• Automating Authentication Profiles for Splash Page

    2
    0 Votes
    2 Posts
    441 Views
    GertjanG
    Hi, @Bashlory said in Automating Authentication Profiles for Splash Page: The aim is to easily create login details for guests staying in a small hotel, valid for the duration of their stay. Yeah. And while you're at it, use the hotel's PMS so that during check-in the accounts get created and activated, and during check-out the account is destroyed. I managed to implement such a thing with pfSense, it worked well. And true, the receptionist doesn't need to have access to pfSense or anything. pfSense and the captive portal have several options to identify the visitors : user/password or vouchers, you can also use the package FreeRadius to do basically the same thing, with much more control over how long, how much etc. Even OTP is possible. Btw : I had to edit the way how FreeRadius config files were created, so it uses the SQL database instead of a flat text file for user identification. Now I could "inject" new users, password and other details into the SQL database from other sources in the network, like the PMS adding and deleting users without having to change FreeRadius settings in pfSense. The down side was : I had to manually edit the package source files, and create the facility for the PMS to drop user info into the database, something that has to be taken care of after every update on both sides. Not really a problem for me, as I can do it remotely. And most and for all : it's 'my' pfSense, and it's 'my' hotel, I'm in control, and I need no one to take care of things when there are issues, I just need my hands and head. And yes, some basic PHP (Python, shell script etc) is not an option here. Actually, you have to know how things really work before you start changing them. I finally chose to have login user names like 101, 102, 103, 104 etc, our room numbers. The small booklet in the room the "room directory", on the first page, right after the "Read me first" I mention a room unique password. I never change these passwords. 
This works great for many years now. Actually, it's just perfect since pfSense was created (forked) , a decade ago. I advise you to go for the most important automation design rule : "Keep It Simple". @Bashlory said in Automating Authentication Profiles for Splash Page: valid for the duration of their stay. Not really needed, because, when a client leaves, they won't be able to connect any more ;)
  • 3 devices per voucher

    Moved
    9
    0 Votes
    9 Posts
    890 Views
    M
    I did change it to "Interim", still not working. This is my configuration: [image] [image] [image] [image] [image]
  • Syslog Not showing Devices added/deleted on Captive Portal

    2
    0 Votes
    2 Posts
    329 Views
    GertjanG
    @velbon said in Syslog Not showing Devices added/deleted on Captive Portal: user A That would be a user A that has the rights to login into pfSense and can actually visit the page where a MAC can be deleted. When I visit this page, Services > Captive Portal > cpzone1 > MACs to add a MAC, I see this in the syslog (not the pfSense System log page, a real syslog ) 04-24-2020 10:26:30 Local5.Info pfsense Apr 24 10:26:34 nginx: 2001:470:1f13:5c0:2::c6 - - [24/Apr/2020:10:26:34 +0200] "GET /services_captiveportal_mac_edit.php?zone=cpzone1&act=add HTTP/2.0" 200 6878 "https://pfsense.brit-hotel-fumel.net/services_captiveportal_mac.php?zone=cpzone1" "Mozilla/5.0 (Windows NT 6.1; rv:75.0) Gecko/20100101 Firefox/75.0" 04-24-2020 10:26:21 Local5.Info pfsense Apr 24 10:26:26 nginx: 2001:470:1f13:5c0:2::c6 - - [24/Apr/2020:10:26:26 +0200] "GET /services_captiveportal_mac.php?zone=cpzone1 HTTP/2.0" 200 6694 "https://pfsense.brit-hotel-fumel.net/services_captiveportal.php?zone=cpzone1" "Mozilla/5.0 (Windows NT 6.1; rv:75.0) Gecko/20100101 Firefox/75.0" Btw : 2001:470:1f13:5c0:2::c6 is the IP of my PC. I was actually logged in etc ... here : Apr 24 10:26:11 php-fpm 31452 /index.php: Successful login for user 'admin' from: 2001:470:1f13:5c0:2::c6 (Local Database) edit : so, your captive portal users can also use their access credentials to enter the pfSense GUI ??? Don't tell me that that is true ....
  • Login Page Customisation

