• captive portal auth with saml support ?

    0 Votes
    3 Posts
    325 Views

    @darnoldvcs If pfSense had native SAML support, the user could make the most of the captive portal with other 2FA, such as casdoor and other SSO solutions.
    pfSense can be the NAC.

  • Captive Portal configuration for multiple VLAN

    0 Votes
    3 Posts
    838 Views

    @Gertjan Thank you for your response and effort, it all makes sense then. I will try out the different DNS overrides and see how that goes.

  • CAPTIVE PORTAL BLOCKS PING

    0 Votes
    3 Posts
    513 Views

    @Gertjan Thanks

  • 0 Votes
    3 Posts
    380 Views

    @johnpoz Thanks, I will do some more exploration today. I know that in the downloaded zip of the certs there is the:

    cert1.pem
    chain1.pem
    fullchain1.pem
    privkey1.pem

    The import into pfSense only asked for the cert and private key. When I import into other applications like Synology they ask for the private key, certificate, and intermediate key chain.

    More fun on a Saturday...

    Solved it. Needed to use "fullchain1.pem" for the certificate field. Problem went away. It was your detailed walkthrough example that led me to think of this.

    Thanks again @johnpoz

  • How to schedule user acesss with freeradius?

    0 Votes
    5 Posts
    651 Views

    Hi,
    After a few days of tests, the firewall solution works.
    I'm still searching how to do that with FreeRadius and groups.

  • Captive portal for OpenVPN clients to implement a MFA

    0 Votes
    5 Posts
    1k Views

    Not exactly, I mean you connect using OpenVPN, so you do the first authentication user+password against a freeradius.
    That is what I'm doing now: an external freeradius authenticates "password+OTP" with a freeradius perl module.
    OpenVPN clients can connect to the vpn server and when they are connected a captive portal asks for the second authentication factor.
    The main problem is that the openvpn client won't ask for a second auth, it only accepts user+password, so the workaround is to use a "password+OTP" string in the password field.
    That can be done because you know the Google Auth OTP before the auth process, but with an SMS, email, ... sent you won't know that second "password" unless you did the first auth.

    BTW, I managed to connect to a captive portal disabling MAC filtering.

    @Gertjan said in Captive portal for OpenVPN clients to implement a MFA:

    @elbuit

    Isn't this a chicken and egg problem ?

    If you want to connect to the captive portal, your VPN client has to connect first.
    For the VPN client to be able to connect, you have to connect to the captive portal first.

    OpenVPN : if you want several choices to identify, you could consider using Freeradius as an authentication service for the OpenVPN server.
    Not the client btw. The OpenVPN client can only connect to an OpenVPN server.

    See here : Authenticating OpenVPN Users with FreeRADIUS

    LDAP can also be used.

  • Can you only require a voucher after a set amount of time?

    0 Votes
    3 Posts
    476 Views

    @gertjan Thank you! That was the answer! I set the hard timeout to 30 minutes, 1 passthrough credit per mac address, and a 24 hour waiting period before they get another free credit.

  • Is voucher in url still available?

    0 Votes
    4 Posts
    586 Views

    @kabeda said in Is voucher in url still available?:

    I still don't know

    So you know what you're looking for.

    $_GET['voucher']

    Open source ... heard about that one ?
    So, go here : https://github.com/pfsense/pfsense/tree/RELENG_2_6_0

    Then click your way to /src/usr/local/captiveportal/index.php
    Look for, search, Ctrl-F "$_GET['voucher']" on that page.
    It's there 😊

    Next test : on your pfSense, you have the console access.
    Use it.
    Use option 8.

    grep "GET\['voucher'\]" /usr/local/captiveportal/index.php

    You'll find the same thing.

    Btw : when you use vouchers, it's important that you have this https://github.com/pfsense/pfsense/blob/master/src/etc/inc/captiveportal.inc#L156 in your own portal (html) page.
    You can add PHP into your html portal page.


  • How to translate captive portal reply messages?

    0 Votes
    11 Posts
    1k Views

    Hi,
    I think I finally found how to do it.

