What does this output when run from behind the portal? openssl s_client -connect wifi.cityofaltonil.com:8003 -showcerts

Good advice ^^. Also, sometimes clients get confused and simply reload the portal page. After they hit login is there a CP entry created (Status > Captive Portal. Also check the Portal Auth log).  After they hit login did you try manually navigating to other sites?

i check this now it is working thanks all

Probably a client connection to a '443' (https) not using a https 'talk'.

As describe in this post : https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428 there seems to be an issue in the Freeradius2 Implementation in pfsense. I solved the problem as follows : 1. in Freeradius-LDAP enabled Authentication and Authorization. 2. Set Group Membership Filter for AD : (|(&(objectClass=group)(member=%{control:Ldap-UserDn}))) Saved Configuration 3. Inserted in radius Users File first line : DEFAULT LDAP-Group == "AD-Group Users have Access", Auth-Type := LDAP 4. in freeradius sites-enabled/default authorize-section disabled the ldap part ( here  line 207-210 : #redundant { ldap ldap2 disabled #} You have to disable this everytime the freeradius configuration changes and is saved ! 5. restart freeradius  :)

@Derelict: I don't think the portal cares how many users are using the same credentials.  All my users show as "unauthenticated" and it works fine. Who honestly cares if passers-by use the network? Toss a limiter on it to curtail torrenting and help keep one device from being able to hurt you. The nasty stuff like DHCP pool exhaustion can be done without going through the portal anyway. A better answer is a WPA2 passphrase. Thank you and you are right. I might end up using a WPA2 passphrase and an unauthenticated captive portal to display the AUP upon login and make use of the limiter.

@Derelict: …. It works great. 2.1.5. Same thing for 2.2.4. I just generated some vouchers, activates auto-add-mac support etc and started authenticating using vouchers. Everything works as advertised. I saw lines like: Oct 28 08:39:43 logportalauth[38194]: Zone: cpzone1 - Voucher login good for 120 min.: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40 …. Oct 28 10:39:44 logportalauth[33421]: Zone: cpzone1 - EXPIRED SNWfCebPBQS LOGIN - TERMINATING SESSION: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40 The device "0c:77:1a:xx:13:35" was disconnected and removed from the MAC white list.

Nice  :) I hope you can read English. You shouldn't add an executable (who would use an undefined executable, found on the net ??) but at least share the source code and the steps how to build the program. (je pourrais te répondre en Français s'il le faut, car j'y habite  ;))

Check out this subject - posted just a couple of hours before : https://forum.pfsense.org/index.php?topic=85695.0

Ah …. I remember that one  ;) But was was a year (two ?) ago.

Hi, I also using an OPT1 interface for my Portal. I didn't use any 'limiters' on my Portal, so accessing the net, one authenticated, is as fast as accessing the net using the LAN interface. I also tend to say : I'm using the default settings. So, the question is : what did YOU change (without telling us) ? How did you set it up ? Undo your changes …

If you're asking what I think you're asking (You might want to rephrase your question otherwise), then this has been asked numerous times and almost always with the same answer. Searching the forum will give you pretty much all the replies you need. https://forum.pfsense.org/index.php?topic=100963.0

The NTop or NTopNG packages can give you detailed historical traffic information, if that's what you're after. You can get the IP address and sometimes the machine name and even OS type, depending on circumstances. You could match the IP against the authentication logs to find out who your hog is.

I think this is not possible, nearest you can do is non transparent proxy setup with authentication , on providing profile to various users with squidguard (if you require filtration), may be in this mode even captive portal can be used (not sure but worth trying).

@Gertjan: then this guy: (ie: http://www.google.com/) told me who to do it. Btw : are you letting the visitor authenticate to the portal ? Bringing people to ie www.google.com - a page they can not leave, seems awkward to me. Bringing people to a host (a server on a host) so they can authenticate seems complicated to me. Any, I guess you didn't tell us everything ;) Gertjan i am not sure what you meant to say exactly with the rest of your post, anyway, it was not Google that "told me HOW to do it", i did try it, yes, but i couldn't find exactly what i was looking for, so i just went to some other place on the web, where i was able to find someone that answered that request without too many turnings around, leave alone the need that some users here (DoktorNotor & co) have to just criticize and put evilness all around them, instead to contribute positively on something, why ohh why some people have to feel and behave that way toward others it's really beyond me, don't you think that someone posting a request for help maybe has already enough stuff to deal with? Honestly, what it's wrong with people like these ?? In regard of the system i did choose, a picture which once clicked forward to the next page, which in my specific case it would be a site hosted locally, not accessible from the web and which require local users wishing to access the www, to be first identified, so in case someone eventually do bad stuff around, it can very easily be pin pointed (as we do). This first initial page will serve to give the users, most of them with very little experience on a pc, an introduction on what to expect if they wish to make use of this long range wi-fi spot (maybe 5-10km?), it's a local community based project.