Cmb thank you for your advise. Actually, i post the question because i wanted to know if the above can be done. Specifically, instead of IP i wanted the user to see a domain name. All of them are connecting with smartphones or tablets by the way. How is that possible?

After digging around, there is post on m0n0wall forum. It seems re-authenticate time interval could be changed in xml config file. http://m0n0.ch/wall/list/showmsg.php?id=312/54 We use FreeRadius and Rodopi billing software. We setup a test gateway and enabled captive portal using PFSense. We did not specify an idle timeout or hard time. We enabled "re-authenticate user every 1 minute". We cannot enable hard timeouts or idle timeouts for fear VOIP customers will get sideways. So our only option is to re-authenticate every 1 minute in order to terminate their service if they fail to pay their subscription. Since the billing system only runs once per day to cut off users (essentially just makes them absent in the RADIUS users file), is there a way to change this 1 minute to 1 hour or 1 day? If so, would I be making resource problems worse by forcing the gateway to track things longer? Yes, its a hidden option in the configuration (meaning you should backup your config, manually adapt it and restore the adapted config) <captiveportal><croninterval>secondsblah</croninterval> othercaptiveportalblah</captiveportal>

I have a new information: I found on radius server the logs about the autentication requests, and they seem all accept; Is it possible activate a debug log on pfsense cp? thank you Paolo

Actually the only thing that i had to change in order everything to work was to change my (&^%$&^%$#) ethernet cross cable. Now everything work. Thank you everybody for your answers.

I just reported the same problem here http://forum.pfsense.org/index.php/topic,62465.0.html with a possible fix. Lets hop :)

Thanks

@sheepthief: Success! 1. Initial problems were down to me having the login page as a sub-subdomain of the wildcard domain. 2. The more interesting problem I encountered after fixing item 1, was that at the login page Opera and Safari threw up certificate warnings, whereas Firefox and IE didn't. ;) than its fine. => yes, thats a problem. I don't know if an "official" certificate registrar ever offers such multilevel wildcard domains (ok, CaCert.org would but that registrar ist maximum only implemented in Firefox as I know) for complete "documentation": that is the CRL URL defined in certificates.   For instance Google:       URI: http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl mmh, when I tried to get cert and ospf uri per request: $ echo -n | openssl s_client -connect www.google.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -issuer -ocspid -ocsp_uri subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com issuer= /C=US/O=Google Inc/CN=Google Internet Authority there is no URL ^^… seems that OCSP ist an additionional CRL to make it more "secure" (looking ^^). ok, other site as example... here it works: $ echo -n | openssl s_client -connect www.amazon.de:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -issuer -ocspid -ocsp_uri subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=www.amazon.de issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa 10/CN=VeriSign Class 3 Secure Server CA - G3 http://ocsp.verisign.com ok, Verisign, you pay much more than at other registrars… so you also should got more out ;) CRL than this way: $ echo -n | openssl s_client -connect www.google.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text | grep -i crl             X509v3 CRL Distribution Points:                 URI:http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl

The Mod_evasive issue is fixed with 2.0.3, that seems to have solved many of the CP problems we were having, in combination with the DHCP timeout changes suggested.  I haven't had a CP issue for several weeks now. Thanks Josh

I see we have different versions and configs. I am running pfSense 2.1-BETA1 snapshot - this has the CP "zone" feature. Also, I have authentication set to "Local User Manager / Vouchers". Thank you for showing your working config of radius authentication. I have radius package installed and so will set it up the same and see the result.

That is sent to the captive portal auth log, so if you setup a syslog server to keep those records as long as the law requires, it should suffice. Though tying a user's external traffic to their internal IP is tougher, for that you may need to setup and keep netflow records for the same time period.

in Captive Portal, you should check "Disable concurrent logins"… when you checked this option, if a user named "frank" logins at his pc, after that if the same user logins at a different pc, earlier session automaticallu closed, and the last session will be current. this means that, somebody can login only once at the same time by using the same username... But if you want that a user can login at maximum 4 pc by using the same username, then in freeradius you should use Simultaneous-Use attribute… @tripplex: how can i change the number of users that can be logged in the captive portal to use the internet.  right now i has no limit so for example if  i create a user acoount= frank: frank can only be logged in once if anyone tries to use his credential it will give them an error message stating that frank already logged in please use a different username and password. something like that somone please help me  :( :( :(

I have been using pfSense 2.0.3 and in this version there are no zones. in /var/etc, lighty-Captiveportal.conf file exists. but as far as I know, captiveportal automatically creates lighty-CaptivePortal.conf file according to the settings on captiveportal.inc and system.inc… The settings about auto-creation of lighty-Captiveportal.conf file, exist in system.inc file for that reason I added the evasive.silent="enabled" line to the system.inc file....bu it didn't work and didn't recognize the evasive.silent @clart: try putting it at end of file in; /var/etc/lighty-ZONENAME-CaptivePortal.conf where ZONENAME is the name of CP zone to apply to.

can anyone help me i want to limit the amount of user that can be logged in the captive portal at a time

doesnt work for me too i saw this post before I post :)

@marcelloc: The steps are: enable captive portal enable squid3 select patch captive portal on squid and save config got to captive portal gui and save config again This way, captive portal rules will forward squid connections to captive portal page if not authenticated. It works great with or without squid transparent proxy enabled including bandwidth restriction! This not working on latest 2.1 snapshot, should it be? I am accessing here (un-authenticated) bypassing the CP using the proxy IP and port setup in firefox

I think I've more or less figured things out for myself.  I would appreciate any input if there's a better or easier way to do this. I started with a fresh install of pfSense.  I disabled all packet filtering because I don't want it doing any of that.  I setup the captive portal following Nexudus's instructions to work with their system.  I bridged the WAN and LAN ports.  I then assigned the bridge to its own interface and assigned it an IP address.  Then, on the client machine, I made the bridge IP address the default gateway. That seems to do the trick. When I try to browse the Internet I get stopped by the capture portal.  I can authenticate, then I'm online just like I'm supposed to be. Now I just have to get this configured to work with the Watchguard.  I've got to figure out how to block Internet access that isn't filtered through the capture portal because someone out there will be clever enough to manually set their default gateway to bypass the pfSense box. If there's a better approach to all of this please let me know, but I think this will work.