oh my logic was poor - all the users sessions will have that same 'unique' ID.

Not sure it matters though.

@dansgul Hi Sir sorry to interrupt.

We have the same problem Sir and I already apply 'Fix Captive Portal handling of non-TCP traffic after login' the Reboot my pfsense but still don't work.

This is my case Sir.

"I really need help with my issue. I have a Active Directory LDAP and I bind it on my pfsense(Working good) then I configure my Captive Portal on my pfsense.

My problem is after I login my user credentials(LDAP AD) I can't access internet. BUT if I disable my Captive Portal my internet is working good and I can browse any sites.

P.S. My DNS and DCHP is on my window server."

@rm said in Captive Portal certificate issues:

I might be out of luck.

You have a certificate, so you have( you rent ) a domain name.
Depending on the registrat you have, you can use the acme.sh pfSense package to obtain a domain name for your portal https access : no more need for Comodo, no more need to install the cert each year.

Let's say you domain name is "my-network.tld".
use acme to ask for a certificate with these two SANs :
pfsense.my-network.tld
portal.my-network.tld

Now you can use this cert for the GUI access, and the captive portal access.
I presume you access your captive portal from 192.168.2.0/24 and this interface will got grant access to the pfSEnse GUI. A captive portal 'should' be using its won interface, and this should not be LAN ( It is possible, true )
The standard LAN 192.168.1.0/24 has access to the pfSEnse GUI.

Un check OCSP stapling ( before you request a cart ) and issue solved.

@rm said in Captive Portal certificate issues:

MY test site seems accessible so hopefully the CA hosts above will be reachable

Be careful. OSCP requests from a browser are cached by the browser. So when it seems to work, the info used was available locally. When the cache times out, the request is made again.

@guntery

Like https://www.youtube.com/watch?v=RS0nMVxPznY ?

It's not as simple as the classic local auth with the build in captive portal web server.
I've tried it ones, long time ago, just to see how it works and if I could make it work.

See also here : https://forum.netgate.com/topic/137979/what-happened-to-pre-authentication/2

Looks wrong to me but code in that area is already being overhauled significantly and is going to be irrelevant soon, so it may be moot.

@michmoor said in Captive Portal stopped working suddenly:

.... for that.

Not needed. And ok anyway.

@michmoor said in Captive Portal stopped working suddenly:

but the symptoms are the same as others reported

Just for me, to check, to what forum messages are you referring to ?

What you can do at any time if you suspect an issue :
Don't reboot yet.

Inspect with 'ipfw' the tables guestwifi_auth_up and guestwifi_auth_up
Every MAC + IP must correspond with this list :

aa7fb9cd-2abe-43a2-91ef-044990b9c5d9-image.png

If you see in the GUI a connected client that is not present in the two ipfw tables, there is an issue.

@michmoor said in Captive Portal stopped working suddenly:

I did have the option "Preserve users database" checked.

This means that, upon boot, the list ( the data base file where all the connected users are stored )is used to create the corresponding entries in the two tables guestwifi_auth_up and guestwifi_auth_up.
At that moment, the devices using their MAC, and the IP, can pass.
If, for example, the device changed it's IP, well, the, yeah, it's blocked. But the client should be able to login again.

@michmoor said in Captive Portal stopped working suddenly:

Once I unchecked that and rebooted it

This is what was the default behaviour in the past.
Upon boot, the ipfw tables guestwifi_auth_up and guestwifi_auth_up. are empty, and the "connected users database" ( this file : /var/db/captiveportalcpzone1.db, an PHP SQLite file ) is reset to zero (zero file length ).

Btw : please confirm : You have installed the System_patches pfSense package, and activated the path I mentioned above ?
If not, pfSense 2.6.0 (and CE probably) is pretty broken. And not for the last days or so, but since you upgraded to 2.6.0 or 22.01.
I do think you did, as :

@michmoor said in Captive Portal stopped working suddenly:

00999 1719125 469279395 allow tagged 1

Looks like you did, but I'm not sure.

Also : if everything was working fine before, and nothing changed (no major upgrades) then the issue is most probably 'not pfSense' or the settings. Something else changed.

and, update also pfSense itself, it' "2.6.0" these days.

