In the first place, stop sticking your CP on LAN where things like domain controllers reside. Putting CP on trusted LAN is just bad idea (TM). The DC should be connected to the same switch like everything else on the LAN and the switch goes to pfSense LAN interface. While the DC is routing and NATing, this will never work. CP goes to dedicated interface.

You are indeed a hero member added the mine type and worked straight away  :)

Thanks Demco. That does indeed fit the issue so I will try this out and see if it helps.

@Derelict: Note that if you have more than one AP or wired + wireless clients you need isolation in the switch.  Asymmetric VLANs can do this.  Cisco PVLAN edge is even better (easier to configure). Another solution exists, while still using 'no-brain' (non-expensive) switches. I (still) use inexpensive Linksys (Cisco now) AP's - ejected the original firmware and installed DD-WRT. The secret is : use 'ebtables' (yep, that not iptables.) #!/bin/ash insmod ebtables insmod ebtable_filter ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d Broadcast -j ACCEPT ebtables -t filter -A FORWARD -s 0:0:0:0:0:0/0:0:0:0:0:0 -d 00:0f:b5:fe:4e:e7 -j ACCEPT ebtables -t filter -A FORWARD -s 00:0f:b5:fe:4e:e7 -d 0:0:0:0:0:0/0:0:0:0:0:0 -j ACCEPT ebtables -t filter -A FORWARD -j DROP 00:0f:b5:fe:4e:e7  = The MAC of my Portal Interface NIC (DHCP) broadcasts are permitted. Traffic TO and FROM the portal NIC are permitted. These rules enforce: A client who is connected by Wifi on AP "1" cannot not communicate with any other clients that are connected on other AP's (AP "2", "3", etc). All connections are only permitted TO the gateway, the pfSense Portal Interface NIC.

@comeback1106: I get this  squid does not work with CP, but how can resolve this. You can! Get the pfSense and squid sources from Github and start coding.

So I never got that process in the OP to work. It seems that all config data is stored in the XML config file, changing the HTML files on disk doesn't do anything. I then tried  some other hack that involved disabling the captive portal and then re-enabling it using cron. That didn't work either. I just wanted a normal captive portal login during the day, and after hours, a simple page showing the AUP and a button to accept it and get online. But this did: Install and configure freeradius; create 2 users, one for normal guest access, one for after-hours access. The normal account has a password we change periodically and only give to known guests. The after-hours account has a simple password, but is restricted in radius to only be allowed to login after hours. Configure captive portal to use radius for authentication. Create custom captive portal login screen with a bit of javascript which hides an entire DIV. During the day it shows a DIV containing the normal captive portal login form. After hours, it hides that DIV and displays another one which shows a different login form, using the after-hours username/password as hidden fields, and a plain ACCEPT button. In morning, I reboot the firewall to boot everyone who might be using the after-hours login still off the guest network. Since the after-hours radius user is restricted to certain login hours, even if someone does a view source and gets the account info, it won't help them. Only downside is it relies on the time on the client being correct, but I'm willing to live with that. I can post the source of the captive portal login page if anyone is interested.

When all users show as unauthenticated, your custom CP code is broken. That is how all users appear when the No Authentication mode is used.  Your custom page can just have them, for example, click a terms and conditions checkbox and press Access the Internet. It's a perfectly valid config but there's no login name to put with the CP entry so it uses unauthenticated.

Ok, well problem solved. Issue was i didn't put the proper interface on pfsense cp & and nps radius client… Had to be all LAN, even though CP is to be used on the wifi... :P Login from AD works now.

Dear Jim, adding the IP to the allowed addresses does solve the problem - thank you very much! I wonder why I did not find this based on intuition, but the answer is also somewhat obvious: This was not required in the previous version and thus, one does not think about it. Regards, Michael

It just does NOT work that way. Please, actually read on how this works. I already linked it here: https://forum.pfsense.org/index.php?topic=93479.msg518607#msg518607

Sorry for not making this clear: im using the local user not radius for authentication Thank you for pointing me to the right section .. i can see who are logged in now. Much appreciated.

I would not use VLAN 1 (I'd use all untagged ports on, say VLAN 2 through 4094) but that looks much better if replacing the existing firewall with pfSense is not an option and you just want to use captive portal.

Thank you guys. I will take a look.

This html code https://github.com/pfsense/pfsense/blob/master/usr/local/www/services_captiveportal_vouchers.php#L510 is present in your browser ? Line "510" is executed ? A browser cache problem ? The image file $g['theme']}/images/icons/icon_plus.gif => /themes/pfsense_ng/images/icons/icon_plus.gif exists ? It has the correct owner and rights ?

No, nothing changed in the past 58 days  ::)

Thanks. I manage to figure that out  :)

Oh, I am so sorry. I should mentioned it before. Mine is 2.1.5-RELEASE And I found correct command.

No.  Captive portals have to be navigated with a web browser. Break the internet on purpose and you sometimes break the internet.

I can live with that.  Nothing good ever comes easily.  Thanks, Derelict!