    first, in
    /usr/local/www/services-captiveportal.php

    find and add the lines marked with comments

    if ($a_cp[$cpzone]) {
        $cpzoneid = $pconfig['zoneid'] = $a_cp[$cpzone]['zoneid'];
        $pconfig['descr'] = $a_cp[$cpzone]['descr'];
        $pconfig['cinterface'] = $a_cp[$cpzone]['interface'];
        // get the language from the config
        $pconfig['language_cp'] = $a_cp[$cpzone]['language_cp'];
        // if it is not set, fall back to the global language
        if (!isset($pconfig['language_cp'])) {
            $pconfig['language_cp'] = $g['language'];
        }
        $pconfig['maxproc'] = $a_cp[$cpzone]['maxproc'];
        $pconfig['maxprocperip'] = $a_cp[$cpzone]['maxprocperip'];

    and

    $newcp['descr'] = $_POST['descr'];
    // get the language from the post variables (this value is later passed to setlocale(),
    // so it should be one of the keys returned by get_locale_list())
    $newcp['language_cp'] = $_POST['language_cp'];
    $newcp['maxproc'] = $_POST['maxproc'];

    and

    $section->addInput(new Form_Select(
        'cinterface',
        '*Interfaces',
        explode(",", $pconfig['cinterface']),
        get_configured_interface_with_descr(),
        true
    ))->addClass('general')->setHelp('Select the interface(s) to enable for captive portal.');

    // add the language selector to the form
    $section->addInput(new Form_Select(
        'language_cp',
        '*Language',
        $pconfig['language_cp'],
        get_locale_list()
    ))->setHelp('Choose a language for the Captive portal');

    $section->addInput(new Form_Input(
        'maxprocperip',
        'Maximum concurrent connections',
        'number',
        $pconfig['maxprocperip'],
        ['min' => '0', 'max' => '100']
    ))->setHelp('Limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged in ' .
        'to the captive portal, but rather how many connections a single IP can establish to the portal web server.');

    then in /usr/local/captiveportal/index.php
    after

    header("Expires: 0");
    header("Cache-Control: no-cache, no-store, must-revalidate");
    header("Pragma: no-cache");
    header("Connection: close");

    global $cpzone, $cpzoneid;

    $cpzone = strtolower($_REQUEST['zone']);
    $cpcfg = $config['captiveportal'][$cpzone];

    add

    // get the language configured for this zone
    $lang = $config['captiveportal'][$cpzone]['language_cp'];
    // apply it the same way pfSense does
    putenv("LANG={$lang}");
    setlocale(LC_ALL, $lang);
    textdomain("pfSense");
    bindtextdomain("pfSense", "/usr/local/share/locale");
    // the codeset argument is a charset, not the locale name
    bind_textdomain_codeset("pfSense", "UTF-8");

    That's all, it works for me. I don't know how to show the changes with github.

  • 0 Votes
    5 Posts
    971 Views

    @gertjan
    btw, I changed the mode to "last login" in the captive portal settings and then it worked fine for me; clients should re-enter the code at the time of the DHCP lease.

  • OpenVPN in captive portal

    0 Votes
    4 Posts
    1k Views

    @gertjan said in OpenVPN in captive portal:

    Btw : what is your pfSense version ?

    edit :

    Who/where is the VPN server ?

    @andoniar78 said in OpenVPN in captive portal:

    Pass-through MAC


    If you have a device with aa:bb:cc:dd:ee:ff, then there won't be any captive portal login page; the connection will be transparent, as if there were no captive portal at all.

  • My captive portal

    3 Votes
    9 Posts
    1k Views

    @gertjan said in My captive portal:

    @bamb

    If you enable the logout page in pfSense, you are only half way.
    The browser on the device should also accept and show the popup window.
    Guess what : most users disable them ;)

    A good plan B is : have the users auto logged out if they don't use the connection any more.
    Set the soft time out to 15 minutes or so.

    Indeed, that is a good plan B.

  • Captive portal shows blank page

    0 Votes
    2 Posts
    1k Views

    @vanlier said in Captive portal shows blank page:

    Here is the situation before activating captive portal:

    clients connect to wifi
    they get a 192.168.50.x ip address from dhcp with dns 192.168.50.254
    they can browse the internet (dns resolution and internet access are working)

    Important test ! Good to know.

    @vanlier said in Captive portal shows blank page:

    Here is the situation after activating captive portal:

    clients connect to wifi
    they get a 192.168.50.x ip address from dhcp with dns 192.168.50.254
    nothing happens

    Using the 'default' built-in login page, right ?
    You can't say that 'nothing happens' : you can't 'see it', but something happened.
    Every OS on planet earth will throw out an http:// request as soon as it has obtained a DHCP lease.

    Check here : Status > System Logs > System > GUI Service
    Every OS uses its own http request.
    For my iPhone it's :


    This is the page that it wants to download :
    http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html
    Better known as :
    http://captive.apple.com/hotspot-detect.html
    Click on it and you'll see what happens.
    You should see this :


    If the html page doesn't contain "Success" then the device starts to presume a captive portal might be present.
    Now, the OS launches a stripped down web browser, not the full-fledged IE, Chrome, Edge, Firefox, but a small bare-bones browser. It's launched with the same web destination : http://captive.apple.com/hotspot-detect.html
    First, again, "captive.apple.com" will get resolved (it was already found during the same test, some ms before).
    Then the browser connects to the IP on port 80 (remember : http), and asks for the page /hotspot-detect.html

    On the pfSense side, this "some destination IP : port 80" request gets redirected to the internal login portal web page server on port 800x with the help of a firewall rule (pfSense 2.6.0 : ipfw rules - the newer pfSense uses pf now).
    The portal page web browser does just one thing : it redirects the requesting browser to
    (your case) http://192.168.50.254/index.php?zone.....


