@free4 some model of Android phones such as Huawei allow you to configure your phone as a hotspot router while connected to another hotspot router with a simple click of button.

@Gertjan Thank you. I'll try to find right web-portal to ask my question than. Have asked this on StackOverflow but I am still ignored there ))

Well, the advantage of open source is : you can do what you want, so there are many ways.

Something like this - it's executed every 5 minutes by a Munin client :

<?php require_once("/etc/inc/util.inc"); require_once("/etc/inc/functions.inc"); require_once("/etc/inc/captiveportal.inc"); /* Read in captive portal db */ /* Determine number of logged in users for all zones */ $count_cpusers = 0; /* Is portal activated ? */ if (is_array($config['captiveportal'])) /* For every zone, do */ foreach ($config['captiveportal'] as $cpkey => $cp) /* Sanity check */ if (is_array($config['captiveportal'][$cpkey])) /* Is zone enabled ? */ if (array_key_exists('enable', $config['captiveportal'][$cpkey])) { $cpzone = $cpkey; /* Zone selected -> count users and add */ $count_cpusers += count(captiveportal_read_db()); } echo $count_cpusers; ?>

and the info retrieved, the number of logged in portal users - is used to generate this.

The code above is what ne would call a Munin plugin.
Many others exist.

@mohkhalifa
Well, I found 2 threads about Microsoft NPS posted by you in CaptivePortal category, and I am glad that you figured out how to use Microsoft NPS as radius server for pfSense authentication.

It's better that you can take some time to share your experience in your own thread, It will help me and others who may got the same issue.

@free4 thank you for the info! I will look if I can find a release date. Perhaps it is worth to wait a bit with the upgrade

@mephisto Did you eventually figure it out? I'm in the same situation. Appreciated any info you can share. thanks

edit : see below - bottom - 0.15.7_17 includes this edit.

See here https://forum.netgate.com/topic/139132/need-help-on-max-daily-session-attribute?_=1600411248200

pastebin.com (do not post it here) your /usr/local/pkg/freeradius.inc file.

Just search

sql1 {$varsqlconf2authorize} }

and add there :

dailycounter monthlycounter noresetcounter expire_on_login

just before the line with

EOD;

Save, stop FreeRadius, start FreeRadius and again, keep in mind settings are thrown away if you upgrade the FreeRadius package.
But re editing (if needed) is so easy ....

edit :

I just upgraded FreeRadius to 0.15.7_17 and this edit (patch) is now included.

@free4 I will definetely have a look at that. Thanks for all the help, i really appreciate it!

@Ahabash you are already able to do that.
Using DNS logs+ captive portal logs, you can check which user accessed which website.

If you are looking for the precise URL (and not just domains) : please be aware that most of websites are in HTTPS nowadays (which mean : you can't).

@dragon9981 said in Automatically Expire Vouchers via script outside of pfsense:

non-used but issued vouchers to be no longer valid.

Well that's quite simple : just delete the vouchers roll then create it again?

FreeRADIUS SQL backend counter feature: https://redmine.pfsense.org/issues/10871

Hi,

FreeRadius is better integrated these days, and can be installed as a pfSense package.
You'll be needing a MySQL (MariaDB) SQL server. This one doesn't (should not) run on pfSense.

If you're capable of running and maintaining** these these two, you're pretty close to redoing a bit the code used in the project, as html, ccs and PHP. These 3 had their rocket science status removed in the late nineties.

The problem with big addons is .... they only work for a couple of months.
As soon as pfSense updates, chances are that something breaks. The author should solve the issue as soon as possible. This means he should be using a portal himself. Which means he already knows that an animal called "RGBD" really exist.

When you run a captive portal, you should apply this rule " keep it simple ". Not doing so means : Very soon, you will not be doing what you are doing right now.

pfSense is a security device, not some nicely coloured gadget. If updates exist, you install them.
If the installed code is personalized which this kind of addons, admins tend to stop updating.
And that's another way of going out of business with a lot of buzz.

