Just what I was looking for! I want to protect the network at the WPA level (to completely keep out the curious) and use the captive portal for TOS. This isn't a public network, but it isn't entirely private, either. The idea is for contractors and consultants and such to be able to get internet access. They get the password from us, then have to agree to the TOS before continuing. I was thinking it'd be nice to have somebody enter their name before clicking "Agree and Continue", but it didn't show up the logs. This patch fixes that! Thanks so much! It would be nice to prevent them from leaving it blank, too. Maybe an option in the UI for "No authentication but still require (and log) a username"? :)

I mentioned problems when I enter on CP page as redirection URL jus: www.google.com I need to enter: http://www.google.de Then the redirection is working - if without http:// I got a loop. Not sure, if this is related to your problem.

Last time I used captive portal (pfSense 2.0, before release of 2.0.1) the browser went to the login page on the access after the voucher expired. Are you expecting the browser to go immediately to the login page ON voucher expiry?

Hi, I am developing freeradius2 package and I tested with CP. Take a look at my documentation - there I tested some features/attributes with CP: http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Accounting_with_Captive_Portal Acct-Input-Gigawords Acct-Output-Gigawords should be supported by CP - if I remember correct I found this somewhere in the pfsense code. But accounting isn't working correct at the moment. 1MB traffic in reality gets counted 6 times higher from CP. But this seems to be a problem of ipfw and not RADIUS. So 1MB in realy = 6MB on pfsense ;) That's easy to calculate I think ;)

Hmm…it is working but only without Simultaneous-Use in FreeRADIUS. Just leave the field empty. Then there is still the error in syslog but then there is no disconnection. But I am pretty sure that the problem is CP because I tried with another NAS (AP with DD-WRT) and there isn't such a problem/error. I posted this issue on pfsense mail list but we didn't find a solution. We discussed several problems there. Take a look at the conversation. http://lists.pfsense.org/pipermail/dev/2012-January/000118.html Why it isn't working with your VM environment...puh...I don't know. If I find a solution I will fix it. If someone tells me the solution, I will fix it. But at the moment I am out of ideas. First I would like to appreciate your great help. If I have money I will put a bounty on this, I am afraid I can't afford it.. I noticed that PF 2.1 is now running snapshot, I will give a try later. maybe there is some lucky? Anyway, thanks a lot ~~

@stramato: guys this happened to me and i don't know how to fix it. Mine was working perfect (CP + Active Directory authentication through RADIUS) then my local DNS server (another physical computer) hung one time. After restarting my local DNS server, when I use Captive Portal, the clients seem to have messed up DNS or something. I tried pinging internet addresses from the client and they seem to resolve DNS, but when using a browser, they can't seem to resolve DNS. I can't really use another DNS server, as my local DNS server hosts a bunch of intranet websites. Did you tried to reboot pfsense?

Ok thank you for your advice, I will look into a procedure for setting up vouchers this week hopefully. I saw some good procedures googling around. That is something I was concerned about, was free loaders in the parking lot or nearby areas, the wifi is up high with a antenna I custom made and the signal goes a good about 75 - 100 yards on a wifi test using airmagnet. So I will definitely look into locking it down some more. You will hear from me later this week I am sure.

This is very good news :)

I think this answer/customization is more suited for portal.pfsense.org Presently, the answer is no.

Thanks for your feedback. Now I know what your problem was like. Thanks for sharing this info!

It needs development, i am unsure which other products can do this, but you might try even commercial support(portal.pfsense.org) to see what you get.

I forgot to mention I am using intergrated freeradius server to authenticate the users

@cmb: The "Pass-through credits allowed per MAC address" could potentially work for that. Only problem is you'd have to put a hard limit on all CP sessions equal to 1 hour to force users off after an hour for that to function. There isn't a great way to accomplish that without some custom development, you could hack it in to force only the pass-through credit users off within 1 hour. . thanx, i try this but its not option. i work on this, and if you have more idea, i realy appreciate that. thanx agin

Just prefix first post subject with [Solved].

I created a simple HTML page as a custom portal, using the <form>code that is on the Captive Portal page as an example.. i uploaded it and i get this error that i dont know what to do about: Jan 5 15:31:12 php[46101]: /index.php: Captive portal could not determine client's MAC address. Disable MAC address filtering in captive portal if you do not need this functionality. I just have a username and a password on the form, nothing about MAC.. how do i get back to the original portal page now?</form>

Replied to you on that other post for you wonder and forum history.

Find how to use XML-RPC with pfSense.

@cmb: We do actually have support for wildcard hostnames in a private build right now, it's still under development and being tested, but it appears to work nicely. It just snoops all the DNS responses, and if you allow *.example.com it allows every IP that's returned via DNS for *.example.com. No extra overhead in doing additional DNS lookups or anything else crazy like that. When or whether that hits the open source side, I'm not sure yet. @deltaend: Does pfSense support setting up a password protected proxy system so we can program TeamViewer and other allowed programs to byass the captive portal by going through the proxy with a username/password? Could probably do that with Squid. I love you guys.  Hopefully wildcards gets some attention for the next release build as this is very important for captive portal builds. Regarding setting up Squid to bypass the Captive portal, it doesn't appear as if that works.  If I have both Captive portal and Squid on the same interface, Captive portal will always require authentication before allowing itself to be used as a proxy.  If I try to set up a virtual interface and bridge it with the WAN, Captive portal will throw a warning and won't turn on saying that it can't be activated on a bridged connection.  So, short of having two firewalls, I don't see another way to make that work.