LAN [VLAN130 10.100.100.11/24]---router wan

    client has default gateway 10.200.200.10
    pfsense has default gateway 10.100.100.11
    NAT should be disabled in pfSense
    router has default gateway of WAN plus a route to 10.200.200.0/24 gateway 10.100.100.10
    router must perform NAT for 10.100.100.0/24 and 10.200.200.0/24

  • 0 Votes
    11 Posts
    2k Views
    Derelict

    I am beginning to think there is some kind of a db cache file in the PfSense Captive-Portal that is stuck or corrupted or not getting cleared.

    That's about the last thing I would suspect. portalauth.log should log something. You can also run a packet capture on the portal interface and see what's going on. You can do that from remote if you can get into the pfSense captive portal node in question. Save the pcap, download it, and pull it into Wireshark.

  • How to allow other ports in captive portal?

    17
    0 Votes
    17 Posts
    9k Views
    T

    Hi

    Thanks for your answer. Well, PHP is not one of my best sides and therefore I am looking for help here. Maybe a template. I have tried
    to edit the captiveportal.inc as suggested earlier in the thread but that screws up captive portal totally.
    We are using 2.1.5 because we did not manage to get squid with SSL proxy to work correctly under 2.2. This works fantastic in 2.1.5 and is one of our most important functions.
    So the question is still there. Can anybody give us a hint on how this could be done? In the best of worlds we would propose the pfSense team to implement this in the GUI :-)

    Best regards
    Toby

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.