@Gertjan Other one are missing,

because of google being blocked in china, cellphones and multiple chinese garbage browsers (360browser, etc...) are usually using one of these URL:

https://connect.rom.miui.com/generate_204 (Xiaomi) http://www.qualcomm.cn/generate_204 (Huawei) http://www.265.com/generate_204 (Google Chrome, Asus cellphones. This website is owned by google)

I also heard that nintendo devices are using http://conntest.nintendowifi.net for captive portal detection
but anyway, i don't think that's very important..

@Ludgarvb said in Autenticação Captive Portal + Radius + Tela de Login com opção de cadastro.:

Have any of your colleagues already implemented this scenario and could you please help me out?

Hi,

Yes, it has been done a number of times. Visit this forum : Home pfSense® Software Captive Portal - it's the forum where you posted your question ☺

Hit his button
1b935a47-97cd-46b2-9ff4-49f3b3fb315d-image.png
and sort on "Most posts".

The first solution - maybe not up to date - shows the way to go.

Be ware : these are never "click-and-ready" solutions.
Up to tou to write your own captive portal html/php login page.
Up to you to handle your database (mysql or other) storage area.
Up to you to add the FreeRadius support.
Etc etc.

You can make it as beautiful as you want.

If you just want a count, you can use the script that is there for RRD:

/usr/local/bin/php-cgi -q /usr/local/bin/captiveportal_gather_stats.php '<zone name>' 'loggedin'

/usr/local/bin/php-cgi -q /usr/local/bin/captiveportal_gather_stats.php '<zone name>' 'concurrent'

@Gertjan said in Trouble With CaptivePortal on Two VLANs in One Interface:

You are already using multiple interfaces - a VLAN is considered as a interface.

Typically, each interface has its own dedicated AP(s) - using a dedicated radio (== Wifi) setup.
A user should choose the correct Wifi SSID first to use the correct network. You can't automatize this.

I just wanted to make it happen. I was planning to redirect the user to the correct VLAN by using just one SSID. But I completely got that I can not do it. Thanks for your helps.

@free4 I still can not find an opportunity to try PacketFence. I will write down here if I can be successful on it.

@Martí-Ferret said in Captive portal not redirect:

@Gertjan https://vimeo.com/user97033072/review/328553388/b94c374499
Look i make a video doing what u sayed.

The videos already exist ^^ : here they are : https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos
There are 3 good Captive portal videos. take the first one that initiates with the captive portal.

What are the firewall rules for this VLAN ?

Can't really help you with VLAN setup itself - but you can test this : hook up the AP on the LAN, and activate a captive portal on LAN. You see the same issue ?

I think everyone can agree that pr's should save time. Making comments on this forum uses valuable time. Probably more time then it would take a skilled coder to fix a couple of characters of code in some crappy pr that a random amateur created

@tennesse said in redirect problem with ssl certificate:

Can anybody tell me how to fix this?

There is no fix.
For the simple reason that a fix isn't needed.

See for yourself :
Disconnect you device (PC, Phone, whatever) from your network. Do this be disconnecting the Wifi, or rip out the network cable.
Wait several seconds.
Connect your device again.
What happens now, without you being able to see anything *** : you will see a message that special action is needed, or a browser opens that brings you to the captive portal login page.
This is independent to the URL that you wanted to visited initially.

With default OS settings (if those exists) and default browser settings, this always works.

** you could see what happens : when send your pfSense logs to a remote syslog server, you will see that, as soon as the connection comes up, the device obtains an IP (and mask, gateway, DNS, etc) from pfSense. Then it will throw out a basic http (not https) !! request - for an Apple device this is " http://captive.apple.com/hotspot-detect.html " (click on the link !) : this link should bring back the word "Success" - if so, the device knows that it's connected directly to the Internet, and no more actions are needed. If not, a captive portal is presumed, and the user is notified. The OS opens a browser, and this browser repeats the " http://captive.apple.com/hotspot-detect.html " URL, and get's redirected to the login page.
Note that the original requested link was added as an URL parameter (your www.google.de), after successful authentication you will be redirected that that URL : the connections is unblocked and www.google.de shows up.

Windows based system popup a message at least - or open the default browser.
From what I know, recent Android systems also work now.

