Yes I understand that. But is there anyway to have a Pass-through MAC for a limited time? Some hacks? Thank you for your help, Antoine

I managed to delete it and get back to working.. but this basically doesnt solve the problem. Doesn't anyone else out tehre have a customsed login and error page that both work ? and the error page show the error message from radius server?  Invalid credentials.. and MAC address invalid and so forth.

Thanks for the reply.. another thing in the meantime.. my Website is currently hosted else where.. am i able to have the CP login page on my site (www.mysite.com/login.html) for example ?  Can the CP settings on pfSense redirect user to login page that is on my site? I want to build and host my own webserver shortly.. but if i can get this working noe it would be great.. so i can use google analyitics on it.

Ok.  I appreciate that.  That is what I expected.  I'll just use router ACLs and be done with it.  Thanks!

If you'll be using CP then you shouldn't run transparent Squid on that same pfsense system. I guess it's a matter of personal preference, but I'd prefer to run disk-intensive software like Squid on a separate system anyway, with its defaults tuned to be a "server". Others prefer to have an all-in-one system, running a dozen services (e.g. antivirus, caching proxy, URL filtering, reverse proxies etc). IMHO a reasonable compromise would be to run a couple of VMs on the same physical server.

@filip_pag: Is it possible to create user account to access internet that is fixed to one MAC or IP address? for example user: jerry jerrys MAC: xx:xx:xx:xx:xx:xx / IP: xxx.xxx.xxx.xxx so jerry can log in only from devince with that MAc/IP Do you mean that the access should only be allow if: Username + mac + IP are correct !? This cannot be done in just one step. I do not know any possibility to solve this in just one check. MAC <-> IP matching: enable DHCP and static MAC entry create a firewall rule for this IP which allows traffic and disallows other traffic from other IPs Enable Static ARP entries on DHCP for username/password check you can use different things: CaptivePortal Squid in non-transparent mode with user access Perhaps it will be possible with squid or CP and freeradius2 package as user backend. Setup a username/password entry in freeradius and add a custom "Check-Item" attribute for the client IP address. This will look like that: Framed-IP-Address == 192.168.10.125 So if the NAS (CaptivePortal or Squid) send the "Framed-IP-Address of the host to the RADIUS than you can do a check against this attribute (Framed-IP-Address) and if the IP is wrong then the user will be rejected. You can do this with the MAC-Address, too if CaptivePortal or Squid is sending this: Calling-Station-ID == 00:11:22:aa:bb:cc But be careful, both attributes need to be CHECK-ITEMS and must not be REPLY-ITEMS to work !!! You can use both checks together, too. Hmm - if I read this again, then it could be possibly feasible to realize that in just one step  ;)

I am using DMA Softlabs Radius Manager software along with my RADIUS server.  This software has a User Control Panel which you can setup and the user can login, see their account details and change things like their personal details and password. I suggest you take a look at this.

@kapara: I use it for a customer with 8 offices.  I host it in vmware environment in a datacenter since availability is crucial.  there are also hosted solutions which would cost about $50 per month…... Hey Kapara, Are you using it along with pfsense CP?  I am finding that it seems pfSense sends wrong data to the radius.  I guess a flaw in pfSense.  After a days usage and testing my user in radius manager shows traffic usage about 10 times higher that what the acutal usage was.  I had a traffic analysis software running on the machine.  I dont want to have to switch to mikrotik as i like pfsense, but i really need that pfsense sends correct accounting info to the radius.

Going back to the subject of protecting the CP against abuse, I noticed the "Maximum concurrent connections per client IP address" ($maxprocperip) setting. A quick look at the source code (captiveportal.inc and system.inc) suggests it sets lighttpd's  evasive.max-conns-per-ip directive. However, if the $maxprocperip "Maximum concurrent connections" field is left empty in webGUI config, it doesn't create a lighty evasive.* directive at all in /var/etc/lighty-Captive*. I can't find any other way to enforce the "Default 4 connections per client IP, with a max of 16" so it seems like a small bug to me (either fix the comment in the webGUI, or put a value in $captive_portal_mod_evasive in system.inc)

I'll do more tests here and feedback when possible.

In that case you suggest cp or firewall rules?

Looks that way, perhaps even if just its root directory was named captiveportal-something (then it would be in every URL regardless of the end name)

@dhatz: AFAIK on a CP-enabled interface all external traffic is refused by default (before successful login), except those IPs and hostnames which are explicitly allowed (aka "walled garden"). Taking a quick look at the source code, it seems to me that in the hypothetical scenario you describe, access to both sites would be allowed. of course. hostname  resolve to ip and add to access

I figured out why it isn't working - iOS doesn't look for captive portals when you connect to a secure network. As soon as I made a virtual WAP with no encryption needed, the login page popped right up. I'm not sure whether I want to think of this as a "feature" or not since I'd like to see our iOS devices be able to use "auto-login". Looks like this is definitely more of an apple issue.

If your DHCP configuration doesn't set your pfsense box as a DNS server then captive portal won't work.