• Query concerning Captive portal download/upload limits

    2
    0 Votes
    2 Posts
    635 Views
    M

    Ok, did a little digging and this does what I need it to do. Sort of: https://forum.pfsense.org/index.php?topic=63531.0

    Ideally it would still be useful to implement bandwidth restrictions only when usage reaches a certain threshold. I suspect there is nothing in the traffic shaping rules which will do this, but thought someone might like to prove me wrong.

  • FreeRadius and Accounting

    4
    0 Votes
    4 Posts
    1k Views
    D

    Not to mention https://doc.pfsense.org/index.php/Using_Captive_Portal_with_FreeRADIUS#Amount_of_Bandwidth

  • Captive portal manual Logout

    3
    0 Votes
    3 Posts
    2k Views
    Gertjan

    @sine_kitt:

    Hi, I want to know: is there a way that users can manually log out from the captive portal? Users get a logout popup window once they have authenticated with CP, but imagine if they accidentally closed that page. What shall we do then? I closed the connection to CP for that user on Status --> Captive Portal, but after that the user won't get any captive portal authentication page till I restart the service from pfSense.

    What about setting the idle timeout to 5 minutes?
    If users come back within 5 minutes, they have access to the net because their device is still on the "permitted list".
    If they come in later than 5 minutes, they WILL have the auth page again.

    There is no real need to have people log out by themselves. Every minute the list of logged-in clients is purged if needed (timed out).
    You control the timeout.

    You can see (test) this by watching the portal log and captive portal status page.

  • SquidGuard ACl to Captive portal Authenticated User

    1
    0 Votes
    1 Posts
    585 Views
    No one has replied
  • Captive Portal and Radius, username in lowercase and uppercase validation

    3
    0 Votes
    3 Posts
    1k Views
    Derelict

    Or this, maybe:

    $auth_list = radius(strtolower($user),$paswd,$clientip,$clientmac,"USER LOGIN", $radiusctx);

    You could also strtolower() the password, but that would just be to let people log in with capslock on.  If you do you need to make sure you also strtolower() the password before you save it/hash it/etc in whatever RADIUS is using as a backend.

    Back in the dialup days we used to have some logic that would lowercase the password and try again if the initial login failed and the entered password wasn't mixed case.  Kept the phone from ringing unnecessarily.  Today, that would just give the assholes two tries for every attempt.

  • 0 Votes
    1 Posts
    721 Views
    No one has replied
  • Message before internet

    2
    0 Votes
    2 Posts
    834 Views
    M

    Just use the "After authentication Redirection URL" to point your users to a page containing a message.

  • front end login on an Android application or in the Windows application

    1
    0 Votes
    1 Posts
    609 Views
    No one has replied
  • $PORTAL_ACTION$ Wrong - Always HTTPS

    1
    0 Votes
    1 Posts
    716 Views
    No one has replied
  • Multiple captive portal services although only one defined

    3
    0 Votes
    3 Posts
    655 Views
    jimp

    It's also possible a captive portal config section was imported from 2.0.x or before into 2.1 and not a whole config. That will happen if the configuration wasn't properly migrated to the zone structure. It may need the entire <captiveportal> section removed (or at least anything outside of the cpzone tags).

  • Question on captive portal setup

    3
    0 Votes
    3 Posts
    621 Views
    T

    The key thing here is I do not want to segment the network here, I just want to prevent access from this interface without authentication.

    As in, I want the DHCP server on the existing LAN to handle machines that communicate with the pfSense box.

  • How to Change 1 Voucher per Device?

    1
    0 Votes
    1 Posts
    492 Views
    No one has replied
  • Error with Captive portal: This computer wasn't used to login initially

    3
    0 Votes
    3 Posts
    652 Views
    C

    Hi,
    This message "Error: This computer wasn't used to login initially" is from the portal auth log. It seems that when the DHCP server reuses an IP address and reassigns it to a different host/mac-address, the IP/MAC pair does not match what's in the online users list for this user. I did put a timeout of 6000 for users to be disconnected from the portal though, but it seems they are not being removed.

  • Newbie - CP for home use, one VPN, the other open and lan?

    1
    0 Votes
    1 Posts
    445 Views
    No one has replied
  • Magic Number - Captive portal

    4
    0 Votes
    4 Posts
    1k Views
    T

    Good morning,

    I would like to know how to calculate the Magic Number in the voucher creation section of pfSense.

    I need to change the voucher characters so that vouchers are created with numbers only,

    and because of that I need to change the Magic Number so that they are validated in the captive portal.

    Thanks

  • 2 captive portal - 1 freeradius - How to configure?

    2
    0 Votes
    2 Posts
    788 Views
    Derelict

    Yes.  Setting the NAS-Identifier differently for each CP instance should enable you to steer RADIUS in the right direction.

    You can use it in the users file as a check item.  It will have to match along with the username and password or the RADIUS server will send an Access-Reject.

    bob    Cleartext-Password := "hello", NAS-Identifier == Teacher-NAS
           Reply-Item += "Reply Blah Blah"

    Or something like that…

  • Possible to refresh a session with a voucher?

    1
    0 Votes
    1 Posts
    479 Views
    No one has replied
  • CP HTTPS without red page

    10
    0 Votes
    10 Posts
    2k Views
    K

    Yes - I see your point.
    For them to get no cert error connecting to your network, your network address would have to be the URL they entered in the address bar.
    Go figure the odds.

  • Captive portal - only redirects IPs

    11
    0 Votes
    11 Posts
    3k Views
    Gertjan

    @Derelict:

    If your clients are not using the pfSense interface for DNS you need to whitelist the DNS servers.  See the Allowed IP Addresses Tab.

    Very true.
    But … a client that uses a "Free Portal network" should obtain an IP (and gateway, and DNS, and NTP server, and ... etc. etc.) from the DHCP server.
    I have already met clients who 'locked' their IP statically ... and then came over to see me, telling me that the "portal isn't working" ... yeah, right ...
    Clients that lock their DNS servers statically will be treated equally. It's fine for me, but if they want to surf on the net, they have the options: 1) switch to default or 2) don't surf.

    All this because there is a rule that says: "guests" should conduct themselves as the "host" proposes ;)

  • Captive portal / HTTPS / redirect / 8000

    18
    0 Votes
    18 Posts
    8k Views
    Derelict

    If you turn on HTTPS logins in the captive portal and the user attempts to connect to a secure site and you forward them to the portal instead, there is nothing you can do to prevent the certificate error.  Think about it.  They tell their browser to connect to https://www.google.com/ and they get some certificate from your pfSense instead that has a completely different CN.  Certificate error - always.

    If you have HTTPS logins enabled and the user attempts to connect to an HTTP site on port 80, the CP will redirect them to the proper HTTPS port on the server name defined in HTTPS Server Name in the portal.  It is up to you to obtain a certificate signed by something in the client's root certificate store and get it installed in the portal.  If everything doesn't exactly match, certificate error generated by the browser.

    HTTPS Server Name
    This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS and verify on the client that the IP resolves to the correct interface IP on pfSense.

    The only way to guarantee certificate errors will not be generated by your portal is to enable HTTPS logins with all the proper certificates and hostnames and to be running 2.2-RC with the "Disable HTTPS forwards" option checked.  You won't get cert errors any more but initial attempts to HTTPS sites will still hang.

    There is nothing, NOTHING that can be changed in pfSense or any other captive portal to "fix" this.  Captive portals break the internet by design.

    ETA: https://www.startssl.com/ for free (really) certificates.  And you'll get an S/MIME cert for email (also free) in the process.  You, naturally, have to have control of the domain(s) under which you obtain certs.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.