what modification?

please help…

Hi, I am also looking for script so that once my user login, they able to change their captive portal password. By the way I am using FreeRadius. Please assist. Thank you

@jimp:

There is support in pfSense 2.0 for vouchers that are time limited. That may be what you want.

can't wait for this :)

No idea if I use DNS forwarder, to resolve my URL…. ?

If my captive portal "HTTPS server name" is "mywifi.local", how can I activate an SSL certificate from namecheap.com ?

I ask, because during the activation process you need to receive an email at something like "admin@mywifi.local"…I guess I'm missing something, help please.

Thanks

Are you sure there is a problem here?

I'm not running pfSense, but the docs <http: tinyurl.com="" yc6yrvp="">say pfSense's Captive Portal feature supports RADIUS.  The RSA Authentication Manager, the authentication server needed to support RSA SecurIDs – hardware tokens or software token-emulation apps -- includes an 802.1x-compliant RADIUS server, built around the Juniper Steel Belted RADIUS. (The RSA RADIUS server supports both PAP and EAP authentication protocols, including POTP, TTLS, PEAP, and EAP15.) See: <http: www.rsa.com="" node.aspx?id="1166">and <http: www.rsa.com="" node.aspx?id="1167">.

Looks like a match! All the pieces are in place, so if it doesn't work, it can't be a major challenge to make it work.  (I'm a consultant to RSA so I know the SecurID world best. but I'm certain both the free and commercial versions of WikiD <http: www.wikidsystems.com="">are also fully RADIUS-compatible. I would be surprised if any commercial two-factor authentication system does not today support RADIUS.)

Suerte,
          _Vin

@vronp:

Hi all,

I understand the pfsense Captive Portal feature is similar to the Cisco "authentication proxy".

Has anyone tried or does anyone know if it would be possible to authenticate with a commercial or open source software token (WiKiD or SecurID) instead of going through a browser login/password combination?

thanks,
Dave</http:></http:></http:></http:>

If I not misunderstood, the firewall rule will be apply to any traffic after they pass the Captive Portal (including MAC/IP pass-through) I've not search for any official document about this but from my configuration, how I solve some issue, I assume CP block all port for unauthenticated traffic. After that the firewall rules applied.

Edit. I think I'm just get your point :-X You want to apply different rules based on "user" or just for "Guest"…I don't think I have that solution right now, but I'm planning to do so but with separate network segment for Guest only.

If you need specific customization, that you think are not present, there is paid support/development on portal.pfsense.org.

Though i think you can implement something with Radius  and 2.0.

I've found some workaround solution. Since my pfSense enabled both CP and transparent Proxy. I just go to Skype -> Option -> Connection. empty all check boxes. Choose proxy type as HTTPS and fill in my pfSense LAN IP and Squid listening port (I've change to something other than 8080 or 3128) and Skype can successfully connected.  ;D

This is not a good solution since some user may notice and try these IP/port on IE proxy setting. I'm now thinking about having the other dedicated proxy server to take care all of skype connection and control the HTTP filtering there. The problem is how to indicate which traffic is from skype. May be regex on MIME type should work.  8)

PS. I've try this on MSN but MSN allow proxy setting through IE only. There is SOCKS5 option which I never try yet.

Up please

Dear Briantist,

I´m so thankfully .. maybe I forgot this option "File Manager", such as the same thing that I tried before.

File Manager input files in /var/cb/cpelements, but when I tried to refresh login page simply Images aren´t work.

But finally everything works =) really really thanks.

Now CP works w/ images and css.

Closed case.

Regards,
Heitor Lessa

We do something similar at my university.  However, for security I'd try a different approach:

LAN - Wireless AP's
WAN - Actual connection out through modem
OPT1 - Internal network.

This is what I use at this school and it works great.  Just set up a RADIUS server on any machine on the internal network and point the captive portal at it for RADIUS auth.  Setting up IAS is pretty easy, and NPS is even easier if you feel like moving to Server 2008.

Quick note - double check your ports that you're using in IAS.  W2k3 doesn't use the same ports that pfSense does by default and that messed me up for a bit on my first setup.

Combine it with decent traffic shaping and consider Snort to fulfill your "we tried to stop them" legal requirements for p2p prevention.

If you don't need squid on that interface, just disable it from listening on that interface. If you do need squid, but it's running transparently, try blocking access on that interface to port 3128. Of course in both cases I'm assuming you're running CP on an OPT and that it would be feasible to block only those users on that interface.

You create an alias containing all the IPs of your "internal" users.
Then create an alias containing the IP-range of your "external" users.

Set the DHCP to assign unknown users an IP out of the "external users" range.
All your internal users are configured on the DHCP server to always get the same IP.

When creating a firewall rule you can define to which gateway you want to send traffic.
Now create two rules.
One for the internal users and one for the external users.

Of course if an external user assigns manually an IP out of the "internal users" range he can use the other WAN.
But from the way you describe it (since you allow guests on the same network than employees) security isn't that much of a concern for you.