I had this working with Squid installed for some time… until something happened no idea... I had Squid uninstalled and did not worked, and now I have Squid running and is working so I don't blame Squid. Maybe a bug if hard time expiration = voucher time ( I can test it but not now, I had enough ). will see in time.

Well. Gertjan gave me the answer and a solution. I understand what I have done wrong and know how to correct it. Many thanks for the help!

See this message : https://forum.pfsense.org/index.php?topic=98324.msg548173#msg548173 - and just ask your : why did he asked if 'squid' is installed ?! Re-install your pfSEnse - install ONLY ONE package at the time. Do thorough testing … Find out yourself when things break. Now you know what package you should NOT install, because it break the captive portal  ;D I'll give you a hint : https://forum.pfsense.org/index.php?topic=98324.msg548173#msg548173

Hi, Here are some links I have bookmarked so you can read/study: http://sourceforge.net/projects/captiveportalplus/ https://forum.pfsense.org/index.php?topic=91257.0 http://blog.stefcho.eu/tag/captive-portal/ http://blog.stefcho.eu/pfsense-2-0-rc1-configure-captive-portal-for-guests-with-local-user-management/ http://blog.stefcho.eu/pfsense-2-0-rc1-customize-captive-portal-pages-and-implement-https/ http://blog.stefcho.eu/pfsense-2-0-rc1-captive-portal-with-radius-authentication-and-vouchers/

Yeah, adding IPv6 is completely useless, CP doesn't work with IPv6 at all.

not really i have 500+ users on the portal i was thinking, this can make some problems for users loading the CP. thanks for helping! SOLVED close this thread ^^

Sorry not to have best described my initial configuration and thank you Derelict it was the problem : for an unknown reason the auth mode was set to none and we also use vouchers (and I'm pretty sure auth portal appeared and was authenticating to ldap). I've just set auth mode to radius and now authenticated users appears correctly. Thanks for your help

After some time (and receiving a lot of incidents about users that report vouchers that are expired, although they aren't) I finally managed to upgrade our pfSense. I have created a clone of the VM, upgraded it to version 2.2.4 and have wiped all rolls. Then created a new roll of vouchers and started testing. On this system, no users are active. The following happens: when I expire a code the appears in the logging: Aug 24 16:06:08 logportalauth[92658]: Zone: guest - CSPZsCnnRiJ (70/61) forced to expire I then test the voucher again and it is indeed expired: Aug 24 16:06:12 logportalauth[92658]: Zone: guest - CSPZsCnnRiJ (70/61) already used and expired when looking in the roll view in the GUI it shows 8 vouchers of this roll are used, instead of one! (see screenshot 1) trying the next voucher in the roll says: Aug 24 16:13:41 logportalauth[61087]: Zone: guest - hDvRKFaqvqm (70/53) already used and expired expiring another voucher: Aug 24 16:17:42 logportalauth[61087]: Zone: guest - muhaudiXxhj (70/293) forced to expire now the roll view in the GUI shows 37 vouchers are used, instead of only two! (see screenshot 2) So it looks like more than one voucher code is marked as used when one is expired. This is the logfiles with our tests: Aug 24 16:06:08 logportalauth[92658]: Zone: guest - CSPZsCnnRiJ (70/61) forced to expire Aug 24 16:06:12 logportalauth[92658]: Zone: guest - CSPZsCnnRiJ (70/61) already used and expired Aug 24 16:13:41 logportalauth[61087]: Zone: guest - hDvRKFaqvqm (70/53) already used and expired Aug 24 16:16:19 logportalauth[61087]: Zone: guest - m4DeJG7EYrV (70/45) already used and expired Aug 24 16:17:08 logportalauth[61087]: Zone: guest - fjRWvZuqATw (70/37) already used and expired Aug 24 16:17:42 logportalauth[61087]: Zone: guest - muhaudiXxhj (70/293) forced to expire Only these codes were forced to expire: CSPZsCnnRiJ and muhaudiXxhj. As you can see other codes are also reported as used and expired. [image: capture1.png] [image: capture1.png_thumb] [image: capture2.png] [image: capture2.png_thumb]

why not just replace the ancient machine with this new pc your going to use as your captive portal?  1.2.3 came out what dec 2009 so at best your looking going on 6 year old hardware the thing is running on.. Time to replace!!  Not even taking into account all the concerns of running a firewall code from almost 6 years ago.

