hi
thanks from Calvin Bui for this post, i found a way to create a login page that show only voucher filed.
i change this particular code to :

<div class="form-group"> <input name="auth_voucher" type="text" placeholder="Voucher" class="form-control"> </div> <input name="auth_pass" type="text" class="hidden" value="password"> <input name="redirurl" type="hidden" value="captiveportal-success.html"> <input class="btn btn-lg btn-success btn-block" name="accept" type="submit" value="I Agree">

Hello.

Thanks for the feedback.

I managed to solve by creating a record in the radcheck table, with the information of Session-Timeout and Idle-Timeout.
Only then does pfSense disconnect expired users.

Gracias.

@viktor_g Hi Victor! The webui certificate has < 398 days but the Freeradius certificate is 10 years. I will try setting up a new Freeradius cert with < 398 days lifetime to see if that resolves the issue. Thank you!

@ghassen said in Allowed-hostnames not working.:

I have disabled both the DNS Resolver and Forworder if that's what you mean.

And then how is client on your captive portal suppose to look up www.google.com then? Do you hand them external dns that you allow through captive portal?

@Gertjan stated - working dns is a MUST for captive portal to function.

Where does pfsense point for dns? When it finds the ip for www.google.com better hope it matches what the client finds when it does query.. Pointing to different dns can exacerbate problems with mismatch of IPs..

Ok, I am done. I am using OpenLDAP for Authentication Servers. Now everything work fine. This is my configuration:

Screen Shot 2020-08-08 at 10.44.17.png

Screen Shot 2020-08-08 at 10.44.28.png

Screen Shot 2020-08-08 at 10.44.54.png

Screen Shot 2020-08-08 at 10.55.38.png

Now user 'direktur' can login to Captive Portal 'Direksi' but can't login to Captive Portal 'Dokter'.

Screen Shot 2020-08-08 at 10.49.05.png

Screen Shot 2020-08-08 at 10.49.16.png

@Gertjan I have two systems both 2.5-dev version . second system is up to date always. I keep an eyes on all updates and bug fixes (redmine) everyday i am testing both system in different ways.

second system i didn't apply any patch and people can reuse voucher on other device so they get disconnected from old

Aug 3 13:00:03 logportalauth 38072 Zone: campco - CONCURRENT LOGIN - TERMINATING OLD SESSION: 9478394944, 7c:78:7e:4d:1c:43, 10.10.21.188

Moving soon to FreeRADIUS base solution which has no issue with concurrent logins. I have already done initial testing in production environment.

@Gertjan said in Newbie need help to merge pfSense Captive Portal with old Linksys WRT54GL hotspot feature:

@ha11oga11o said in Newbie need help to merge pfSense Captive Portal with old Linksys WRT54GL hotspot feature:

Also on router i have WiFiDog and Chillispot. But my problem is that i dont know what to use as redirect page to pfSense machine.

The "page to redirect" etc does not concern pfSense at all. You'll be using the hotspot's facilities of the AP, there is nothing to be done on pfSense.
If you set up the AP on the WAN side of pfSense, the question is even less relevant, as the traffic isn't seen by pfSense.

For help about the hotspot's (DDWRT) : see their forum. I don't know what Chillispot is, neither Wifidog.

You can also transform your WRT54GL as a simple AP - I'm using several of these Linksys/Cisco routers, with the DDWRT firmware - and activate the portal on pfSense.
In that case, I strongly advise you to use a dedicated interface on pfSense (a third interface) for the portal, leaving the LAN for trusted devices - and the OPT1 interface for the non trusted devices, as are portal users by default.
I you choose to use pfSense for the portal management, start by looking up the Youtube site on the Internet. Then locate the Netgate channel, and see (several times) the Captive portal and DNS videos. When done, a portal can be set up in less then 10 minutes.
Remember : keep it simple at first.

Well,

you definitely pointed me right way. I do want that pfSense is handling portal and WiFi just to be "radio" device for that.

Thank you.

Dear @soheil-amiri
No need to use freeradius in pfSense. Just deploy MS Radius Server and integrate it with pfSense and send your own attributes and that's the best way I'm using.

