• Vlan's, Self user Email registration, Radius … ?

    4
    0 Votes
    4 Posts
    2k Views
    Hi, this is the wiki for the pfsense freeradius2 package and the documentation how to do self registration with freeradius + CP + MySQL. Perhaps it could help you. https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#CaptivePortal_Self-Registration:FreeRADIUS.2B_MySQL Out of the box it will not work with pfsense CP nor with freeradius2 package. The "problem" is the self registration and password change.
  • Pfsense 2.1 captive portal very slow

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • CP - show number of concurrent users

    3
    0 Votes
    3 Posts
    2k Views
    Hi jjeff1, when you go to DIAGNOSTICS --> CaptivePortal you can see the users which are connected. You see the start time when the first successful authentication was made by the user and you can see a column which shows you the last activity of this user. If a user turns off its computer then this MAC address is still authenticated on CP. It will first disconnect after idle or hard timeout. I recognized some problems with idle/hard timeout on my CP. It does not work and I can see users still authenticated even if their last activity was days ago. So you could check this first to make sure if you really have 750 concurrent connections or if it consists of old ones. (Restarting CP will kick all connected/authenticated users.)
    If a user enters a wrong password, this can be seen on DIAGNOSTICS --> System Logs --> Portal auth. There you can see all successful and wrong authentication attempts.
    I would suggest you some other things or possibilities: Give every teacher its own username/password to find out what teacher gives out its credentials. Further disable "allow concurrent connection". This will make sure that only the last recent user will be authenticated so only one connection per username/password is possible. The teacher will contact you if he will be kicked always because a student connects with its iphone.
    Another possibility could be to use vouchers. Create vouchers for 1 week and disable "allow concurrent connections" on CP. Every teacher will get his own voucher so if one teacher gives out his voucher to students then only one concurrent connection is possible and you can find out what teacher hands out his credentials.
    The third possibility could be to install freeradius2 package on pfsense and connect CP with freeradius2. Then create username/password and if you don't want to give every teacher his own credentials then freeradius2 offers you the possibility to set a number of concurrent connections for this username. So if you have 20 teachers then set this number to 20 and you will make sure that not more than 20 students can use these credentials concurrently. This will unfortunately not tell you the teacher who gives the credentials out. Hint: If you are using the simultaneous connections option of freeradius2 then you need to disable the option on CP of course.
    Another possibility to stop iphones and so on could be to use squid and block the user agent of these devices. Every browser uses its own user agent string. So if you are using IE on your computers and firefox then just allow these user agents or check out what user agent the safari browser on iphone uses and then block this user agent. This could be a custom setting on squid to block Internet Explorer 8:
        ##### Create the ACL which blocks user agent of Internet Explorer 8 with ACL name "block_internet_explorer"
        acl block_internet_explorer browser MSIE 8.;
        ## deny web access for the ACL "block_internet_explorer" #
        http_access deny block_internet_explorer;
  • Captive portal & squid transparent mode - bypassed

    8
    0 Votes
    8 Posts
    4k Views
    marcelloc
    No. Lusca is based on squid2. Squid3-dev use latest 3.3.8 stable version.
  • How can I give a FreeRadius User only access to ONE CP in Multi CP Setup?

    5
    0 Votes
    5 Posts
    2k Views
    Wow, thanks. That is certainly correct, NOT a pfsense Bug. :) Really much thanks to share the information for the package programming. Nice weekend. CAT
  • 0 Votes
    2 Posts
    906 Views
    Hi, I do not have a solution but I would also be interested in one. This redirect could happen if for example a request could not be resolved within 5s or 10s. I am interested in this, too, when doing maintenance on an upstream router so that the users know what is going on. Thanks!
  • Captive Portal and Active Directory Groups

    3
    0 Votes
    3 Posts
    2k Views
    Hi, I've been trying to use captive portal with radius auth using Windows Server 2008 R2 existing NPS. This NPS is being used for my wireless with radius auth too, but it seems with this pfSense (with the same config), I couldn't make it work. Really appreciate it if anyone could help. Cheers!
  • Multiple Captive Portals after upgrade

    4
    0 Votes
    4 Posts
    2k Views
    Gertjan
    Humm. Right. I looked it up in the manual (the PHP source). @Gertjan: Edit the file - remove everything between <captiveportal> and </captiveportal> didn't work for me either. Had the same message as you. This time I tried it out myself before replying …: This works: all was reset when importing this: <captiveportal></captiveportal>
  • Trying to create no-auth zero user input captive portal

