Dear @soheil-amiri
No need to use freeradius in pfSense. Just deploy MS Radius Server and integrate it with pfSense and send your own attributes and that's the best way I'm using.

I have reviewed and its true its timing out on correct hour. however i think it has something to do with timezone since I changed the timezone. captive portal login uses the default timezone and co timeout uses the system timezone. lol

Issue created: https://redmine.pfsense.org/issues/10798

@Gertjan Okey, thanks. I will do that.

There might be a 'pfSense' limit, but you will not find it out.

Handling a voucher roll with thousands voucher needs a special way to handle used and unused vouchers.
Will that be you using a print out and a pencil ?
Some excel sheet that you maintain by hand ?

When things get messy, it might be easier to remove the roll, ans start using another one.

Btw : the bit numbers determine the seed, so there will be a limit for sure.

The ipfw firewall rules, put in place when the captive portal is activated, start with some rules letting through DHCP traffic. It's part of the default rule set.

When a device is hooked up, can you see DHCP traffic (DHCPDISCOVER) in the pfSense DHCP logs ?
If not, NIC is bad, cable is bad, or some switch device between user and pfSense.

Btw : you should keep LAN for admin purposes, and use a second interface - OPT1 - for the portal.

If remote admining is needed, use OpenVPN

@wakasavan said in DHCP Stop Working when captive Portal is enabled:

As long as captive portal enabled no Internet at all.

That's what a portal should be doing.

@wakasavan said in DHCP Stop Working when captive Portal is enabled:

I repair the the firewall but there is no issue there

What do you man ? You repaired something that wasn't broken ?

@wakasavan said in DHCP Stop Working when captive Portal is enabled:

Firewall can be accessed via WAN link but from local interfaced it is not working.

If a portal is activated on that LAN, then,except for obtaining an IP, nothing should work.
Exception : DNS requests ! Check that. But ok, if the device can't get an IP, all will be down.

@wakasavan said in DHCP Stop Working when captive Portal is enabled:

There was a power outage for a long time

The power of pfSense was shut down using the way it should ? Do you use a UPS ?
The file system is clean ? ( see very recent Netgate video on Youtube).

That's the one - or actually one of the two solution proposed.
It's merged again 2.5.0 so it will haunt the 2.4.5.x series for long time, except if it can get backported.

https://redmine.pfsense.org/issues/3128

@soheil-amiri do you have any news about your issue? I'´m, trying to implmenet a similar scenario. My scenariou include FreeRadius with LDAP background authentication for WAP2-Enterprise authentication.

I setted up FreeRadius and background LDAP authentication, i tried authentication form pfsense, and works well.

But when i'm trying to authenticate users over WPA2-Enterprise SSID, i have authentication errors.

my users file config:
DEFAULT Ldap-Group == "cn=account-users,ou=wireless,dc=example,dc=com"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "1010"

Errors Logs:
jul 3 18:53:55radiusd98680(39) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [radiuser1] (from client AP_LAB port 0 cli 92-1F-E6-B9-E9-1E)

Jul 3 18:53:55radiusd98680(38) Login incorrect: [radiuser1] (from client AP_LAB port 0 cli 92-1F-E6-B9-E9-1E via TLS tunnel)

Can you help me?

If your files used-octets-* do not get emptied - but actually get filled with "0" it might be this line :

echo 0 > "/var/log/radacct/datacounter/$TIMERANGE/used-octets-$USERNAME"

Add a echo "used-octets-$USERNAME was emptied" line to see if this line gets executed. Check the logs to see the log line.

used-octets-* are empty, it's not filled with "0"

Unfortunately, with the 1st power failure, I got both used-octets-* and backup-*.log empty (all files size is zero)

I wish I could catch the root cause.

@curvian said in Captive Portal + freeRadius 3 + MySQL (PFSense 2.4.3):

@Gertjan Could you tell me what this screenshot is from?

Yes :

@Gertjan said in Captive Portal + freeRadius 3 + MySQL (PFSense 2.4.3):

(the image is part of the FreeRADIUS => Users => Edit => Users page.)

Maybe I should add : pfSense, when added the FreeRadius package

thanks for answer, at least somebody confirmed my suspicions. i know that it is impossible to track all CDN IP addresses, and that sucks because I had very big expectations about pfSense captive portal. Looks like we can not use it for our purpose..

