Just nmapped our captive portal here… And its not doing this.

nmap -P0 10.0.0.80

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-03-24 12:49 EST
All 1668 scanned ports on 10.0.0.80 are: filtered
MAC Address: 00:00:24:C1:F7:71 (Connect AS)

Nmap finished: 1 IP address (1 host up) scanned in 36.169 seconds

actually I had to use Auth-Type== local, instead of system which is defult… in that case it will fall through all local modules installed

yep u are correct, everywjhere exept the part tha MAC addresses are sent during Accounting-Start…. all other junk thta I dont care about is sent when Accounting-Stop is sent :-(

ok, sounds good, but that is not going to ahppen any time soon :-(

Not at the moment.

Alright, good to know  :)

@Gertjan:

@jeroen234:

most browsers block the popups

Why not explaining on your main Portal web page that users should/could use IE->Utils->Blocking popup windows->Parameters to block publicity-> [[b]add the opt1 IP : i.e. 192.168.2.1] so they would receive a 'disconnect' windows, from pFsense only.

That wouldn't work, as depending on which page the user tried to access the captive portal popup page appears to be from that side and not the pfSense. Try going to google.com when not authenticated. you would have to allow popups from google. next time you hit it by going to myfavouritesite.org and you would have to enable popups from that site…doesn't work. I would rather like to see a single line small frame at the top of the next page after authentication to give the user the possibility to click "open logout popup" along with a note as most browsers allow the popup when the user clicked on it.

for what i typed you do not need vlans
every accesspoint can do this for the access point is the data from normal clients and the vpn clients the same
both are using opt1 but the data of the vpn users is protected in  a tunnel between the vpn server and the client and running on top of the normal opt1 ipadresses

with this you have normal clients surfing  using the portal on interface opt1
and the protected clients are surfing with a vpn conection to the vpn server of pfsense on opt1
but the vpn server is also conectebol from the lan or the wan interface

the data of normal clients on opt1 every one can read
the data of the vpn clients on opt1 is only readebol for the vpn server an the vpn client

You could do something like that by using an external radius server and a frontend to create temporarily users in that one that get deleted after a given amount of time and let pfSense check against that. However you'll always need a user and password combination but to simplify things the user and pass could be the same pin.

:D  finally got it working…  created a firewall rule to permit dns traffic... seems to work ok now :)  Thanks to everyone for their sugestions  :-*

@jeroen234:

i have this to but
by me its not the fault of pfsense
i use a wds link between 2 accesspoints and this is the problem the ip from the secend ap is sent wen you use the portal and not that of the client that usees it afther the login
so 10.141.254.251 get access but the client 10.141.254.241 don''t get it and get the login page again
this is a problem of the wds link

mebe you have a problem simelur to this

Yes, is this the problem. I use Pfsense back of AP in WDS mode. I see the log of captive portal and assign pass for the ip of the last WDS link. What is the metod for resolve this. One is use a wireless adapter card (not a ethernet card), other method is make my WRT54G AP in mode client Bridge ( if possible this?). I have another alternative?

Only can say "it should" but waiting for your confirmation along with some info from you on the steps at http://doc.pfsense.org/index.php/Chapter_10:_Example_Configurations ;D

Ive seen some cases where you add the HTML table "string" where it has absolute position in all pages that users are opening, so there is no pop ups, but then its annoying

if you are cheking MAC & IP combination what is exacty the pint of it? Because normally the IP would be issigned rendomly to anyone unless you have staticly assigned IPs to the MACs but then you alredy know that the client is what it is because DHCP by itself cheks the MAC and gives it an IP

Well unless you want to fight agains spoofing in that way, but then it wont work too…

What do u want at the end?

Ahh, thanks for the heads up.  I browsed to http://pfsense.er33t.net/tutorials/cp_config/ and I will download the .sfw manually so I can track the download progress.  I couldn't imagine why a html file took so long to d/led!

Okay, I'll be syncing m0n0wall 1.21 capitve portal in a bit.

Thanks for the info.

Is your Wireless bridged to another interface?
Is it working with same configuration if you disable the captive portal?
Also please consider upgrading to 0.95 (newest version while typing this).