I just reported the same problem here http://forum.pfsense.org/index.php/topic,62465.0.html with a possible fix. Lets hop :)

Thanks

@sheepthief: Success! 1. Initial problems were down to me having the login page as a sub-subdomain of the wildcard domain. 2. The more interesting problem I encountered after fixing item 1, was that at the login page Opera and Safari threw up certificate warnings, whereas Firefox and IE didn't. ;) than its fine. => yes, thats a problem. I don't know if an "official" certificate registrar ever offers such multilevel wildcard domains (ok, CaCert.org would but that registrar ist maximum only implemented in Firefox as I know) for complete "documentation": that is the CRL URL defined in certificates.   For instance Google:       URI: http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl mmh, when I tried to get cert and ospf uri per request: $ echo -n | openssl s_client -connect www.google.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -issuer -ocspid -ocsp_uri subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com issuer= /C=US/O=Google Inc/CN=Google Internet Authority there is no URL ^^… seems that OCSP ist an additionional CRL to make it more "secure" (looking ^^). ok, other site as example... here it works: $ echo -n | openssl s_client -connect www.amazon.de:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -issuer -ocspid -ocsp_uri subject= /C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=www.amazon.de issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa 10/CN=VeriSign Class 3 Secure Server CA - G3 http://ocsp.verisign.com ok, Verisign, you pay much more than at other registrars… so you also should got more out ;) CRL than this way: $ echo -n | openssl s_client -connect www.google.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text | grep -i crl             X509v3 CRL Distribution Points:                 URI:http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl

The Mod_evasive issue is fixed with 2.0.3, that seems to have solved many of the CP problems we were having, in combination with the DHCP timeout changes suggested.  I haven't had a CP issue for several weeks now. Thanks Josh

I see we have different versions and configs. I am running pfSense 2.1-BETA1 snapshot - this has the CP "zone" feature. Also, I have authentication set to "Local User Manager / Vouchers". Thank you for showing your working config of radius authentication. I have radius package installed and so will set it up the same and see the result.

That is sent to the captive portal auth log, so if you setup a syslog server to keep those records as long as the law requires, it should suffice. Though tying a user's external traffic to their internal IP is tougher, for that you may need to setup and keep netflow records for the same time period.

in Captive Portal, you should check "Disable concurrent logins"… when you checked this option, if a user named "frank" logins at his pc, after that if the same user logins at a different pc, earlier session automaticallu closed, and the last session will be current. this means that, somebody can login only once at the same time by using the same username... But if you want that a user can login at maximum 4 pc by using the same username, then in freeradius you should use Simultaneous-Use attribute… @tripplex: how can i change the number of users that can be logged in the captive portal to use the internet.  right now i has no limit so for example if  i create a user acoount= frank: frank can only be logged in once if anyone tries to use his credential it will give them an error message stating that frank already logged in please use a different username and password. something like that somone please help me  :( :( :(

I have been using pfSense 2.0.3 and in this version there are no zones. in /var/etc, lighty-Captiveportal.conf file exists. but as far as I know, captiveportal automatically creates lighty-CaptivePortal.conf file according to the settings on captiveportal.inc and system.inc… The settings about auto-creation of lighty-Captiveportal.conf file, exist in system.inc file for that reason I added the evasive.silent="enabled" line to the system.inc file....bu it didn't work and didn't recognize the evasive.silent @clart: try putting it at end of file in; /var/etc/lighty-ZONENAME-CaptivePortal.conf where ZONENAME is the name of CP zone to apply to.

can anyone help me i want to limit the amount of user that can be logged in the captive portal at a time

doesnt work for me too i saw this post before I post :)

@marcelloc: The steps are: enable captive portal enable squid3 select patch captive portal on squid and save config got to captive portal gui and save config again This way, captive portal rules will forward squid connections to captive portal page if not authenticated. It works great with or without squid transparent proxy enabled including bandwidth restriction! This not working on latest 2.1 snapshot, should it be? I am accessing here (un-authenticated) bypassing the CP using the proxy IP and port setup in firefox

I think I've more or less figured things out for myself.  I would appreciate any input if there's a better or easier way to do this. I started with a fresh install of pfSense.  I disabled all packet filtering because I don't want it doing any of that.  I setup the captive portal following Nexudus's instructions to work with their system.  I bridged the WAN and LAN ports.  I then assigned the bridge to its own interface and assigned it an IP address.  Then, on the client machine, I made the bridge IP address the default gateway. That seems to do the trick. When I try to browse the Internet I get stopped by the capture portal.  I can authenticate, then I'm online just like I'm supposed to be. Now I just have to get this configured to work with the Watchguard.  I've got to figure out how to block Internet access that isn't filtered through the capture portal because someone out there will be clever enough to manually set their default gateway to bypass the pfSense box. If there's a better approach to all of this please let me know, but I think this will work.

thanks a lot.. it will force me to define 60-70 ip addresses (voip, card reading terminals, ip telephones, ip fax devices) in Allowed IP addresses… Thank you again for your help.. @Nachtfalke: If you add the hosts to "Allowed IP addresses" or "MAC bypass" then this host will bypass CP and does not need  to authenticate. The rest depends again on your firewall rules. "Allowed IP addresses" can be defines in source or destination.

I reported the same allready in thread http://forum.pfsense.org/index.php/topic,60860.0.html and also in an older one with 2.0.2. The last activity date/time isn't updated (sometime for days). I attached a picture from today. I tried 2.0.3 beta versions and the current official final relase of 2.0.3. It isn't working. For emergency case I modified captiveportal.inc file to log wrong timeout times and I only accept timeouts if last activity is newer then login date. ??? Please fix this release. I hesitate to switch to 2.1 directly. Probably I would be better to do so.  

It's the same. You can't redirect HTTPS.

Found this: http://forum.pfsense.org/index.php/topic,34354.msg178417.html#msg178417

I solved my own problem by using the HTTPS name method mentioned in this post: http://forum.pfsense.org/index.php/topic,53846.0.html