@Gertjan thanks, it looks like a solid explanation for my case

@free4 said in Voucher auth and username log:

@nicklang said in Voucher auth and username log:

Hi, i want to set up captive portal with voucher authentification, plus i need to register a username like 'self registered" with the vouncher (to have a name with the vouncher in pf log)

Any suggestions would be greatly appreciated.

Well,
pfSense does not offer such functionality. vouchers are "anonymous" codes and are not designed to be linked to any name. If you ever heard about GDPR in Europe or about various Data Privacy Act in the US & APAC, you should probably understand why.

You could of course set up your own page that will bind vouchers to real users. But i'm not sure that's what you really want (why use vouchers in the first place in this case? Couldn't you just use a freeRadius server + an SQL database containing your users? Your setup seems a little bit odd)

Also, the index.php.txt you provided seems to be the default login page of pfSense 2.4.3...You should probably use the 2.4.4 login page instead.
You could find this file in /usr/local/captiveportal/index.php in your pfSense appliance, or you could simply get it here
. Then you could update this page to bind vouchers to your username list, probably using an external database or something.

@Gertjan said in Voucher auth and username log:

Three choices exist :

No authentication User / password Voucher.

These are mutual exclusive.

Not really related but...that is not true, vouchers and user/password can be used at the same time :

d9964755-c3dc-413d-9a95-934bdfef2c1e-image.png

Well ... not really ^^
Checkout index.php line https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L158
If a voucher code has been entered, it will be tested - and accepted if the code is valid and some time is left for this voucher. If not, authentication stops - user/password are NOT tested, the error page is shown.

If no voucher value is entered, user and password are tested - if valid, the login is validated.

So, it one method, or the other.
There is no situation where both are tested.

If some one chooses to use voucher - and not the user/password it would be better to modify the existing login by removing User/Password related lines.
Btw : keep in mind, the pfsense admin can always use the User (== admin) and his Password to login against the portal.

( I resourced from the index.php source )

"FreeRadius" means : no vouchers as authentication. Just some access codes.
You should generate users & passwords, or just passwords - and use a hidden username that is common among all portal users so you can hide it in the html login page (see pfSence doc/book) - FreeRadius can enforce one user for one logged in account.
As been discussed on this forum many ... (more often ?) times.

I should inform you that running a FreeRadius isn't for the faint of heart.

@curioushuman said in pfsense does not work on mobile phones (iOs and android):

my wifi connection has to constantly renew lease each time wifi connection is interrupted. Why is that so?

When the Wifi goes down - or the phone goes to sleep, or out of range, etc, you have a situation that is identical to a wired connection : when you remove the cable, and put it back in again, interface comes up, and the first thing it does is launching a DHCP request.

Don't worry : the DHCP server will give it the same IP again. This won't disrupt the Captive portal connection whatsoever.
It's still the same MAC/IP so for the Captive portal it concerns the same session.

edit : keep in mind that the "voucher counter" doesn't stop when the device (Phone) is connected, or not.

@curioushuman said in pfsense does not work on mobile phones (iOs and android):

@gertjan It works now

Why didin't it work before ?

@gertjan

The same thing. Could you simulate that?

Thank you guys for the help, I tried it today and it seems that it fixed the issue.
Thanks again

Thanks so much for your help!

@grimson thank you sir,

One would assume that's how it should work, as 302 redirect seems to be standard for captive portal ... but I can confirm that Samsung devices for some reason -- do not follow this standard.

See here for more details:
https://android.stackexchange.com/questions/139588/captive-portal-detection-causing-phones-to-disconnect-from-wi-fi-in-intranet-env/208674#208674

Seems as though Samsung devices and their modified Android OS has changed the default handling to require some kind of response in the generate_204 instead of just using the code like mentioned above to trigger the captive portal login

Yeah. Add 208.67.222.222 and 208.67.220.220 to the Allowed IP Addresses in your captive portal configuration.

Linking again:

https://docs.netgate.com/pfsense/en/latest/book/captiveportal/troubleshooting-captive-portal.html#portal-page-never-loads-times-out-nor-will-any-other-page-load

Thanks for clearing that out--since I asked I had a major network redo and had two major "aha!" moments and I'm back to only the edge firewall + L3 switch and using every feature Windows Server's DHCP server has. I've been offline for really long periods while I broke some stuff.

But I accomplished what I wanted and was told repeatedly not to do it: DHCP option 121.
0_1551518079822_Screen_Shot_2019-02-13_at_08_45_54.png

I really liked the simplicity of using a transit network because all rules lay on a single interface plus a few floating ones it's awesome--parting from that and from this diagram I found:
:
0_1551518599407_chilli.png

and... your confirmation about no NAT needed (I'm really grateful, BTW) I'm thinking about setting up a captive portal as a transit network and whitelist hosts as needed. My previous experience with portals was with the UniFi system--it never occurred to me to look at things from another perspective.

I'll keep breaking stuff a little more, it's weekend, see what else can I learn--thanks a million!

The captive-portal was setup with MAC authentication. If login fails, rather then display a login page that scripts gets the MAC address and redirects to my captive portal site which allows them to setup an account and pay with PayPal.

@artz i think your issue has to deal with the following problem :

there is currently a bug with the captive portal ("reconfiguring a captive portal while users are connected to it, causes troubles for these users. they become half connected/half disconnected and cannot connect anymore").

this issue is known and will be resolved in the next version

the problem you are facing about "last activity" is a side effect of this issue

if you cannot wait for the next version, you could also patch your pfsense (here : https://forum.netgate.com/topic/137824/pfsense-no-internet-when-it-is-said-you-are-connected/13 )

@hugoeyng said in Invalid Local Database authentication after upgrading from 2.3.2 to 2.4.4:

Even there is only one option/Authentication Server is necessary to select/mark it.

As you said yourself :

@hugoeyng said in Invalid Local Database authentication after upgrading from 2.3.2 to 2.4.4:

You must select at least one authentication server.

@opticalx said in Creating users:

Hi Forum

On a follow up from my previous post.

I'm looking into if its possible to create a captive portal with a "create new user" button, that lets the user, type in e.g. Username and password.

The catch is that after this is done, it could create an actual user directly on the firewall.

Is this possible?

Or do I need radius/LDAP/AD?

Thanks in advance.

Why not just have an open network. it's as secure.

Perfect!

We overlooked this option, we've testet it and it works.

Thanks a bunch.

Hello,
Thank you for all this answers !! ;)
I detail my problem :

0_1550479043707_schéma_pfsense.jpg

In fact, I want to secure my machine networks with the use of a captive portal. The goal is that the client must be able to access the machine without knowing its internal address. Each machine has a differant network that's why I use a pfSense for each network.

I use the first pfSense(Router) for route all requests to the good pfsense.

I hope have been more clair, thanks for all !! ;)

@slybreiz i would recommand you to use PHP in your script ...for update your certificates :

In order to update the certificate in the config file, you could use cert_import() from certs.inc In order to restart the nginx server attched to a captive portal, you could use service_control_restart() function from service-utils.inc. That function will stop a captive portal zone, re-fetch the certificates from the config, and restart the cp zone.