@Derelict: Not really. It sounds like you want to prevent people from having access to your LAN assets until they are authenticated.  Captive portal doesn't do that.  802.1X does. If you want pfSense/captive portal to do it, you have to place the protected assets on one pfSense interface (LAN segment) and the users on another and control access with firewall rules on the interface to which the users connect. If they must be on the same LAN segment, pfSense can't help.  You have to use a managed switch and something such as 802.1x to control access at layer 2. Many thanks for your answer and very sorry to reply very very late. I have finally managed to setup captive portal, I must mentioned that it was with use of 802.1x and  separate interfaces. I tried Vlan approach on on pfsense's Lan interface but that was really taxing on my box. thanks

Hi there, I have same problem with captive portal and vlan wi-fi http://forum.pfsense.org/index.php/topic,70417.0.html contact me: nghongnguyen@yahoo.com

Same thing happened to me but my LAN was em0 and my WiFi was em0_vlan10. My fix was the create a vlan for the LAN and then add the LAN interface to that vlan so my LAN was em0_vlan5 and my WiFi was em0_vlan10. Everything is working correctly now. I'm glad your problem is solved I thought I should just throw this out there just incase some one reads this post later on.

There are many samples here on the forum. Here is a thread full of them: http://forum.pfsense.org/index.php/topic,26141.0.html

Many thanks to @ar4uall 1. I set Pfsense as the gateway for wi-fi clients, it still have problems if captive portal set on WAN interface, then all wi-fi clients cannot access internet if I set Captive portal on Vlan Wi-fi (talk later), then nothing happens, clients can access internet 2. The network is real in my company, and I'm testing pfsense. The network have Vlan 111 for wi-fi, and others vlan for office. I can't access the multilayer switch and router… 3. My PC doesn't have PCI slot, so I can't plug in NIC :(

To solve this I removed the line "require_once("radius.inc");" from the /etc/inc/captiveportal.inc This disables the radius support for the captive portal but I don't need it anyway. It's a crude way of going around the error but it's effective and quick. Maybe it gets solved in the future.

Gertjan, This is happening again at the same college campus. Now with: /index.php?redirurl=/w/1.0/arj?auid=398774&c.build=30303 In the error logs. My question is, how can one log what client IP is requesting these redirects? The lighttpd.log log is empty and I see in the lighttpd config we have: #accesslog.filename          = "/dev/null" Which looks to me like the default could be /dev/null. I can't see an option in the web interface to turn on access logging and I don't want to mess with the config files. How can I log IPs going through the captive portal?

http://forum.pfsense.org/index.php/topic,69558.0.html Have a look at my topic ;)

@Nachtfalke: Sometimes I had the feeling that ist really does not flush the users when restarting CP from services but I am not sure. What I know is that it works if you edit one CP zone and click SAVE on the bottom of the page. Then it took ~1 min untill I get many "TIMEOUT" messages on PortalAuth on System Logs. So perhaps when clicking on the restart button on services page it took 1min, too!? Hi, Edit Cp zone>Save works for me too but i guess Restart from "status>services>restart CP" is best way to flushed out. Thanks for your kind Response! :) i appreciate your help.

Found this other post on same subject, and a few others on the archived, none of them as ever been answered… Is this a Tabu subject? http://forum.pfsense.org/index.php/topic,61246.msg330140.html#msg330140 *** 511 *** read's no reply's Pretty sure this is the king of feature a lot of WISP's would be looking for. I might have to do an external app to be able to achieve this, but PfSense already can replicate configs, why not active users. Planning on buying support, is this the kind of question i would be answered if i am a paying customer? Thanks for any reply at all. Regards.

The CP is still running, squid is active on another IF which the radius server isn't connected to. And only active on 1 IF, i don't see any weird squid errors anymore.

That little browser in an ios device isn't actually a "browser" as such. They call it the "Captive Portal Assistant" (CPA) and it exists only to help one log in to a captive portal. The problem with ios devices is that they all want to see a certain web page within Apple before they will tell the user they have an Internet connection. Even if they actually have a connection.  That web site is http://www.apple.com/library/test/success.html You can browse to it- it just says the word success.  The way to eliminate a lot of ios/captive portal problems is to white list http://www.apple.com/library/test/success.html Some people take the easy way out and just whitelist apple.com This may not be your problem, but I thought I would toss this out.

I think I have added a "nohttpsforwards" checkbox to my test system.  At least it seems to work here.  Here is my description: Disable HTTPS forwards If this option is set, attempts to connect to SSL/HTTPS (Port 443) sites will not be forwarded to the captive portal. This prevents certificate errors from being presented to the user even if HTTPS logins are enabled. Users must attempt a connecton to an HTTP (Port 80) site to get forwarded to the captive portal. If HTTPS logins are enabled, the user will be redirected to the HTTPS login page.

NVM its fix as Jimp suggested from this post http://forum.pfsense.org/index.php/topic,57632.msg307926.html#msg307926. I think the Nas is sending wrong time. or its the device (an old nokia cell phone). here is a log when it happen. php: rc.prunecaptiveportal: Radius accounting debug: Start: 1386328206 Stop: 1386298766 Session time: -29440 after fix adding + line in /usr/local/captiveportal/radius_accounting.inc **  $session_time = $stop_time - $start_time; $session_time = ($session_time >= 0) ? intval($session_time) : 0;** setting it tp zero when unsigned acctsessiontime in sql no have zero. dont know if it is the same in db counters have to test it yet with account having time limit.