    It also adds a 'zone' parameter and a 'redirect' parameter.

    The result will be of course : the captive portal login page shows up.

    So : to make this work, one thing needs to work for sure : DNS.
    The captive portal firewall rule works, that is for sure. If not, Netgate and FreeBSD will go out of business tomorrow.

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/captiveportal.html

    Btw : you already know that the 'default' pfSense 2.6.0 needs portal patches, right ?

    @vanlier said in Captive portal shows blank page:

    Disable mac filtering

    That's OK if you want to 'break' things.

    @vanlier said in Captive portal shows blank page:

    Set various redirect urls

    https://www.google.com works fine.

    @vanlier said in Captive portal shows blank page:

    add firewall rule allow any any on interface "guest"

    The GUI firewall rules ? None is needed (I guess ?), the authentication will still work.
    But as soon as you are authenticated, you can go nowhere.
    Use the default LAN pass all TCPv4* rule to begin with.

    @vanlier said in Captive portal shows blank page:

    However when opening the same page with the pfsense ip in the guest subnet (http://192.168.50.254:8002

    Invalid request.
    The ?zone=xxxx parameter needs to be present.

    These :


    don't work for you ?

  • Captive portal block whatsup

    0 Votes
    32 Posts
    7k Views

    @ertegun

    You just allowed (white listed) all the IP addresses, starting from 192.168.60.1 to 192.168.60.254, or, the entire /24 network. Your entire captive portal network ?

    All the devices that get an IP assigned in that network will pass through the portal without seeing any login page whatsoever.

    You might as well shut down the captive portal completely : that works also great.

    The issue (if I recall well - 2.6.0 is a long time in the past for me) was : pfSense 2.6.0 only passes TCP traffic, not ICMP, nor UDP. That was a big bug, and broke a lot.

    As said on the first line, above :

    @moelharrak said in Captive portal block whatsup:

    After upgrading to 2.6 the captive portal is blocking whatsup (audio and video; chat works fine). I tested other apps like instagram and they work fine.
    When I disable the captive portal, whatsup goes back to working normally.

    See also : UDP/ICMP is not working after upgrade to 2.6.0

    I guess it's still a question of : install the System patches package, then apply all the patches listed in this package.
    Done.

  • Idle Time Accounting or Idle timeout ?

    0 Votes
    7 Posts
    1k Views

    @gertjan I understand. When I mentioned that I preferred a minimum downtime of 15 days, it is because I see no sense in users logging in daily, since they already belong to the institution. In the case of a hotel it is different, because people stay for a few days and leave. In my case, I wanted sessions to be disconnected only when users took vacations or no longer belonged to the institution.

    Anyway, now I understand the process. Now I'm just going to decide which way to go. Thank you very much for the clarification !!!

  • Inglés Show captive portal logged in users

    0 Votes
    4 Posts
    990 Views

    @cxcx_avjj

    Hummm.

    After a success login, I simply redirect the user to the known :


    as that would make the user understand he is 'online'.

    But I could also redirect to a "home made", locally available web page, like the portal login page.
    This file should be uploaded with Services > Captive Portal > CPZONE > File Manager.
    Be aware : the prefix "captiveportal-" will get prepended.

    Take a look at what this button shows you :


    You will see the login page.
    And more importantly : the URL used, with the port number, as it is not port 80 (http) or 443 (https). Probably an 800x port.
    And the zone ID used, with a parameter called 'zone'.

    So, this is possible :

    Where :
    https://portal.yourzone.tld = your captive portal URL - mine is an https access
    :8003/ = the port of this 'cpzone1' ID access
    captiveportal-recap.html = my home made file called 'recap.html'
    ?zone=cpzone1 = my zone ID of this portal zone

    The "recap.html" html can use PHP !
    And because you can use PHP, and the recap.html is called with the "?zone=cpzone" parameter, you can now access whatever you want !

    Take /usr/local/captiveportal/index.php as an example. You'll see how it extracts the zone argument.
    If, for example, you use vouchers, you can test vouchers for time left : Status > Captive Portal > CPZONE > Test Vouchers
    Just take a look at /usr/local/www/status_captiveportal_test.php and you'll know how to extract the time from a given voucher.