    2
    0 Votes
    2 Posts
    309 Views
    GertjanG
    Hi, @inghaj said in Login Page Customisation: but every time I disable and reenable the Captive Portal it gets overwritten! Because the page you design yourself, and uploaded, is stored in the main config file. So, again, you should design your own 'html' page, and upload it. Check the captive portal settings page again, and the pfSense manual. Start by checking "Use custom captive portal page" and read the text being shown carefully. [image] To get a starting point : connect to your captive portal, you'll see the default login page. Ask your browser to show you the html ^^ Also, have a look at the official Netgate videos.
  • 0 Votes
    3 Posts
    215 Views
    GertjanG
    @sana said in pfSense with daloRadius to configure download quota limiting: daloRadius pfSense daloRadius @sana said in pfSense with daloRadius to configure download quota limiting: But when I add certain attributes for bandwidth limiting or download quota limiting, Added to pfSense ? On the daloRadius side, these must exist also.
  • Captive Portail on cloud

    2
    0 Votes
    2 Posts
    413 Views
    GertjanG
    @themistocle221 said in Captive Portail on cloud: If so, which technology should be used to make the link between the remote pfSense server and the local users. Hummm. You should 'bridge' (L2 only) the link between the local users and the RFC 1918 style IP used by pfSense 'in the cloud'. That is : no router(s) between your users and pfSense. This excludes, among others, a VPN uplink. The real answer is probably : the question is too difficult, the answer will be worse. A portal should be handled and setup locally. Btw : you are aware of the fact that you're posting in the English section of the forum ? [image] In that forum the most incredible questions are asked, only being surpassed by the answers, if possible.
  • 0 Votes
    8 Posts
    3k Views
    GertjanG
    When "sql" is used, the test.log should confirm this : @anand_phulwani said in Captive portal + FreeRadius: How to use same user login on limited number of devices concurrently.: radiusd -X >> test.log You'll be seeing lines being loaded at startup like : including configuration file /usr/local/etc/raddb/mods-enabled/sql including configuration file /usr/local/etc/raddb/mods-config/sql/main/mysql/queries.conf including configuration file /usr/local/etc/raddb/mods-enabled/sqlcounter including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf including configuration file /usr/local/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf .......... .......... simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" which are used for connection counting. 
These (0) files: users: Matched entry DEFAULT at line 1 (0) files: users: Matched entry DEFAULT at line 387 (0) files: users: Matched entry x at line 390 Line 1 : DEFAULT WISPr-Redirection-URL := "https://www.google.com/" Fall-Through = Yes and line 387 : DEFAULT Simultaneous-Use := 2 Fall-Through = Yes Line 390 : my user : "x" Cleartext-Password := "x" When the user logs in, using this option in the portal settings : [image] the number of connected users is counted : (10) sql1: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'x' AND acctstoptime IS NULL and it's the result of this query that is used against "Simultaneous-Use". ( I guess )
  • Freeradius + Captive Portal . Unable to "Assign IP address"

    2
    0 Votes
    2 Posts
    156 Views
    jimpJ
    By the time a user reaches Captive Portal they already have an IP address. You can't reassign them an address after Captive Portal login. It's too late. To assign IP addresses to a user via RADIUS on a local network you need L2 access control like 802.1x -- in your switches/APs, not the firewall.
  • pfsense captive portal and free radius

    2
    0 Votes
    2 Posts
    478 Views
    GertjanG
    Hi, This works for me : In the captive portal settings : [image] and [image] This is a user setting in FreeRadius : [image] A speed test confirms the half megabit speed.
  • How to change captive portal TTL value ???

    2
    0 Votes
    2 Posts
    656 Views
    GertjanG
    Hi, You want to 'reset' the TTL info in the coming-back traffic, initiated by the portal visitors, to 1, so it should be discarded by the next hop, or, the device acts as a router / shares the connection. All returning packets have to be somehow mangled. That would actually work I guess. But first you have to write that stateful firewall, or modify an existing one, that actually permits you to do so. Look here, from 2005 : https://lists.freebsd.org/pipermail/freebsd-net/2005-April/007098.html edit : pfSense, the captive portal, uses ipfw. All you need is that user-land program.
  • 0 Votes
    10 Posts
    849 Views
    A
    Already done by default : [image]
  • captive portal requires login again from ptp end

    2
    0 Votes
    2 Posts
    145 Views
    GertjanG
    @colleytech said in captive portal requires login again from ptp end: when you look at the active voucher list, your device mac will not be registered, instead, the mac of the M5 will be registered. Your "point to point" connection to the other side of the road introduced a router in the circuit. In that case, the portal only sees the IP and MAC of that router, not the IP and MAC of the connected client device. You're probably using some AP on the other side that is a client to your local Wifi access point, and behaves as a router. I advise you to use AP's that use a Wifi distribution called "WDS".
  • Captive Portal shows 404 post login after upgrade to 2.4.5