I have reviewed and its true its timing out on correct hour. however i think it has something to do with timezone since I changed the timezone. captive portal login uses the default timezone and co timeout uses the system timezone. lol

Issue created: https://redmine.pfsense.org/issues/10798

@Gertjan Okey, thanks. I will do that.

There might be a 'pfSense' limit, but you will not find it out.

Handling a voucher roll with thousands voucher needs a special way to handle used and unused vouchers.
Will that be you using a print out and a pencil ?
Some excel sheet that you maintain by hand ?

When things get messy, it might be easier to remove the roll, ans start using another one.

Btw : the bit numbers determine the seed, so there will be a limit for sure.

The ipfw firewall rules, put in place when the captive portal is activated, start with some rules letting through DHCP traffic. It's part of the default rule set.

When a device is hooked up, can you see DHCP traffic (DHCPDISCOVER) in the pfSense DHCP logs ?
If not, NIC is bad, cable is bad, or some switch device between user and pfSense.

Btw : you should keep LAN for admin purposes, and use a second interface - OPT1 - for the portal.

If remote admining is needed, use OpenVPN

@wakasavan said in DHCP Stop Working when captive Portal is enabled:

As long as captive portal enabled no Internet at all.

That's what a portal should be doing.

@wakasavan said in DHCP Stop Working when captive Portal is enabled:

I repair the the firewall but there is no issue there

What do you man ? You repaired something that wasn't broken ?

@wakasavan said in DHCP Stop Working when captive Portal is enabled:

Firewall can be accessed via WAN link but from local interfaced it is not working.

If a portal is activated on that LAN, then,except for obtaining an IP, nothing should work.
Exception : DNS requests ! Check that. But ok, if the device can't get an IP, all will be down.

@wakasavan said in DHCP Stop Working when captive Portal is enabled:

There was a power outage for a long time

The power of pfSense was shut down using the way it should ? Do you use a UPS ?
The file system is clean ? ( see very recent Netgate video on Youtube).

That's the one - or actually one of the two solution proposed.
It's merged again 2.5.0 so it will haunt the 2.4.5.x series for long time, except if it can get backported.

https://redmine.pfsense.org/issues/3128

@soheil-amiri do you have any news about your issue? I'´m, trying to implmenet a similar scenario. My scenariou include FreeRadius with LDAP background authentication for WAP2-Enterprise authentication.

I setted up FreeRadius and background LDAP authentication, i tried authentication form pfsense, and works well.

But when i'm trying to authenticate users over WPA2-Enterprise SSID, i have authentication errors.

my users file config:
DEFAULT Ldap-Group == "cn=account-users,ou=wireless,dc=example,dc=com"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "1010"

Errors Logs:
jul 3 18:53:55radiusd98680(39) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [radiuser1] (from client AP_LAB port 0 cli 92-1F-E6-B9-E9-1E)

Jul 3 18:53:55radiusd98680(38) Login incorrect: [radiuser1] (from client AP_LAB port 0 cli 92-1F-E6-B9-E9-1E via TLS tunnel)

Can you help me?

If your files used-octets-* do not get emptied - but actually get filled with "0" it might be this line :

echo 0 > "/var/log/radacct/datacounter/$TIMERANGE/used-octets-$USERNAME"

Add a echo "used-octets-$USERNAME was emptied" line to see if this line gets executed. Check the logs to see the log line.

used-octets-* are empty, it's not filled with "0"

Unfortunately, with the 1st power failure, I got both used-octets-* and backup-*.log empty (all files size is zero)

I wish I could catch the root cause.

@curvian said in Captive Portal + freeRadius 3 + MySQL (PFSense 2.4.3):

@Gertjan Could you tell me what this screenshot is from?

Yes :

@Gertjan said in Captive Portal + freeRadius 3 + MySQL (PFSense 2.4.3):

(the image is part of the FreeRADIUS => Users => Edit => Users page.)

Maybe I should add : pfSense, when added the FreeRadius package

thanks for answer, at least somebody confirmed my suspicions. i know that it is impossible to track all CDN IP addresses, and that sucks because I had very big expectations about pfSense captive portal. Looks like we can not use it for our purpose..

No ;)

An image : the other Redirection issue - 2 inch lower :

8d72916b-452d-482b-8c5c-086bfa63a5b8-image.png