@Docwyatt2001: A combination if RADIUS and vendor specific entries can do this… VLAN's based on SSID.. Then have them come into an intermediate network where they can access the portal. Cisco definately can. Linksys can't as far as I know. Its more a dot1x thing than pfSense. By choosing the SSID paired with AD credentials (PEAP), you can have it forced into the network you need, otherwise no access. Then give your users the private SSID, and the guests/visitors/etc the public SSID. Thanks for this..  I know my ASA can't help with this..

Can the 2k server resolve addresses?  You can have dhcp and dns managed elsewhere without problem, but the proper holes need to be poked to allow for it.  You could always try another DNS server like opendns, poke a hole through for it and see how that works to take 2k out of the equation. nb

or you can add his mac address in Services > Pass-through MAC, i am doing this and working fine with me, especially for the TV satellite receivers that clients uses.

I thought at first as well that you need to have the local DNS forwarder for the CP to work. You dont. You can use any DNS server you want. The client just has to be able to resolve names even if not authenticated.

@lightsareout: Where exactly is the index.php file stored.  I'm working on a school project and have tried to upload a different file through the GUI and it messed up the whole box and had to re-install pfsense.  So where can i go and manually configure the login page? Thanks! I believe the files are stored (after being decoded from the XML) in /usr/local/captiveportal/  But you should use the web interface to change them or they will not be stored in the config.  I have successfully build several highly customized login pages using the supported method.

Thanks you, I look this

I agree with the radius. I use the radius setup to manage 10 different networks, and it works very well for me.

@Monoecus: I think that the first version is fine for you. The drawback with both versions is that you do not have any traffic shaping on the OPT with pfSense 1.2.1. However, as you need Shaping only on the LAN for now, that first version is safe. In case you need Shaping on all Interfaces, wait for the version 2.0. For the access points. Just make sure that they cannot connect to LAN, by blocking access to LAN. It is important to use traffic shaping for LAN and guest users. I need to limit guests to 30% from total bandwith AND use traffic shaper to distrubute fair these 30% to all guest users. So I will use Option 2 until version 2.0 comes out. Thanks for the help!

yes you are right, i was thinking little bit about this, and it is because of NAT, so i turned it off and enter static routes in wireless router, and check Disable MAC filtering in captive portal and now works … and now, i see that you are talking about NAT. it works now thanks

Ok, I got it to work. I did check and twig settings till it work! i will upload my config.xml file, but i think the reason it works was that on the firewall->rules tab, the '! WAN Address' was not working so I put '! Network' and "192.168.0.1 / 24". Now the DHCP is nolonger giving 10.10.10.xxx ip to the pc's on the 192.168.0.1/24 network. Thank you.

Thanks for reply, i found the problem, I am using wan port of my wireless access point, is this way the wireless client dont received DHCP address from pfsense server, i change to wireless access point lan port, and captive portal work. I tried to use multiwan and captive portal, but read at forums that doesnt work, i will try a way to get solve this problem. I need load balance and failover, but in my case captive portal is the most important. Thanks

What exactly does this incompatibility look like? Does captive portal just cease to work, or does trying to run CP and multi-WAN cause serious problems with routing, throughput, what-have-you? I foolishly neglected to notice this incompatibility and tried to run both at the same time, and I had all kinds of strange problems. I rolled back the changes to a functional setup, but I'm kind of curious what was happening. Thanks, Dave

@http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43: Captive Portal Captive portal allows you to force authentication, or redirection to a click through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access. For more information on captive portal technology in general, see the Wikipedia article on the topic. The following is a list of features in the pfSense Captive Portal. * Maximum concurrent connections - Limit the number of connections to the portal itself per client IP. This feature prevents a denial of service from client PCs sending network traffic repeatedly without authenticating or clicking through the splash page.     * Idle timeout - Disconnect clients who are idle for more than the defined number of minutes.     * Hard timeout - Force a disconnect of all clients after the defined number of minutes.     * Logon pop up window - Option to pop up a window with a log off button.     * URL Redirection - after authenticating or clicking through the captive portal, users can be forcefully redirected to the defined URL.     * MAC filtering - by default, pfSense filters using MAC addresses. If you have a subnet behind a router on a captive portal enabled interface, every machine behind the router will be authorized after one user is authorized. MAC filtering can be disabled for these scenarios.     * Authentication options - There are three authentication options available.           o No authentication - This means the user just clicks through your portal page without entering credentials.           o Local user manager - A local user database can be configured and used for authentication.           o RADIUS authentication - This is the preferred authentication method for corporate environments and ISPs. It can be used to authenticate from Microsoft Active Directory and numerous other RADIUS servers.     * RADIUS capabilities           o Forced re-authentication           o Able to send Accounting updates           o RADIUS MAC authentication allows captive portal to authenticate to a RADIUS server using the client's MAC address as the user name and password.           o Allows configuration of redundant RADIUS servers.     * HTTP or HTTPS - The portal page can be configured to use either HTTP or HTTPS.     * Pass-through MAC and IP addresses - MAC and IP addresses can be white listed to bypass the portal. Any machines with NAT port forwards will need to be bypassed so the reply traffic does not hit the portal. You may wish to exclude some machines for other reasons.     * File Manager - This allows you to upload images for use in your portal pages. Limitations * Can only run on one interface simultaneously.     * "Reverse" portal, i.e. capturing traffic originating from the Internet and entering your network, is not possible.     * Only entire IP and MAC addresses can be excluded from the portal, not individual protocols and ports.     * Currently not compatible with multi-WAN rules. We hope this will be resolved in 2.0.

I find that on 1.3 (2.0) when you wipe all you schedule entries and reboot it frees CP and all is happy.  This is not the case w/ 1.2 Is there any plan to fix this know issue?  As both features are awesome (CP and schedules) and it is hard to pit one against the other as for their usefulness.

Oh - OK. After being smacked down on the contribs.org forums so many times, I guess that I am just a little defensive. Thanks again - Library Mark