    How do you know what voucher is used ?
    Well, your 'recap.html' can obtain the IP your device is using.
    With this IP, and the "connected users database" (see /etc/inc/captiveportal.inc - this file is a must-read-and-understand) you can get the user login code, which is the voucher code.
    With the voucher code you can obtain the time left.

    Want to know what the default popup logout window does - or how to log out a user?
    Again, go have a look at /etc/inc/captiveportal.inc

    So, yes, the sky is the limit.
    And yes, this goes beyond what you can find in the GUI.

  • Traffic Quota reset period (Caravan park use)

    0 Votes
    2 Posts
    330 Views

    @timboau-0 said in Traffic Quota reset period (Caravan park use):

    Each 'site/user' can login using their site number and a password

    Probably better to use a unique number like a reservation number.
    If you use a "site" (place) then you have to deal with overlap between clients.

    Freeradius makes it possible to put an "Expiration Date" on every created user so you don't have to log out users yourself. You can clean up the 'users' list at the end of the season, and enter new ones when reservations come in.

    A reservation number would be unique, and will be invalidated when the client leaves, as arrival and departure dates are known upfront.
    This will also take care of the traffic quota per user : everybody uses their own traffic quota counter.

    Daily traffic quotas can be reset 'every day' :


    I have a cron task that resets the daily 'used' counter every day at noon :


  • freeradius+mysql not recording usage properly

    0 Votes
    2 Posts
    443 Views

    I may have resolved this. I had the captive-portal zone configured as
    I changed Send accounting updates

    Now, when I submit the SQL query,
    SELECT radacctid,username,acctstarttime,acctupdatetime,acctstoptime,acctinterval,acctinputoctets,acctoutputoctets FROM radacct
    multiple times, I see ( in long format again )
    query name value
    <int> <chr> <chr>
    1 1 radacctid 1
    2 1 username ec:92:de:1b:16:4d
    3 1 acctstarttime 2023-03-31 15:07:43
    4 1 acctupdatetime 2023-03-31 15:10:55
    5 1 acctstoptime NULL
    6 1 acctinterval 60
    7 1 acctinputoctets 257562
    8 1 acctoutputoctets 10413921
    9 2 radacctid 1
    10 2 username ec:92:de:1b:16:4d
    11 2 acctstarttime 2023-03-31 15:07:43
    12 2 acctupdatetime 2023-03-31 15:11:56
    13 2 acctstoptime NULL
    14 2 acctinterval 61
    15 2 acctinputoctets 283941
    16 2 acctoutputoctets 11085058
    17 3 radacctid 1
    18 3 username ec:92:de:1b:16:4d
    19 3 acctstarttime 2023-03-31 15:07:43
    20 3 acctupdatetime 2023-03-31 15:12:57
    21 3 acctstoptime NULL
    22 3 acctinterval 61
    23 3 acctinputoctets 530469
    24 3 acctoutputoctets 20836789
    25 4 radacctid 1
    26 4 username ec:92:de:1b:16:4d
    27 4 acctstarttime 2023-03-31 15:07:43
    28 4 acctupdatetime 2023-03-31 15:24:06
    29 4 acctstoptime NULL
    30 4 acctinterval 60
    31 4 acctinputoctets 530469
    32 4 acctoutputoctets 20838821

    The acctupdatetime value increases across the 4 queries and the acctstoptime is NULL ( the session is still active ). The values of acctinputoctets and acctoutputoctets are ( monotonically ) increasing.

  • maximum daily usage time error following update to 23.01

    0 Votes
    6 Posts
    787 Views

    @turntheterribletank said in maximum daily usage time error following update to 23.01:

    You're setting Accounting Interim Interval to 600

    AFAIK : because I'm using accounting with my captive portal settings :


    Strange that you have these fields set to "0" when the same fields are empty on your FreeRadius user settings page.
    I don't have these "0" parameters.

    The presence of the Exec-Program-Wait = "/bin/sh /user/local/etc/radbb/scripts/datacounter_auth.sh Test daily" doesn't look good at all.
    See what the script does.
    Check for yourself if a file like
    /var/log/radacct/datacounter/daily/max-octets-Test
    exists.
    If that's so, and it contains '0', then yeah, when the user logs in he will already have generated more than "0" bytes so he'll be logged out right away.

  • mac filter on captive portal not working after configuration restore

    0 Votes
    2 Posts
    376 Views

    @assistenzanet95

    You have some digging to do in the past, here, on this forum.
    If I recall well, when 2.6.0 came out, there was an issue with the portal : only TCP was passed, no UDP, no ICMP.
    Solutions were posted, and there was even a system patch that came with the pfSense system patches package (?).

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.