index.html contains this form:

@hartung: First my personal android phone was always redirected to the portal page (of course, it is in the MAC pass through list) restarting the captive portal and even restarting the entire pfsense did not work. If it is on the list, it will 'fall though' and the Portal login page will never show. So, be ready for some digging. Use THE tool : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting List table 1,2,3 and 4. Two of these contain all the MAC addresses that can pass through. Your Phone is on the list ? I guess, when the portal page pop up on your phone, the MAC isn't present in the (2) tables anymore. @hartung: Today, my phone was again able to pass through without any problems, now some other phones and machine here in the office were not able to pass through (all on pass through list), while others still seem fine. Since a couple of minutes, my phone ist again not bale to pass through. My boss for example has two iphones (yes, two) one is still working, the other is also keeping redirected to the portal. Happens on different systems, windows, OSX, android etc. What are you using to bridge between pfSense (the NIC) and your wifi devices ? An AP ? Is it in bridge mode (NOT router mode) ? All devices have good IP's listed on the DHCP server on pfSense ?

Here it worked : On pfsense box free radius + CP. Freeradius binds to a separate LDAP server. I will try to help you when you'll have posted more infos.

There is this: http://wiki.freeradius.org/modules/Rlm_smsotp Although my personal preference would be to use an app, like one of these instead of an email: http://motp.sourceforge.net/#6 The otpverify.sh script is used with a FreeRADIUS server to generate a one-time six-digit password. The app runs on the phone and generates the password which the user can use only once to authenticate. Personally, I've built a FreeRADIUS machine which uses the optverify.sh/Mobile-OTP combination in conjunction with Active Directory. An 'ldapsearch' script scrapes the AD schema for members of the relevant AD group (eg: CPUsers), creates the associated PIN and secret, emails the user these details and populates the FreeRADIUS users file with the relevant data. The radius server then uses the otpverify.sh script to check the passcode generated by the mobile app. It is, however, essential that the radius server and the mobile phone/tablet in question are synchronized correctly time-wise. Not quite SMS, but it works.

Yes tux. thanks for the offer to share your knowledge. I'd really want to integrate captive portal to an sms gateway. This will enable clients receive login credentials (username and password) based on the information contained in sms gateway. bob

https://redmine.pfsense.org/issues/4746

Sorry i forgotten i dont have a domain.

I prefer the last of your potential solution. We have an apartment house with more than 120 users with different price models. RADIUS and daloRADIUS is flexible to build customer groups. It was the best solution what I found. It really works. All other solutions have some limitations. Further daloRadius is a separate web solution which can be used by our staff without a risk. There are some disadvantages: You need another Linux or Windows server to install RADIUS and daloradius You need time to find out how to install. you have a further point of potential failure. I use pfsense with CARP (redundant). But if RADIUS or MySQL behind RADIUS fails the hotspot doesn't work anymore. Pfsense has no fallback to regognize a RADIUS error and pass through users in this time. I will try to replicate MySQL and to use Pfsense package RADIUS with two databases. But this needs know how. As you see there is no easy solution with one installer software.

@bqbqr: … Seems like the right thing to do for keepin my user list .. no? You can keep your user list from the 'old' XML file: It's a copy and paste thing between files ;) XML files are human readable and have a simple structure.

raduis is a bit hard for me. i can use voucher but im using cp for public network. i just saw in our mall that freewifi, enter portal without voucher. no authentication. just portal page "accept". and after an hour i can't login again. banned for 24hours. thanks again.