Note : the captive portal facility is something that is supported by your device. people tend to think that pfSense is "doing the work", but it's only blocking (all) requests - and redirecting them to the internal web server. These should be "browser" requests - for example, fat mail client won't be able to trigger a login screen ^^

edit : I'm using a certificate portal.brit-hotel-fumel.net - and people (complete strangers for me) connect just fine using any possible device.

Hi,

When I use a voucher, and it expires, my device is removed from the captive portal firewall.
My device 'looses' that Wi-Fi connection, so I have to re-select it to connect. (It's important to reconnect).
I do see the standard login page again. It's like a first, initial connection and authentication.
If the voucher has expired, I'm getting redirected to the "error login page" which is identical to to standard login page, with one extra red message line "Voucher expired".

Btw : no need to browse to a "http" site to 'force' a login page to appear. The OS of your device should be doing that / discover all that for you.

It works. Thank you so much. ^^

@infosoporte said in Captive Portal and DNS Resolver:

Thank you!!

@luyo it's not same

the web server of the captive portal has a root to /usr/local/captiveportal/ so updating your files somewhere else probably won't work...

Sorry for the delay. After the upgrade and some other configurations like HTTPS the IOS issue was solved. Thanks a lot!!

@Gertjan thanks, it looks like a solid explanation for my case

@free4 said in Voucher auth and username log:

@nicklang said in Voucher auth and username log:

Hi, i want to set up captive portal with voucher authentification, plus i need to register a username like 'self registered" with the vouncher (to have a name with the vouncher in pf log)

Any suggestions would be greatly appreciated.

Well,
pfSense does not offer such functionality. vouchers are "anonymous" codes and are not designed to be linked to any name. If you ever heard about GDPR in Europe or about various Data Privacy Act in the US & APAC, you should probably understand why.

You could of course set up your own page that will bind vouchers to real users. But i'm not sure that's what you really want (why use vouchers in the first place in this case? Couldn't you just use a freeRadius server + an SQL database containing your users? Your setup seems a little bit odd)

Also, the index.php.txt you provided seems to be the default login page of pfSense 2.4.3...You should probably use the 2.4.4 login page instead.
You could find this file in /usr/local/captiveportal/index.php in your pfSense appliance, or you could simply get it here
. Then you could update this page to bind vouchers to your username list, probably using an external database or something.

@Gertjan said in Voucher auth and username log:

Three choices exist :

No authentication User / password Voucher.

These are mutual exclusive.

Not really related but...that is not true, vouchers and user/password can be used at the same time :

d9964755-c3dc-413d-9a95-934bdfef2c1e-image.png

Well ... not really ^^
Checkout index.php line https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L158
If a voucher code has been entered, it will be tested - and accepted if the code is valid and some time is left for this voucher. If not, authentication stops - user/password are NOT tested, the error page is shown.

If no voucher value is entered, user and password are tested - if valid, the login is validated.

So, it one method, or the other.
There is no situation where both are tested.

If some one chooses to use voucher - and not the user/password it would be better to modify the existing login by removing User/Password related lines.
Btw : keep in mind, the pfsense admin can always use the User (== admin) and his Password to login against the portal.

( I resourced from the index.php source )

"FreeRadius" means : no vouchers as authentication. Just some access codes.
You should generate users & passwords, or just passwords - and use a hidden username that is common among all portal users so you can hide it in the html login page (see pfSence doc/book) - FreeRadius can enforce one user for one logged in account.
As been discussed on this forum many ... (more often ?) times.

I should inform you that running a FreeRadius isn't for the faint of heart.

@curioushuman said in pfsense does not work on mobile phones (iOs and android):

my wifi connection has to constantly renew lease each time wifi connection is interrupted. Why is that so?

When the Wifi goes down - or the phone goes to sleep, or out of range, etc, you have a situation that is identical to a wired connection : when you remove the cable, and put it back in again, interface comes up, and the first thing it does is launching a DHCP request.

Don't worry : the DHCP server will give it the same IP again. This won't disrupt the Captive portal connection whatsoever.
It's still the same MAC/IP so for the Captive portal it concerns the same session.

edit : keep in mind that the "voucher counter" doesn't stop when the device (Phone) is connected, or not.

@curioushuman said in pfsense does not work on mobile phones (iOs and android):

@gertjan It works now

Why didin't it work before ?

@gertjan

The same thing. Could you simulate that?

Thank you guys for the help, I tried it today and it seems that it fixed the issue.
Thanks again

Thanks so much for your help!