I'm a noob when it comes to this so I had trouble setting up the internal Freeradius server too.  But I got it working by doing the following which I cut and pasted and mangled from another thread I found.  What was getting me was I didn't set up my client, just had the server running and added users - gotta have that client configured too…lol.

1.  Install the latest pfSense snapshot.
2.  Install the FreeRADIUS package (not available on the embedded platform).
3.  Go to Services/Captive Portal and enable RADIUS Authentication.
4.  Configure your Primary Radius Server IP Address = LAN port IP on pfSense box.
5.  Configure Shared Secret = your secret word.
6.  Click SAVE - very important or your settings won't take.
7.  Go to the Services/FreeRADIUS, select the Client Tab, then configure your client.
    Client IP = LAN port IP on pfSense box, Shared Secret = your secret word that you entered above on line 5.
8.  Again, click SAVE after your client is configured.
9.  Click the Users Tab and add your usernames/passwords to FreeRADIUS.
10. Did I mention, click SAVE after each user is added.

Okay, you should be good to go at this point.
Daxx

@egarnel:

It would be neat to have the ability to be able to serve up different portal content based on originating network though

see this topic for how to set that up

http://forum.pfsense.org/index.php/topic,5368.0.html

Uff!!!

Finally I got.

After many testing parameters, I obtained success results with this code:

// Testing (VSA) WISPr         $racct->putVendorAttribute(14122, 2, "Sao Paulo, SP", $type = string);         $racct->putVendorAttribute(14122, 1, "isocc=BRA,cc=55,ac=11,network=LinktelHotSpot,ha=Office", $type = string);

The result log message done:

WISPr-Location-Name = "Sao Paulo, SP"         WISPr-Location-ID = "isocc=BRA,cc=55,ac=11,network=LinktelHotSpot,ha=Office"

It is cosmetic only.

can somebody point me to a nice (step by step  ::)) instruction out there on how to setup cp?
tnx!

This can be done depending on you php skills.

if you look at /usr/local/captiveportal/index.php and add some extra code after line 167

portal_allow($clientip, $clientmac,$_POST['auth_user']);

along the lines of

if ($_POST['auth_user'] == userX){     header("Location: http://blahX.com"); }else{     header("Location: http://blahY.com"); }

I think this will work with radius or local users but not pass through MACs or IPs

That seems to have worked great,.

Redirects work!
Per Ip subnet redirect to custom login page works also

Thanks!

-Mark

dit you connect pfsense to a lan port of the netgear?

make sure that the client is using youre pfsense box as default router

Found it

/var/etc/captiveportal.html

Yes that complicates it a lot more.  After CP Auth a firewall rule is installed and at this point all normal CP checks are completely ignored and then a periodic cleanup script is run to cleanup sessions, etc.

Hello,

I have discovered is that if indicate him I to my computer where this the page of my captive portal:

Http: // 192.168.2.1:8000

It leaves me to accede to it and I can Authentication, then when I it my wireless net works perfectly.

This way that the problem this one in which when a machine detects the wifi, it connects for DHCP is it tries to open any web … it me does not work because the web page of the captive portal is not opened in browserof the machine in question the page of beginning of the captive portal.

Can you help me?¿?? I need taht my computer acces to captive portal!

Thanks

P.D.: SORRY FOR MY ENGLISH

I am thinking about using the following :

table <wan1loggedusers>{ } table <wan2loggedusers>{ } ... As much as there are wans table <wannloggedusers>{ } pass in on <laninterface>from <wan1loggedusers>to any route-to { <wan1interface><wan1gateway>} keep state pass in on <laninterface>from <wan2loggedusers>to any route-to { <wan2interface><wan2gateway>} keep state ... As much as there are wans pass in on <laninterface>from <wannloggedusers>to any route-to { <wanninterface><wanngateway>} keep state</wanngateway></wanninterface></wannloggedusers></laninterface></wan2gateway></wan2interface></wan2loggedusers></laninterface></wan1gateway></wan1interface></wan1loggedusers></laninterface></wannloggedusers></wan2loggedusers></wan1loggedusers> does pf accept a table as "from" parameter ?

The idea is to have a combobox in the captive portal with the following options :
Choose for me
Wan1 - <wan service="" provider="" name="" and="" bandwidth="">Wan2 - <wan service="" provider="" name="" and="" bandwidth="">… as much as there are wans
WanN - <wan service="" provider="" name="" and="" bandwidth="">Then two things can happen :
if the user selects "Choose for me" the captive portal code selects one based on current number of users and the weight associated to this wan.
if the user selects a specific wan he his routed to the wan he selected.

the wan information will be another section in the xml config file and the current wan number of users is stored in a temporary file in the ram disk or the harddisk...

What you think about this ?

I had to print and read the whole pf faq and study some other literature to come up with this solution.

Edit : I have almost ready code (a pascal test-drive code) to check if this can work.
the code is able to :

Add an loggin user to the pf tables of an wan (binding his traffic to a WAN) Give to the user an ammount of bandwidth in this WAN (dinamic) based on a table (If the wan is overloaded, split bandwidth evenly between users) [This uses dummynet, so, i dont know if works on pfsense]

if this code works (Can be compiled to freebsd) we can do two things : Convert it to PHP or use it as is.

the code will be released under the same licence as pfSense (Whatever this means).

Edit2:
The code compiles and works, the binary uses the following parameters

routemein <userlogin>-login <wan>to log an user into a wan

routemein <userlogin>-logout

to logout an user from a wan

the following files are needed :

/tmp/routemein/users.table
format :
<id><active><login><ratedown><rateup><currentwan><ip>/tmp/routemein/wans.table
format :
<device><alias><ratedown><rateup><weight>in those files any line starting with a # followed by space will be discarded as comment

theres auxiliary files, /tmp/routemein/lock wich prevents two instances from colliding (needs a more complex lock mechanism, i will pursue it later), and the file /tmp/routemein/current-users.<device>.table (one for each wan) that is used to store info about the users bound to wich wan.

im trying now to allow the dummynet feature to be disable (leaving only the pf code) or vice-versa (only the dummynet code). I think this will allow this thing to run on both pfsense and monowall. But i dont know if the dev´s really thinks my code is usefull…</device></weight></rateup></ratedown></alias></device></ip></currentwan></rateup></ratedown></login></active></id></userlogin></wan></userlogin></wan></wan></wan>

@doush:

I dont know about pf but in m0n0 there is an option which u can set  a UL and DL rate for all the users in the CP. But everyone gets the same band (it also has problems about unsymetrical bandwidth asignements like 150 DL 128 UL, systems halts after a period of time and GUI doesnt respond ).

So basically pf team is not considering anything like it ? (we are using DHCP so not possbile to queue per IP)

If not, is there any freeradius server GUI where you can assign band per user from the GUI ?

Thanks

What version of m0n0 is that? I switch to PF because I found that it was easy to limit bandwidth on the wifi segment. If I can do that on m0n0wall, i'd love to know where but I've searched and never seen it.

Josh

EDIT found it. thnx

I have that issue to, seems like a widespread issue for the Beta release for 1.2-BETA-1.  But after copying those files works great :).  Thanks.

If you have encryption setup, I would guess it isn't decrypting right, that is where I would start.