No ;)

An image : the other Redirection issue - 2 inch lower :

8d72916b-452d-482b-8c5c-086bfa63a5b8-image.png

@jimp Hi Jimp,

Thank You for the explanation. All I know is I am glad this is back to working transparently. This is ina production/school setting so very dynamic users as there are as many 'visitors' that were getting 'stuck' at the 'continue' button. You don't realize how many phone calls happen once this isnt working,even with the COVID-19 thing a school is like grand central station even in small town USA. Used to really enjoy figuring this kind of stuff out,,now,, i just like to do some clicks,,and it works. :)

Thanks again.

You can't.

To have FreeRadius use all the MySQL database tables, you have to modify /usr/local/etc/raddb/sites-enabled/default - and probably other files as well - which means you have to modify pfSense itself.
This means thorough FreeRadius knowledge and a good understanding about how pfSense makes the set up files.
If that was the case, you wouldn't ask question, you were just doing it.

Hi,

@pierrelyon said in Voucher creation for Dummies:

As any of you has faced that situation?

Yep. Half the planet was working from home last month.
These people are now aware that some activities can be done "from everywhere" ;)

You could write down the steps you do.
Try to enumerate what can go wrong - and what to do.
Use your phone for some serious stuff : film yourself doing it.
Then : meet up with the candidate that replaces you.
Tell him what a voucher code is - and be sure he actually understands it.
Show him how to make a voucher roll.
Let him always test one of the new vouchers himself before he thinks he's done.

Btw : you can prepare also yourself enough vouchers roles for a week, or even longer. Print them out, put a date or number per page and you're good.

I'll explain what happened using the old code :
Note : this part does not exist any more in the 2.4.5 version :

if (!empty($cpcfg['redirurl'])) {
$redirurl = $cpcfg['redirurl'];
} elseif (preg_match("/redirurl=(.*)/", $orig_request, $matches)) {
$redirurl = urldecode($matches[1]);
} elseif ($_REQUEST['redirurl']) {
$redirurl = $_REQUEST['redirurl'];
}

If "$cpcfg['redirurl']" exists, then set the rediction to that value.

You could have set "$cpcfg['redirurl']" like this :

4b39045a-fdbc-4a05-88a1-f1a315a0a6de-image.png

Else, if there was an original URL 'redirurl' paramter, it was stored in "$orig_request, and use that
Else, if the special PHP $_REQUEST exists, it's a PHP super global variable which is used to collect data after submitting an HTML form, with an item called 'redirurl', then that one is used.

So, before 2.4.5, when you set "After authentication Redirection URL" in the captive portal settings, browser get redirected to that URL, no matter what.

As of 2.4.5, things have been re ordered :

First this is looked up in the URL :

where .* (dot star) can be "any possible string", normally some ting like "http://www.msn.com" - if it exists, it has a (one) match, the match is used to set the redirurl, the variable to be used to redirect the browser.
( this is the same test above at step 2 - explained using others words)
If not, the $_REQUEST['redirurl'] is tested, and if present, used.
If not, finally, the $cpcfg['redirurl'] is used, the URL we had set up in our captive portal settings.

As you can see, it's all the same, but different order.

Which means that portal visitors are now not redirected any more to what we as pfSense admins decided. It's what the browser (user) wanted to visit initially what is being used now.
If that doesn't exist == unknown, the captive's portal admin's choice is used.

@ahmed20n8 said in Assigning Static Ip or Pool of Static Ip's using DHCP:

I have installed FreeRadius and tried assign static ip through that too but didn't worked

@free4 said in Assigning Static Ip or Pool of Static Ip's using DHCP:

Because DHCP process is made before connecting to the captive portal, it is not possible to assign specific IPs to users passing through the captive portal

Why not ?

.... but assigning a "DHCP Static Mappings" for the IP on the captive portal's DHCP server page is possible.
This way, the device will always obtain the same IP. That IP should be outside of the DHCP's server portal pool range.
I just tried it : it works. My device obtained the static DHCP lease == always the same IP.

I could now apply special "IP" conditional conditions with firewall rules .... didn't tied that.

Hi,

Could you ask this question to https://github.com/lirantal/daloradius/issues/ ?