People have devices that constantly request web pages and they just sit there and run and run and run before the user navigates the portal. It could be hours or days.

What does this output when run from behind the portal? openssl s_client -connect wifi.cityofaltonil.com:8003 -showcerts

Good advice ^^. Also, sometimes clients get confused and simply reload the portal page. After they hit login is there a CP entry created (Status > Captive Portal. Also check the Portal Auth log).  After they hit login did you try manually navigating to other sites?

i check this now it is working thanks all

Probably a client connection to a '443' (https) not using a https 'talk'.

As describe in this post : https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428 there seems to be an issue in the Freeradius2 Implementation in pfsense. I solved the problem as follows : 1. in Freeradius-LDAP enabled Authentication and Authorization. 2. Set Group Membership Filter for AD : (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) Saved Configuration 3. Inserted in radius Users File first line : DEFAULT LDAP-Group == "AD-Group Users have Access", Auth-Type := LDAP 4. in freeradius sites-enabled/default authorize-section disabled the ldap part ( here  line 207-210 : #redundant { ldap ldap2 disabled #} You have to disable this everytime the freeradius configuration changes and is saved ! 5. restart freeradius  :)

@Derelict: I don't think the portal cares how many users are using the same credentials.  All my users show as "unauthenticated" and it works fine. Who honestly cares if passers-by use the network? Toss a limiter on it to curtail torrenting and help keep one device from being able to hurt you. The nasty stuff like DHCP pool exhaustion can be done without going through the portal anyway. A better answer is a WPA2 passphrase. Thank you and you are right. I might end up using a WPA2 passphrase and an unauthenticated captive portal to display the AUP upon login and make use of the limiter.

@Derelict: …. It works great. 2.1.5. Same thing for 2.2.4. I just generated some vouchers, activates auto-add-mac support etc and started authenticating using vouchers. Everything works as advertised. I saw lines like: Oct 28 08:39:43 logportalauth[38194]: Zone: cpzone1 - Voucher login good for 120 min.: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40 …. Oct 28 10:39:44 logportalauth[33421]: Zone: cpzone1 - EXPIRED SNWfCebPBQS LOGIN - TERMINATING SESSION: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40 The device "0c:77:1a:xx:13:35" was disconnected and removed from the MAC white list.

Nice  :) I hope you can read English. You shouldn't add an executable (who would use an undefined executable, found on the net ??) but at least share the source code and the steps how to build the program. (je pourrais te répondre en Français s'il le faut, car j'y habite  ;))

Check out this subject - posted just a couple of hours before : https://forum.pfsense.org/index.php?topic=85695.0

Ah …. I remember that one  ;) But was was a year (two ?) ago.

Hi, I also using an OPT1 interface for my Portal. I didn't use any 'limiters' on my Portal, so accessing the net, one authenticated, is as fast as accessing the net using the LAN interface. I also tend to say : I'm using the default settings. So, the question is : what did YOU change (without telling us) ? How did you set it up ? Undo your changes …

If you're asking what I think you're asking (You might want to rephrase your question otherwise), then this has been asked numerous times and almost always with the same answer. Searching the forum will give you pretty much all the replies you need. https://forum.pfsense.org/index.php?topic=100963.0

The NTop or NTopNG packages can give you detailed historical traffic information, if that's what you're after. You can get the IP address and sometimes the machine name and even OS type, depending on circumstances. You could match the IP against the authentication logs to find out who your hog is.

I think this is not possible, nearest you can do is non transparent proxy setup with authentication , on providing profile to various users with squidguard (if you require filtration), may be in this mode even captive portal can be used (not sure but worth trying).