Easily possible, no. Anything is possible with custom development. That's not an easy or quick process though.

@Alan87i:

Bummer
Any word on when that might happen?
Is your radius2 package running on 2.1?

Do you know if I can accomplish what I want too do with M0nowall?

They want to release pfsense 2.1 on world IPv6 day - someone in june as far as I know.
For pfsense 2.1 all freeradius2 binaries needs to be recompiled and .pbi packages needs to be build. The compilation of the binaries did another forum user for me who has more knowledge about that.

I didin't ask him about that till now because he seems to be very busy if I follow his other posts.

Monowall:
You can try the CP of monowall with freeradius2 package. perhaps it will do accurate accounting but I don't know.

I unchecked "Reauthenticate connected users every minute" option in Captive Portal and now the time counter is worked well as I desire.
:) Thanks @Nachtfalke for your help.

@jameson:

http://doc.pfsense.org/index.php/Captive_Portal_Vouchers
http://forum.pfsense.org/index.php/topic,41658.0.html

Sorry, can you explain better?
because it still doesn't work.

Thanks for help,
Bruno

http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#FreeRADIUS_Plain-MAC-Auth_as_802.1X_request_with_Captive_Portal

Using freeradius2 package and 802.1x mac auth.
Create a user for each pc's mac address.

I have just set this up on a test machine. And it works  as far as the bandwidth limits per mac address. But The usage limit is bugged for me anyways.
A few mistakes I made along the way.
in CP  the IP for the radius server= use the lan ip of the pfsense box. I tried 127.0.0.1 and it doesn't work.
MAC address format leave on default then just copy and paste mac's for each new user from the dhcp status page. All users will have the same shared secret that you put on the CP page.
On CP page top set an idle time out say 60 minutes or so then get rid of the hard time out. leave it blank.
Accounting updates I've tried both but start stop should work fine for speed control.

well I'll try IT
thanks  for your help :)

@anatolidt:

hadi, alan,

do you experience this always or only sometimes, maybe when your box was running for a long time?
What packages installed?
On my testbox only pfblocker and pfflowd installed, squid-reverse removed.
nothing special…
Can't be hibernation mode that irretates pfsense...

I"m using mac auth and noticed this with a fresh reboot setting the DL limit too 1 gb per month then after it lost connection from downloading a 1.2 GB file , all I had to do was refresh a page and I was back on the net.
No other packages except freeraduis2.
I figured i was setting something wrong.

I think you can install a local syslog server, but I would not play with this on a security appliance unless the core devs plan to implement writing logs to disk. But maybe this wouldn't be such a bad idea since pfs 2.0 was aimed for hdd install and you get plenty of space today at minimum which is totally unused. On the other hand, when switching to ssd this changes again…

I've been messing with this with two laptops wired too the lan /switch in line.
The only way things sort of work is with these settings

FreeRADIUS Plain-MAC-Auth as 802.1X request with Captive Portal

FreeRADIUS configuration
        Disable Plain-MAC-Auth on FreeRADIUS => Settings
        Enter the MAC address of the host in the following format (11-22-a3-bb-44-af) in FreeRADIUS => Users
        Enter the password for this MAC address. We will choose blaaa in this how-to. Read the following steps fo fully understanding!

Captive Portal configuration
        Enable RADIUS MAC authentication
        Enter the same shared secret here you choose above in FreeRADIUS => Users. This field must not be empty! This is not the shared secret which is used for communication between NAS(CP) and the FreeRADIUS server. I used blaaa as I wrote above.
        MAC address format. In general you can leave this on default or any other option because FreeRADIUS is converting the MAC address (Calling-Station-ID) into the correct format. To be 100% correct choose here ietf

The one problem I seem to have noticed Is the speed limits .  Have to set this in CP , And in radius I set a different speed for each laptop.
Both run at the same speed The default CP setting.  If I set this to 0 I get nothing. If I uncheck the box in CP I get nothing. As in no connection through the WAN.

Another question
With this setup on the LAN say I have an OPT1 interface with a static route too another lan . Does CP limit the connection speed through this connection as well?
Thanks
Allan

Are you asking "Can a web page distinguish a "public VLAN" user from a "802.1x allowed user" so that registration or authentication can be invoked?
If that is the question then I suspect the answer will generally be "no". But there might be some specifics of your particular configuration that would allow that distinction to be made.

I'm sure it would be of interest to people, maybe not at this instant, but I would recommend posting it regardless as I'm sure someone will find this at some point and want to see it.

There are some APs out there that work in a bridge mode where they don't forward on the client's MAC. I have a couple of them, EDIMAX somethingorother model. It's impossible to use more than one client from behind it in AP client mode from what I could tell.

Yeah but you can 'implement' authentication with mac-address/ip of the device.

@canefield:

Q1: lends Captive Portal itselfs to do this? Should I use another program/package?

CP can be used in such a scenario, however if you expect this to be a permanent setup, you might also want to look into using PPPoE as alternative.

Check the posts by luke240778 to see the kind of issues that you might encounter.

@cmb:

that's not true, it means the system's routing table and will use its default gateway.

Then my original question still stands. I have outbound NAT rules for both WAN and OPT.
The OPT->* firewall rule allows Captive Portal users to access the internet. However Internet access only works if I set the rule to use the WAN gateway (or the failover gateway group). It does not work if the rule is set to use the default gateway. I must remove the BACKUP gateway from the OPT interface settings in order for Internet to work with the default gateway in the rule.

0 checksum would just be hardware checksum offloading. Can capture from the destination to get the checksum that's actually on the wire.

Oh I just noticed your captive portal is way over on the left side of that diagram, I assumed it would get dropped in where the AP is. That's not possible, it's not possible to use any CP when it isn't inline in the network path to the Internet.

@dhatz:

Well, there has to be some in-line device that coordinates this type of functionality, unless the WAP itself has what's needed (e.g. some people do the CP functionality in Linux-based APs).

If you really want this to be: Cisco LWAPs -> L2 switch -> DSL line, then you'd need to check what options those WAPs offer you.

that's how I  have it .. they are not LWAPS thought not lightweight, cisco ap - l2- switch - dsl line … I just can't put a cp server in every location, cisco aps 1200 series don't offer hotspot. anyhow thank you for your help.