When done, see this thread : https://forum.netgate.com/topic/171351/needed-configuration-for-captive-portal-mac-authentication-using-freeradius-macs-tab/2?_=1649259637873 which looks like your question "Needed Configuration for Captive portal MAC Authentication using Freeradius MACs tab".
I'm not sure that what has been said over there is also valid for old version like 2.5.2.
Maybe it is. Maybe not.

@danicavini
Thanks, i will try it !

@gertjan Thanks for the reply, I know this is a old version... We have a quite long qualification process

I have already tried the radiusd -X some time ago but it was so verbose that I didn't find anything usable. I will give it another go and continue searching for a fix

Thank you again !

@kapvcop said in How tracking a user:

for example, User, Mac-address xxx, on that date, connected to the service

Go have a look at Status > System Logs > Authentication > Captive Portal Auth

@kapvcop said in How tracking a user:

I don't know if it is possible, for example, to force the person to use his email to validate her entry

pfSense permit you to create your own login page, a html file that can contain also PHP.
Store the email as the :

<input name="auth_user" type="text">

so the mail will also get logged.

Be aware : IPs can be forged, like the MAC, and very often people don't type in their email address correctly, or use something else ;)

edit :

There is a way to validate the email address.
Make your own login page ( the "Portal page contents" - see Captive portal settings), and ask for the mail. Hide the password on this page so the user can't enter one except his mail address. When the user validates, the login will fail, and the error login page ( "Auth error page contents" ) will get shown.
On this page the portal user sees the email again, and can now enter a challenge code.

I advise you to use the FreeRadius page, so you can store the email and the randomly generated challenge code in the back end SQL database. This challenge code will be the password that the suer should receive by mail, and will get asked on the second, error page ( "Auth error page contents" ).
So, yeah, use the FreeRadius package, so you don't have to interface with the internal pfSense user manager.

Be aware : you will have to modify a pfSense script file ( this one /etc/inc/captiveportal.inc ).
And worse, you have to know how to add rules into ifw, the firewall used by pfSense for the captive portal. The thing is : when the user initially connects to the portal, everything is blocked. You will have to open ports : 110 (POP),143 (IMAP) ,993 (IMAPS) and 995 (POPS).
Have a look here.
You also need the manual of ipfw used by FreeBSD..

Inform the user that only mail clients are supported, not web mail access, as web mail would imply that you have to open port 443, as this is the port every https web servers uses. Doing that will render you captive portal useless.
With these 4 ports open, clients can receive the mail you've send with pfSense upon first page validation, to get the challenge code.

Implement this and consider that you passed a above average firewall admin exam.

Take note : upon pfSense update, the "/etc/inc/captiveportal.inc" will get overwritten. You will have to re implement your "ipfw rule creation" where you aloow ports TCP 110,143,993 and 995 (probably a PHP line or two).
Be assured, yu can use PHP? it's worlds most simplistic scripts language, and looks like BASIC that everybody used in the eighties/nineties.

@gertjan As always, thanks for the response and thoughts.

Since we were still having issues we did move to 22.01 (aka 2.6.0) last night since (a few hours before you responded) since I saw substantial changes to captive portal. I did see the UDP/ICMP issue and applied the system patch too.

The issue only comes up every couple weeks so we'll have to give it time to see if it keeps happening.

I appreciate the warning on the limiters. We do use them, but can live without them for a while.

--Andrew

Thanks a lot for the tip
Regards
Pierre

@jenskiebee said in will not appear the sign-in webpage on IOS:

think

I use the pfSense captive portal for a hotel.
I do not instruct people - hotel clients -how to connect - I give very few information.
I presume they all know that hotels have captive portals. That is, no one even knows its a captive portal. It's just a wifi network called "MyHotelWifi", so people connect (think about it : they are actually that stupid .... )