    4
    0 Votes
    4 Posts
    2k Views
    jdillard
    When you submit via JavaScript it doesn't send the submit value so you have to add it as a hidden value. Here is the code:
  • Direct users to captive portal

    5
    0 Votes
    5 Posts
    1k Views
    @jarves: How do I direct users to the captive portal? I have windows dhcp server which serves ip and also a cisco router which acts as dhcp. What would be the changes on the windows dhcp and cisco dhcp side?
    Despite the two DHCP servers on your network, the thing that makes the CP work is the gateway. Tell your DHCP server (one of your choice) to send the IP of your pfsense machine as the gateway to your dhcp clients.
  • Remove the limit on the number of hosts trying to authenticate

    1
    0 Votes
    1 Posts
    575 Views
    No one has replied
  • MOVED: Amigos buenas s

    Locked
    1
    0 Votes
    1 Posts
    663 Views
    No one has replied
  • 0 Votes
    4 Posts
    2k Views
    Gertjan
    "per AP" is "per Interface" is "per zone", right? I used this code (in a Munin plugin) to count all users on all zones, I guess it will be easy to adapt it a little bit for your needs:
        #!/usr/local/bin/php -q
        <?php
        require_once("/etc/inc/util.inc");
        require_once("/etc/inc/functions.inc");
        require_once("/etc/inc/captiveportal.inc");

        /* read in captive portal db */
        /* determine number of logged in users */
        $count_cpusers = 0;

        /* Is portal activated ? */
        if (is_array($config['captiveportal'])) {
            /* For every zone, do */
            foreach ($config['captiveportal'] as $cpkey => $cp) {
                $cpzone = $cpkey;
                /* zone selected -> count users and add */
                $count_cpusers += count(captiveportal_read_db());
            }
        }
        echo $count_cpusers;
        ?>
  • Captive portal issue, Apple devices pass thru without authentication

    17
    0 Votes
    17 Posts
    8k Views
    Gertjan
    Good thing to hear! Btw: did you never think about making your network more - simple -.
  • Multiple "virtual SSID" linked to different CP Zones

    3
    0 Votes
    3 Posts
    1k Views
    I share the same goal and have managed to accomplish something similar. The major difference is that I am not using VLAN tagging. I couldn't ever get it working on DD-WRT. I am using Merlin WRT on RT-N66Us (for stability and performance). While I haven't gotten 802.1q style VLANs working, I do have port based VLANs working. See this thread for details. http://forums.smallnetbuilder.com/showthread.php?t=12750
  • MOVED: The captive portal options do not appear?????

    Locked
    1
    0 Votes
    1 Posts
    603 Views
    No one has replied
  • Accidentally deleted a zone in captive portal

    3
    0 Votes
    3 Posts
    909 Views
    Thanks Gertjan… My backup was from version 2.0.3. What i did i just extract the mac address for the pass-through clients, create a new zone and manually encode those mac addresses. Thanks again
  • CP to replicate to another CP authenticated users

    5
    0 Votes
    5 Posts
    1k Views
    You can do this using CARP. @ar4uall: Hey guys, I don't know if this is possible or not, or if there's a genie out there that did it. Situation, i have a PfSense box with Captive Portal authenticating users to a NPS on 15 airports, meaning 1 box and 1 NPS per airport. Now pilots travelling from an airport to another don't want to re-authenticate at each airport they travel to. Is it possible that once they authenticated to a 1st box, that 1st box replicates the authenticated user to all the other ones so the user does not need to re-authenticate again?! ??? Thanks you very much for your time. ;)
  • How can I set up a group or individual Voucher Internet rules

    2
    0 Votes
    2 Posts
    896 Views
    I had this idea also but the only way I figured it out is to set up multiple virtual SSIDs on each access point and also multiple virtual LAN interfaces in the pfsense config and creating tunnels between both of them. That would allow us to have multiple captive portal "zones" which will have their own vouchers, and download/upload speed setting. That being said, I think I will need some help doing all that configuration. I am using dd-wrt (both d-link and linksys) access points and I spent a whole day trying to figure out how to connect virtually a pfsense interface with a specific SSID on my access point without success. Does somebody have a similar configuration?
  • 0 Votes
    2 Posts
    6k Views
    Those errors come out usually when you forward HTTP(port 80) traffic to SSL(port 443) traffic. Probably need to be checked what the forwarding rules generated are doing there to tell for sure. Normally, apart overhead there is no problem with that.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.