OK, thanks. I'll be able to check that.

You can authenticate the CP users agains a RADIUS server. You can use freeradius to connect it to your AD or you chose Windows RADIUS server.

And - if I remember correct - you can authenticate the CP against the pfsense "local user database" which can be connected to your AD. But I am not 100% sure if this is correct. When you use pfsense you can go to SYSTEM –> User manager --> Server and check the opions there.

I know there are some threads covering this topic. probably best would be to search for "captiveportal" and "active directory".

Thank you Nachtfalke.

I check my Nas/Clients and now it works.

Actually my mistake was hoped that the interface connection.

=)

I think this is not possible.

If pfsense is not the gateway for your clients your clients will not send any traffic to pfsense but just bypass pfsense and send it to fortigate.

Not sure if it is working with on NIC on pfsense but if pfsense is your DHCP then the clients should use pfsense as the gateway.
Allow all ports in the firewall for the clients and then the clients do hagve full access through pfsense but need to authenticate on CP.
After that pfsense will route all traffic to the fortigate firewall/router.

You can disable NAT on pfsense so that there is just routing.

Another possibility could be that you try to run pfsense in bridge mode. So no routing and no NAT on pfsense.
pfsense is just another "client" on the LAN. But the gateway still needs to be pfsense and pfsense will redirect it to fortigate.

Yeah just had a very quick play.

What a shame it can't have user groups.. :(

TT

I thing have the same problem, try this:
@alltime:

One thing I might also add, we simply added our DNS server addresses to the Allowed IP list and that resolved our problem.
We were experiencing exactly what you are.

@Nachtfalke:

Whe you want to connect internet from LAN to WAN then you must do the following:

Enable the CaptivePortal on interface LAN (and not the WAN interface).
The clients on the LAN network must use the pfsense DNS forwarder als DNS Server or it will NOT work.
On LAN interface you must at least allow the port 8000 which is the CP.

I enable only on LAN interface, 8000 allowed. This didn't help me.

@alltime:

One thing I might also add, we simply added our DNS server addresses to the Allowed IP list and that resolved our problem.
We were experiencing exactly what you are.

Thanks a lot! This helped me!!!! :D
Very big thanks. Problem solved.

Hey Des,
You are right. I'm using it right now. I don't feel too secure with my Proxy Port (3128) is available to the public (I'm w/ a WiFi deployment.) So I want to block direct connection to it so that the DNS Forwarder service will kick in and land them right to my Captive Portal Auth Page.

restartcaptiveportal(file in phpshellsessions folder)

require_once("captiveportal.inc");
captiveportal_configure();

this worked for me with extra log entries but kicked all users out

the ssh command is

pfSsh.php playback restartcaptiveportal

The OP refers to a situation where the new CP user tries to initally load an https URL (for instance, https://google.com as opposed to http://google.com)

You could redirect his initial connection to e.g. https://google.com to your own https server ("impersonating" google.com in order to further redirect him to your CP login page) but unless the user's browser has loaded your CAcert, it would result into various scary-looking warnings by his browser about "problems with the security certificate" recommending to him to close the page.

likely you're breaking DNS by not using the DNS forwarder or permitting the DNS server IPs

You can use aliases.

As far as I know this optin just means which IP address should be sent to your radius server when there are packets coming from CP.
http://freeradius.org/rfc/rfc2865.html#NAS-IP-Address

My solution is ;

Allow my dns server in the Mac Pass through list.

And everything is working now

There are timecounters included into freeradius.
The one is the "db.daily", "db.monthly" and so on. This can be used without sql database and is just counting the time the user is connected.

Another possibility is to use the same counter module but a sql database to do the counting:
http://abechik.wordpress.com/2007/03/15/freeradius-disconnected-user-when-time-limit-exceed/

But it is always for the connected time but not the offline time of the user. Perhaps you can do some tricks on the sql database to solve this.

No bandwidth limits in CP, I will try your tip and let u know, thanks!!!

it isn't html but it might help you out?

  if (!empty($_GET['act'])) {     echo "Hello world!"; //Your code here   } else { ?> (.. your html ..)   } ?>

you'll need another machine with mysql p h p & apache  and a radius manager such as daloradius which can generate the prepaid usernames and passwords. with a download and/or upload quota
a dd to that pfsense 2.02 which fixes a bug in the captive portal accounting.