Hi

I have a similar problem. I'm using captive portal with an external radius server. The radius is running ZeroShell. I was previously using only ZS on this particular installation but now I have the need to incorporate pfSense. The two machine are talking to each other without a hassle. Problem is that when I use ZS captive portal it will deny access to a user with no credit but when pfSense is that captive portal there is no denail of service, the ZS user account runs well into the negative. I've tried data limits, time limits and cost limits, non of them seem to make a difference to pfSense. I'm using the default login page, could it be the way that pfsense authenticates? in that it submits credentials and only queries of they are correct?

I have interum updates on, re-authenticate every minute, and use radius session time out. None of this is making a difference to the access of "unusable" accounts.
Perhaps I should replace the pfsense login page with the ZS one? the form submission is very different.

Help with this will be greatly appreciated.

Those pushing for a higher timeout know they're talking about absolutely zero internet traffic for 16 hours right?  It means the device is either powered off or is off the property.  All it takes is one internet packet to reset the 16-hour timer.

Oh, I see how I was not clear enough. I meant the management.

That setting should allow the VAST majority of multi-day guests to only have to navigate the portal once during their stay.  And, worst case, they have to navigate it again.

Yes, this was what I was aiming for. I see a lot less logins during the morning period.

Everyone is satisfied.

Your only other option is redirecting https to the portal and generating a certificate error on the client.  If their default home page is their bank, and they do the wrong thing and save the cert you present permanently, you can now MITM their bank.  No bueno.

I have built the computer and I am now running pfSense with the above setup and one interface for LAN and the other for WAN. The remaining NIC will not be supported until pfSense 2.2 comes around.

I do have a bit of an issue with DHCP leases/timeouts and Captive Portal timeouts , but it's somewhat fixed: https://forum.pfsense.org/index.php?topic=80255.0.

Are you sure that roll was generated and nothing has changed with the captive portal since?

If you generate a new roll do those vouchers work?

Thanks for the reply

@buntha:

….
how to Customize Captive Portal Page using php
Fatal error: Call to undefined function mysql_connect() in /var/etc/captiveportal_nbc.html on line 6

Customize the PHP server first :)

pfSense does NOT contain a PHP setup with mysql functions activated - because his PHP doesn't need mysql (neither mssql) functions.

So, the function mysql_connect() is flagged as absent.

Use the search function on this forum, use intelligent keywords like "mysql_connect" and you will find messages on this forum that explain you how to activate the mysql functions.

Hi.

Use a NIC (OPT2) with a portal acces for your 'guests'.
Put a AP in your LAN with WPA2 activatred. YOur emplyee uses this AP to connect to your LAN, no pfsense needed for that. And: he will be in the same subnet, so shareing rescources (Windows PCs, others) work straight away.

Or, share the same captive portal, bind the MAC of the PC of your employee to a reserved IP, and use firewall rules so that he can access local resources.

Btw: your portal interface is running on your
LAN ?
OPT1 ?

Be careful: if your portal interface is on your LAN (bas idea) and your Office network is also on the LAN, then 'guests' can easily access office network resources, because traffic doesn't flow through the pfsense firewall. They do not need to be connected to the portal Interface to access the local network segment.

@GruensFroeschli:

For such a setup you need to add these domains to the whitelist of the CP.
–> "Allowed Hostnames"

Thank you.
Issue has been resolved.

Not missing the point, its just that setting traffic quotas is rarely called for.
As an alternative, you could flash a suitable wifi router with Gargoyle firmware, it has this feature built in. Much simpler than trying to set up Radius for domestic use.

Adapted from http://davidwalsh.name/disable-autocorrect

Same problem only when wan connection failed

I have it working. Thanks!

Ok I think I solved it by simply disabeling all captive portals, restarting and enable them one by one so that the ports wouldnt overlap as they restarted. I also got a feeling that the problem itself could have been an issue where the non-encrypted site took the port and that it kept it while I enabled https so that when using https the port was already taken by the same captive portal site but the non-encrypted version so to speak.

Anyway, I noticed another problem that I seem to have in this version and that is that every time I rebbot the firewall I have to readd the .html sites for the captive portals. The files get deleted on a reboot. Anyway thats another problem for another day.

hello,
thanks for the reply.
with some tests I have already managed to create a PHP page where entering credentials, it is checked whether the user must change his password (with the table "resetpsw"). Searching the internet I found a code to establish a connection to mysql and change the password.
I do not know how to integrate this code in the login page and adapt it to run before the action $PORTAL_ACTION$ that authenticates the user.
thanks

@jhochwald:

More the Bandwidth parameter that we pass him via Radius and/or CP Settings.

Ah …..
This info is also present in the PHP array, loaded when PHP executes.

The PHP code that 'makes' this page "Status => Captive Portal" ( /usr/local/www/status_captiveportal.php ) shows you all the arrays and variables (and how to access them) you need to make your page.

You saw this message https://forum.pfsense.org/index.php?topic=69606.0and ?  ;)