I do not know what device they use, it could be the latest iPhone Pro 13, the green version, or some ancient Welcome device from Amazon. A PC with any OS, a tablet ? I don't care.
All these devices, as they are all 'portal aware', do the same thing : upon connection to the portal network, mostly Wifi, but it works just fine with a wired connection, the device should use the very default DHCP negotiation.
If the device is suing static IP settings, it's game over. The portal won't work, as does classic networking most probably (that is, it could work, but settings must be right).
When the network layer is set up, the magic happens.
This magic is part of the device, the OS used. A captive portal is not a pfSense thing, it's supported and handled by the device the client uses ( !! )

After the DHCP sequence, you can see what the device (my iPhone) does :
( Status > System Logs > System > GUI Service )

03-21-2022 08:50:51 Local5.Info pfsense 1 2022-03-21T08:50:52.000000+01:00 pfsense.local.net nginx - - - 192.168.2.222 - - [21/Mar/2022:08:50:52 +0100] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1641 "-" "CaptiveNetworkSupport-428.0.0.0.1 wispr"

You can see the encoded

http://captive.apple.com/hotspot-detect.html

because I'm using a captive portal, the http (port 80) traffic gets redirected the captive portal web server (nginx) of pfSense, which runs on port (my case) 8002.
This will not return the expected word 'Success".
This means user interaction is needed, as their might be a captive portal.
No web browser was open at my iPhone, so the iPhone will launch a stripped down Safari instance, and repeats the URL.
Now the login page shows on my screen, as by magic.

Keep in mind : it is not the captive portal web server that pushes this info the the users device.
It's just a classic http url that got redirected to another url.
Because http accepts redirects, the OS follows the redirections, and shows the page.

You know : this will not work with https requests, as your browser will refuse redirects to other urls (that is, you browser will redirect, and also retrieve a certificate. This certificate should contain the domain name of the url).

I am using the https version of pfSense captive portal. This works because the initial http:// got redirected to a https:// page. This https:// is the local captive portal login page.
After successful login, the pfsense captive portal takes the "&redirurl" argument, which should contain the original url, and redirect (again) to it. The portal firewall is now open for this device, the initially request page shows up.

If the captive portal doesn't seem to work, look at troubleshooting Captive Portal.

On the pfSense side, there is one thing that should work perfectly well. It's the same thing that most admins think they understand well. Its the same thing that they "break" : DNS.
The default pfSense DNS settings will do just fine.

@undrblack

Without knowing the details :
When you remove the 'virtual' part, that is : running pfSense with 3 real networking interfaces, bare bone, your issue will be gone. I can imagine the vitual interfaces / switch can be set up many ways, some of them could be wrong ?
See also Virtualization ! if you have a Windows 10 (Pro) orMS SErver : use the build in Hyper-V : I've one running iwth Hyper-V, and it works fine. There is a detailed step by step setup guide in the doc.
When a client connects to the Wifi, can you see the DHCP server log 'lease' attribution on the right interface ? What was the IP/mask/gateway/DNS received on the client ? That info should correspond to with the pfSense portal NIC.
pfSEnse doesn't handle the the AP <=> Client radio (wifi) connection.
if the AP is an AP and router, the pfSense portal only sees the IP and MAC of the router, not the IP and MAC of the clients. Ones a first client is logged in, all the others will pass without seeing a login screen.

@gertjan Okay. this is another screenshot without power being off or reboot
Screenshot.png
You notice it was 6184 MB and it went back to 6 MB

@stephenkwabena

No actual commands.
I was using a mouse.

If you don't know how to look at a file :

@gertjan said in PFsense 2.4.4 FreeRadius Mac Address Authentication Qouta:

Have a look at /var/log/radacct/datacounter/daily/ - see the files yourself. That makes under stand things much faster.

or what it means, then IMHO : it's not worth looking.

You could use the pfSense GUI, or, go for a free program like WinSCP.

@johnpoz
Hello
You are probably right.
The reason i am using the wan port, is that the pfsense box is just added to the existing network and not using it as a firewall but captive server. There are diffrent servers running on the lan and i am not familiar with pfsense yet and, i suppose i get lot of trouble if i connect the box between ISP router and LAN. There was a lot of work and studying when the isp router was setup with openvpn and forwarding to diffrent servers. I assume if i connect pfsense in between i would need to forward everything through the pfsense.

Would it be better if i connect my local network to the LAN port and use it as a gateway for opt1 ? leaving wan disconnected?