hi again Derelict, thank you for the reply.. i already tried reverting the landing page to the default page.. however, it still producing the same error.. i already tried adding the privileges for the user, which is enable the captive portal login,but it still doesnt work..

The service status there is only for the web server process that serves the portal page. So the question is what's happening to the lighttpd instance that runs CP. There should be something about lighttpd in one of the logs (probably system) somewhere. It wouldn't be a captive portal related log.

thank you very much, i still need to modified my html page.. haha, and thanks for the link, i will check it out later ;)

Hi,

I'm using the same version: 2.1.5-RELEASE (i386)

Right now, I count 7 iDevices on my portal network. I asked, a,nd found 6 IOS 8 devices. Btw: using one myself right now.

The only difference with my setup and yours: I do not use radius neither "squid3 as a transparent proxy and squidguard to filter urls". Be carefull with "extensions" they can make things better, or break it altogether.

@simply:

What table are the user accounts supposed to be stored in ?
My greatest desire to store all user info on the DB.
Thanks for the reply.

DB? Table?
Yes, LDAP can use databases. It's up to you to configure a database backend for your LDAP Server!

I use the OpenLDAP build in database, no fancy backends.
Here are some relevant LDIF Files:

dn: ou=users,dc=bewoelkt,dc=lan ou: users objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=groups,dc=bewoelkt,dc=lan ou: groups objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: uid=jho,ou=users,dc=bewoelkt,dc=lan objectClass: top objectClass: radiusprofile objectClass: inetOrgPerson cn: jho sn: jho uid: jho description: Radius User Joerg Hochwald userPassword: PWhere radiusReplyItem: WISPr-Redirection-URL+='http://www.bewoelkt.net' radiusReplyItem: WISPr-Bandwidth-Max-Down+=1024 radiusReplyItem: WISPr-Bandwidth-Max-Up+=1024 radiusReplyItem: WISPr-Location-Name+="FFM01" radiusReplyItem: WISPr-Location-ID+="01" radiusReplyItem: WISPr-Max-Daily-Session+=3600 radiusReplyItem: Simultaneous-Use+="0" radiusReplyItem: Max-Daily-Session+='3600' radiusReplyItem: MHS-INT-Site+="Default" radiusReplyItem: myHotspot-Group+="Guest" radiusSessionTimeout: 7200

Just include the Radius Schema in /etc/ldap/slapd.conf:

# Radius include include /etc/ldap/schema/radius.schema

Now create a file (schema.conf below) with the following content:

include /etc/ldap/schema/radius.schema

And import the Schema to your LDAP Server:

slaptest -f schema.conf -F testdir/ ldapadd -Y EXTERNAL -H ldapi:/// -f testdir/cn\=config/cn\=schema/cn\=\{0\}radius.ldif

The Schema above works fine with pfSense. Just did some tests with 50k Users (imported via LDIF).
There is only one problem: The RADIUS didn't return all radiusReplyItem configured in the example above. But I didn't find the time to dig into that issue. All relevant infos are parsed :)

For mySQL: You will find a lot of good howtos via Google (Remember, this is your friend) ;-)

Not in the portal itself but probably in the firewall advanced rules for the rule that passes outbound sessions.

In advanced options you have things like:

Maximum state entries this rule can create
Maximum number of unique source hosts
Maximum number of established connections per host (TCP only)
Maximum state entries per host

No comment on whether this will enhance or degrade the user experience.

/var/etc

No.  The CP is a man in the middle.  HTTPS is designed to prevent the same.

I don;t have time to look at captiveportal.inc today.  Try it without vouchers.

Also if you are using a custom portal page try using $my_redirurl instead of $redirurl for redirection.

You probably need to make VLAN 10 a LAN on pfSense and put all the clients behind it.  To activate the captive portal requests to port 80 need to be sent to the pfSense interface.  This usually means it needs to be the default gateway of the clients.

If you put the pfSense WAN on VLAN 1 and LAN on VLAN 10 and let pfSense handle all the DHCP for VLAN 10 it would get you there.  You should also be able to forward DHCP to another server if required.

You'll also probably want to disable NAT in pfSense (switch to manual outbound and delete all the NAT rules.)

is there is any answer

@Gertjan:

And, here it where it all starts:
Look in this directory : /usr/local/captiveportal

Even more important:
Get yourself a decent editor like Notepad++ or even better: UltraEdit.
A FTP client that supports SFTP. Activate SSH access to your pfsense box (if not already done).
Most if not all files are pretty self documenting.

pfsense itself (the GUI): /usr/local/www

thanks!
I'll be using vim-lite though.

@Derelict:

Yes.  Users that don't need the captive portal on one interface, users that need to go through the portal on another interface with the portal enabled.

Or you could put them all on one interface with passthrough MAC address entries for the NICs that don't need to go through the portal.  Two networks with different access policies is how I would go.

Ok thank you very much for your sugesstion. I will try with with MAC address passthrough first, because it sound more fit-able to my network condition. If not work, i will try with the other solution 2 NIC.

What was the configuration issue?  Can you post the resolution?  I am also having a problem with 2.1.5

@Derelict:

Static DNS on the clients perhaps?

YES!!! That was the problem!!!

Static DNS entries in client machines! After I removed them, CP starts working! Great!

THANK YOU!!

@kapara:

….
iphone will not redirect at all!

Strange.
iDevices are always the fastest devices that show up the portal authentication page (I use a local user setup). Using 2.0, 2.1.1 up until 2.1.5
Never ever had any problems with those, because they will, as soon as the Wifi connection is up, throw out an Apple test URL that provokes the auth page being showed.
The "help - I can not connect" question is very rare at our local reception desk (Hotel).
People just connect.
Then, often, they can't login because it asks for a 3 digit "room number" (remember, this concerns a hotel - with doors and key the mention this number) like "202". They phone the redeption ….
The password is being indicated on the login screen ( !! ) they should retype or copy it. It's 'climat' btw.
They can't find it ......
(I guess intelligence dropped heavily last years in France ... I think .... I still don't get it ;) )

On the other hand, I know some setup have difficulties to show the portal page, which is normal as client lauch their conection with an initial https://….  request. This is normal.