** FreeRadius and MySQL are not "set them and forget them" type of services.

Btw : I guess you do understand that the nearly identical question "Can I use the user's Facebook account to login in into my portal ?" vanished. Some English company did woke up a lot of people.
And Facebook changes it's API every week or so.

edit : almost forgot : this method is still allowed !

hi
thanks from Calvin Bui for this post, i found a way to create a login page that show only voucher filed.
i change this particular code to :

<div class="form-group"> <input name="auth_voucher" type="text" placeholder="Voucher" class="form-control"> </div> <input name="auth_pass" type="text" class="hidden" value="password"> <input name="redirurl" type="hidden" value="captiveportal-success.html"> <input class="btn btn-lg btn-success btn-block" name="accept" type="submit" value="I Agree">

Hello.

Thanks for the feedback.

I managed to solve by creating a record in the radcheck table, with the information of Session-Timeout and Idle-Timeout.
Only then does pfSense disconnect expired users.

Gracias.

@viktor_g Hi Victor! The webui certificate has < 398 days but the Freeradius certificate is 10 years. I will try setting up a new Freeradius cert with < 398 days lifetime to see if that resolves the issue. Thank you!

@ghassen said in Allowed-hostnames not working.:

I have disabled both the DNS Resolver and Forworder if that's what you mean.

And then how is client on your captive portal suppose to look up www.google.com then? Do you hand them external dns that you allow through captive portal?

@Gertjan stated - working dns is a MUST for captive portal to function.

Where does pfsense point for dns? When it finds the ip for www.google.com better hope it matches what the client finds when it does query.. Pointing to different dns can exacerbate problems with mismatch of IPs..

Ok, I am done. I am using OpenLDAP for Authentication Servers. Now everything work fine. This is my configuration:

Screen Shot 2020-08-08 at 10.44.17.png

Screen Shot 2020-08-08 at 10.44.28.png

Screen Shot 2020-08-08 at 10.44.54.png

Screen Shot 2020-08-08 at 10.55.38.png

Now user 'direktur' can login to Captive Portal 'Direksi' but can't login to Captive Portal 'Dokter'.

Screen Shot 2020-08-08 at 10.49.05.png

Screen Shot 2020-08-08 at 10.49.16.png

@Gertjan I have two systems both 2.5-dev version . second system is up to date always. I keep an eyes on all updates and bug fixes (redmine) everyday i am testing both system in different ways.

second system i didn't apply any patch and people can reuse voucher on other device so they get disconnected from old

Aug 3 13:00:03 logportalauth 38072 Zone: campco - CONCURRENT LOGIN - TERMINATING OLD SESSION: 9478394944, 7c:78:7e:4d:1c:43, 10.10.21.188

Moving soon to FreeRADIUS base solution which has no issue with concurrent logins. I have already done initial testing in production environment.

@Gertjan said in Newbie need help to merge pfSense Captive Portal with old Linksys WRT54GL hotspot feature:

@ha11oga11o said in Newbie need help to merge pfSense Captive Portal with old Linksys WRT54GL hotspot feature:

Also on router i have WiFiDog and Chillispot. But my problem is that i dont know what to use as redirect page to pfSense machine.

The "page to redirect" etc does not concern pfSense at all. You'll be using the hotspot's facilities of the AP, there is nothing to be done on pfSense.
If you set up the AP on the WAN side of pfSense, the question is even less relevant, as the traffic isn't seen by pfSense.

For help about the hotspot's (DDWRT) : see their forum. I don't know what Chillispot is, neither Wifidog.

You can also transform your WRT54GL as a simple AP - I'm using several of these Linksys/Cisco routers, with the DDWRT firmware - and activate the portal on pfSense.
In that case, I strongly advise you to use a dedicated interface on pfSense (a third interface) for the portal, leaving the LAN for trusted devices - and the OPT1 interface for the non trusted devices, as are portal users by default.
I you choose to use pfSense for the portal management, start by looking up the Youtube site on the Internet. Then locate the Netgate channel, and see (several times) the Captive portal and DNS videos. When done, a portal can be set up in less then 10 minutes.
Remember : keep it simple at first.

Well,

you definitely pointed me right way. I do want that pfSense is handling portal and WiFi just to be "radio" device for that.

Thank you.