    3
    0 Votes
    3 Posts
    815 Views
    GertjanG
    @eroji said in Captive Portal shows 404 post login after upgrade to 2.4.5: It appears to be configuration problem, possible as a result of the upgrade The upgrade didn't change the configuration settings. What did change is the way how redirecting was applied. This is the way things were done before ( 2.4.4-p3 and before) : First, if "After authentication Redirection URL" (= $cpcfg['redirurl']) is set, the redirect URL is set to that. If not, if the initial request ( == $orig_request) exists, the browser will get redirected to that site/page. If not, if a browser REQUEST URL contains "redirurl" as a parameter, then that gets used. Test 1 forces the visitor to be redirected to the "After authentication Redirection URL" URL. With 2.4.5 that changed : First, if the initial request ( == $orig_request) exists, the browser will get redirected to that site/page. If not, if a browser REQUEST URL contains "redirurl" as a parameter, then that gets used. If not, if "After authentication Redirection URL" (= $cpcfg['redirurl']) is set, the redirect URL is set to that. So, "After authentication Redirection URL" only gets used if the first 2 tests are false. Note : test 1 seems a bit awkward. $orig_request == $_REQUEST['redirurl'] is tested (grep) for the string "redirurl=(.*)", or it should contain an URL, not something like "redirurl= http://captive.apple.com/hotspot-detect.html" - I guess this test always fails .... Test 2 is (nearly) always going to be true because the visitor's browser will use an initial test "http" URL - iPhone = http://captive.apple.com/hotspot-detect.html so, after ID ok, it should be directed to this URL ... Btw : this new behaviour, IMHO, is not what the description tells us : Set a forced redirection URL. Clients will be redirected to this URL instead of the one they initially tried to access after they've authenticated. Test 3 will use the "After authentication Redirection URL" URL. 
I guess this will happen if the user is visiting the captive portal the explicit way, using an URL like http://1.2.3.4:8002/index.php?zone=cpzone where 1.2.2.4:8002 is your pfSense portal interface and port cpzone = the captive portal zone name. Note : the nginx redirection logic : if ($http_host ~* 1.2.4.4) { set $cp_redirect no; } if ($http_host ~* yourportal.pfsense.tld) { set $cp_redirect no; } if ($cp_redirect = '') { rewrite ^ /index.php?zone=cpzone1&redirurl=$request_uri break; } side note : if ($cp_redirect = '') { is bad and makes nginx throw out a warning : a variable is used without initing it first. Somewhere higher up in the config this should be there : set $cp_redirect ''; end side note. For myself, I didn't notice this behaviour, because I'm using FreeRadius as an identification source, and in that case, the Redirection URL is taken from FreeRadius and handled the 'correct' way.
  • [SOLVED] RADIUS accounting packets seem to be broken.

    7
    0 Votes
    7 Posts
    3k Views
    H
    @Aubin any solve?
  • Unauthorized Captive Portal Users Can directly connect to internet

    3
    0 Votes
    3 Posts
    420 Views
    O
    @Gertjan Thanks Mate!! after trying a lot of things, I removed the allowed IP address in the captive portal and it worked... Anyways, thanks for the help!
  • Allowed Hostnames Issue

    2
    0 Votes
    2 Posts
    326 Views
    mohkhalifaM
    Your soonest HELP is highly appreciated
  • Captive Portal session

    4
    0 Votes
    4 Posts
    628 Views
    GertjanG
    How is this captive portal related ? The captive portal is not a package, it's built in natively.
  • Hard timeout doesn't work

    5
    0 Votes
    5 Posts
    796 Views
    G
    @Gertjan said in Hard timeout doesn't work: pfSense Ultimate Manual thanks for that (https://docs.netgate.com/manuals/pfsense/en/latest/the-pfsense-book.pdf) it shows a little more detail on the hard timeout. And mentions radius. It looks like it actually should work regardless of authentication method... I found under the CP authentication section there is a Session timeout check box for "Use RADIUS Session-Timeout attributes" If I disable this the hard timeout works with freeradius! cheers
  • Turn a notebook into a "wifi server"

    1
    0 Votes
    1 Posts
    139 Views
    No one has replied
  • Captive portal manual logout page address

    105
    0 Votes
    105 Posts
    60k Views
    GertjanG
    @guntery said in Captive portal manual logout page address: uh? It logs out the user who goes to that page not all users. I stand corrected. Had to review the script and true, the caller gets logged out. Sorry for the noise ^^
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.