you can auth captive portal "directly" at AD.  you'd have to add NPS as a server role on your windows server (network policy and access service).

there's a sticky post on this subsection of the forum https://forum.pfsense.org/index.php?topic=63791.0
                                                                                                                                  ^^^ at the bottom of that post is a link to a PDF that contains pictures/screenshots of the whole process

Turns out the problem is the DNS servers entry in DHCP server for WIFI interface. Seems to be working if I use the system default DNS servers.

Sorry for the confusion.

SOLVED problem
THANKS

wouldn't that just make it overly complicated?

why don't you just handout vouchers that are valid for X hours ?

lookup radius / freeradius for more intel on that

Thanks for the reply, this seems like a pretty strong game killer for captive portal.  One of the main reasons I need to white list devices includes xbox live, and psn (student dorms).  The PS3/PS4/360/XBone devices do not play nice with the captive portal at all.  In fact the XBone requires you to sign in to xbox live before you can browse the web it seems, thus obviously you can bring up the captive portal page.  I am considering trying to whitelist the xbox live and psn networks by host name to see if that helps…

EDIT: but of course while that will allows the devices to sign into the gaming networks, it wont allow other sites and services to work on those devices...

@gasaraki:

OK, I have the captive portal working with radius authentication. Now the next step is adding https to that captive portal. I have a cert added in the cert manager, went to captive portal, turned on https and pointed to my cert. Boom, captive portal stops working. Am I missing something? Is there something wrong with the cert that it's not telling me even though everything looks ok?

Does pfSense trust your entire certificate chain?  If not, you may need to install some intermediate and/or root CA certificate(s) as well.  I know we had to do that for our GlobalSign issued certificates.

I rebooted the system and configured it again and now is working properly…
Thanks

Hello

Thanks for your  answer.
In the first case we was just transfering our old 2.03 configuration into  a new machine with 2.1 installed. It is one Wan net and three subnets  ( 4 network cards in total ) Immidiately the day after we got messages from the users that the AIRBUS maintenance site could not be properly loaded. When we looked at it was like bits and pieces were left out. When we put his computers MAC in pass list everything works fine. But we do not want to open full internet access to these people as they dont need it.
I tested this on our second 2.1 pfsense site and got the same result.
After that i tested www.aftonbladet.se this one gets totally broken on 2.1 but loads ok in my 2.03 site.
However this morning i did the same test with www.yahoo.com and this one does not work neither in 2.03 or in 2.1.
These sites may load other additional pages i suppose but as it works in 2.03 with aftonbladet. se ( who also loads tons of other pages ) it should normally work
in 2.1 as well.

best regards
Toby

I pushed a fix that might possibly help this in case it was not a config issue.

It will be replaced.

Just adding this thread here

loopthread.PNG
loopthread.PNG_thumb

You could always redirect them to something other than your main page.  Maybe a "You are now connected to the Internet" page or something.

Also seems like your eMarketing team is being sort of whiny.  They could always just discard the hits from the DHCP scope in question.

Are you using "per user bandwidth restrictions"? And/Or "Bandwidth Up" / "Bandwidth Down" values on the allow hostname?

An Update….

I've now been running using allowed IP rather than allowed host for some time without any problems at all.
So there is an issue with the DNS lookup process that updates the ipfw tables.