Awesome, I might need this (not exactly, but same code area), because I want to present an after-login page but also a clickable link to the initially requested page, or even open it in a new tab (with JS). Thanks a bunch.
Sorted, many thanks
Removing the cookies resolved the problem and I now get the box back again.
When I click to disconnect, the connection does actually now disconnect.
Why should I take a look? I know how it works.
NO PHP WILL BE EXECUTED ON THE SERVER until the client makes an HTTP request. Whatever is in that PHP script, it is completely up to the client what is done with it.
What is so hard to understand? I'm out.
@The:
I tend to put www.apple.com in as a host name passthrough. Works fine then.
This could be one of the ten or hundred different URLs hard-coded in iOS.
When you have the change the random "www.apple.com" is used, the iOS thinks it is connected to the net …. and the pfSense Captive portal will still block the portal client to visit any other site
Just Wireshark your portal connection, you probably will not even find a "www.apple.com" (DNS) request .... so why allow it?
Thanks Gertjan… I've been too busy lately....
What I'm doing now... I'm just making sure the config file is actually getting written... that's until I get an SSD...
I'll do as doktornotor says...
I was actually trying to thank Gertjan not Doktornotor...
@Gertjan:
@Chrisiesmit93:
Can I kick users authenticated through RADIUS (MS Active Directory) from CLI or a .php script on another host and/or webserver?
'kicking' means 'disconnecting' means the Captive Portal firewall rules should be modified. So something has to execute on pfSense to 'kick'.
Putting a script on another system won't do 'the job'.
Btw: User IDs are stored in a SQLite3 database on the pfSense file system (see source for the "how to access and retrieve").
Thank you! This is what I searched for! :)
People have devices that constantly request web pages and they just sit there and run and run and run before the user navigates the portal. It could be hours or days.
Good advice ^^.
Also, sometimes clients get confused and simply reload the portal page. After they hit login, is there a CP entry created (Status > Captive Portal)? Also check the Portal Auth log. After they hit login, did you try manually navigating to other sites?
As described in this post: https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428 there seems to be an issue in the Freeradius2 implementation in pfSense.
I solved the problem as follows :
1. in Freeradius-LDAP enabled Authentication and Authorization.
2. Set Group Membership Filter for AD : (|(&(objectClass=group)(member=%{control:Ldap-UserDn})))
Saved Configuration
3. Inserted in radius Users File first line : DEFAULT LDAP-Group == "AD-Group Users have Access", Auth-Type := LDAP
4. in freeradius sites-enabled/default authorize-section disabled the ldap part ( here line 207-210 : #redundant {
ldap
ldap2 disabled
#}
You have to disable this every time the freeradius configuration changes and is saved!
5. restart freeradius :)
@Derelict:
I don't think the portal cares how many users are using the same credentials. All my users show as "unauthenticated" and it works fine.
Who honestly cares if passers-by use the network? Toss a limiter on it to curtail torrenting and help keep one device from being able to hurt you.
The nasty stuff like DHCP pool exhaustion can be done without going through the portal anyway. A better answer is a WPA2 passphrase.
Thank you and you are right.
I might end up using a WPA2 passphrase and an unauthenticated captive portal to display the AUP upon login and make use of the limiter.