@comeback1106:

I get this  squid does not work with CP, but how can resolve this.

You can! Get the pfSense and squid sources from Github and start coding.

So I never got that process in the OP to work.
It seems that all config data is stored in the XML config file, changing the HTML files on disk doesn't do anything.

I then tried  some other hack that involved disabling the captive portal and then re-enabling it using cron. That didn't work either.

I just wanted a normal captive portal login during the day, and after hours, a simple page showing the AUP and a button to accept it and get online.

But this did:

Install and configure freeradius; create 2 users, one for normal guest access, one for after-hours access. The normal account has a password we change periodically and only give to known guests. The after-hours account has a simple password, but is restricted in radius to only be allowed to login after hours. Configure captive portal to use radius for authentication. Create custom captive portal login screen with a bit of javascript which hides an entire DIV. During the day it shows a DIV containing the normal captive portal login form. After hours, it hides that DIV and displays another one which shows a different login form, using the after-hours username/password as hidden fields, and a plain ACCEPT button. In morning, I reboot the firewall to boot everyone who might be using the after-hours login still off the guest network.

Since the after-hours radius user is restricted to certain login hours, even if someone does a view source and gets the account info, it won't help them.

Only downside is it relies on the time on the client being correct, but I'm willing to live with that.

I can post the source of the captive portal login page if anyone is interested.

When all users show as unauthenticated, your custom CP code is broken.

That is how all users appear when the No Authentication mode is used.  Your custom page can just have them, for example, click a terms and conditions checkbox and press Access the Internet.

It's a perfectly valid config but there's no login name to put with the CP entry so it uses unauthenticated.

Ok, well problem solved.

Issue was i didn't put the proper interface on pfsense cp & and nps radius client…

Had to be all LAN, even though CP is to be used on the wifi... :P Login from AD works now.

Dear Jim,

adding the IP to the allowed addresses does solve the problem - thank you very much! I wonder why I did not find this based on intuition, but the answer is also somewhat obvious: This was not required in the previous version and thus, one does not think about it.

Regards,

Michael

It just does NOT work that way. Please, actually read on how this works. I already linked it here: https://forum.pfsense.org/index.php?topic=93479.msg518607#msg518607

Sorry for not making this clear: im using the local user not radius for authentication

Thank you for pointing me to the right section .. i can see who are logged in now. Much appreciated.

I would not use VLAN 1 (I'd use all untagged ports on, say VLAN 2 through 4094) but that looks much better if replacing the existing firewall with pfSense is not an option and you just want to use captive portal.

Thank you guys. I will take a look.

This html code https://github.com/pfsense/pfsense/blob/master/usr/local/www/services_captiveportal_vouchers.php#L510
is present in your browser ?
Line "510" is executed ?

A browser cache problem ?
The image file $g['theme']}/images/icons/icon_plus.gif => /themes/pfsense_ng/images/icons/icon_plus.gif exists ? It has the correct owner and rights ?

No, nothing changed in the past 58 days  ::)

Thanks. I manage to figure that out  :)

Oh, I am so sorry. I should mentioned it before. Mine is 2.1.5-RELEASE
And I found correct command.

No.  Captive portals have to be navigated with a web browser.

Break the internet on purpose and you sometimes break the internet.

I can live with that.  Nothing good ever comes easily.  Thanks, Derelict!

Fixed:

I had multiple routes behind a VPC and behind an elastic IP.  the Elastic IP handled incoming, but the outgoing went through an invisible nat outbound.

The server would answer on the EIP, but the response was sent through a different public IP,

AWS doesn't allow hard binding to the public IP< so that was out of the question.  I remove the ECS away from the VPC and assigned the EIP to itself, and gave it another interface for database access.

Problem resolved.

@chris4916:

1 - Providing your WAN IP (furthermore this IP being in the RFC1918 range, meaning not being your real external IP) is useless and not required

Very true.
But be aware for that a new kind of user that exists: the one that checks

Block private networks
When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8).  You should generally leave this option turned on, unless your WAN network lies in such a private address space, too.

and
uses a IP WAN like 192.a.b.c (or 10.a.b.c) as WAN  ;D

CP + proxy -> completely broken. Plus, completely off-topic in this thread.

I removed the three installed packages ( freeradius2 , syslog-ng and vHosts ) and the error is gone.
Then I installed the packages one at a time and restarted pfSense, after I installed the package vHosts (v. 0.7.5) the error reappeared.

pfSense has detected a crash report or programming bug. Click here for more information. ... Crash report details: PHP Errors: [24-Apr-2015 16:21:22 Europe/Rome] PHP Strict Standards:  Non-static method PEAR::isError() should not be called statically in /etc/inc/captiveportal.inc on line 2216 [24-Apr-2015 16:21:28 Europe/Rome] PHP Strict Standards:  Non-static method PEAR::isError() should not be called statically in /etc/inc/captiveportal.inc on line 2229

Follow the lines of code in the file captiveportal.inc ( from 2216 to 2236 ) where the error occurs

2216    if (PEAR::isError($racct->start())) { $retvalue['acct_val'] = 1; $retvalue['error'] = $racct->getMessage(); // If we encounter an error immediately stop this function and go back $racct->close(); return $retvalue;         }         // Send request         $result = $racct->send();         // Evaluation of the response         // 5 -> Accounting-Response         // See RFC2866 for this. 2229 if (PEAR::isError($result)) {     $retvalue['acct_val'] = 1;     $retvalue['error'] = $result->getMessage();         } else if ($result === true) {     $retvalue['acct_val'] = 5 ;         } else {     $retvalue['acct_val'] = 1 ;       }

I think the package VHosts ver. 0.7.5 must be updated to work with the new version of PHP 5.5.23

Writing a small PHP file that parses a CSV file, and imports it in local user manager.
The CSV is the exported user list from your AD.

Syncing password might be the only issue where one has to think.