Sorry, i found my solution :
https://www.netgate.com/docs/pfsense/book/captiveportal/zone-configuration-options.html section MAC Filtering
We can disable MAC address filtering !

@free4 Yes, when it's to wear or take somewhere. You don't actually take a website with you, it lives on a server, you publish it. :) ⌨

You made me think though, what if I carry the web server with me, like those early-days iOS file server apps, but I'd still need a browser to access it and even with the browser being on the same device somehow makes me think I'm getting it, that it's still somewhere in a colo. The one thing I think could make me see it differently is if the address bar was 3x as big and read ...://localhost/... . 😂

@gertjan said in In the captive portal state, the version 2.4.4-RELEASE-p1 does not show the number of connected users:

Yours doesn't.
What up ?

Perfect, it worked, thank you very much for the solution and sorry for my ignorance. I am new in the management of this great distribution.

Hi,

What is Radius Desk ? Can't find any references to it in the manual/doc of pfSense.

edit : two years ago : https://forum.netgate.com/topic/109044/setting-up-internet-data-quota/6

What's your use case?

I mean, why would you do that? What are you trying to do exactly?

Thanks for the reply, i got it working im on 2.4.5-DEVELOPMENT (amd64)
how can i test if the LDAP was correctly connected?

As mentionned more or less everywhere in the forum, there is currently a bug on the captive portal : if you edit captive portal settings while users are connected to it, connected users will become in a "rogue state", half connected half disconnected. This is probably what happened to your samsung device

Temporary solutions :

don't edit your captive portal settings when users are connected if you ever have to edit them anyway, go to status->captive portal and click on "disconnect all". This will fully disconnect users

however, I just want to warn you that using a wifi router between you and the pfsense isn't optimal (it will force you to disable captive portal MAC filtering...which is not good)

why don't you setup directly a captive portal on your Wi-Fi router? if the router can't offer such functionality, why don't you buy a pfsense appliance or a small Wi-Fi switch such as Cisco aironet?

Thanks a lot Grimson. That solved the problem.

hi,

did you enabled HTTPS captive portal?
what is your default page in IE?

btw, IE is outdated and is going to be removed soon
could you test with edge?

@jane-doe2 said in After updating to version 2.4.4 "RADIUS MAC Authentication Failed.":

Therefore the Portal page contents can be left empty for this scenario?

Left to "default"that is - the default error page is not empty - it's a login page with an extra line that reflects the error that occurred during a previous login attempt.

I've been using a guide at (https://community.jisc.ac.uk/groups/eduroam/document/walled-garden-onboarding-user-devices-eduroam) . Plus some local systems which definitely do resolve to multiple IPv4 addresses.
If the limitation in Allowed Hostnames is using gethostbyname(), is it possible to request having that replaced by something that does handle multiple addresses? (e.g. getaddrinfo())

I played a little bit with " configuring-a-pre-authentication-redirect-for-captive-portal-users ".

Using Pre-authentication redirect URL and doing what is stated here still redirect the user to another web server. - not the captive portal.

This should be edited :

<?php require("globals.inc"); $request_uri = urldecode(str_replace("/index.php?redirurl=", "", $_SERVER["REQUEST_URI"])); $portal_redirurl = urldecode("$PORTAL_REDIRURL$"); if(!stristr(urldecode("$PORTAL_REDIRURL$"), $request_uri)) { Header("Location: $PORTAL_REDIRURL$"); exit; } ?> [Rest of CP login page]

The line

require("globals.inc");

should be removed now, it's already included.

The line (URL) on the pre authed web server that takes the user back :

http://x.x.x.x:8000/index.php

should at least include ?zone=your_zone like :

https://your_portal_server.your_pfsense.tld:8003/index.php?zone=your_zone&......

https://your_portal_server.your_pfsense.tld:8003 for me because "8003" is the URL and port on which my https enabled portal server is listening.
?zone=your_zone because otherwise the portal web server will not know which zone the user is using.

and that where it ended for me right now.
I'm have this subject on my to-test list, but somewhat blocked by the fact that portal debugging means : I'm throwing out the user every time I try something.

I guess the original functionality of Pre-authentication redirect URL is still possible, but the doc should be updated a little bit.

Check also https://forum.netgate.com/topic/138019/allowed-hostnames-not-being-converted-to-ips

@julio-freire said in Issues with HTTPS in Captive Portal:

Has anyone faced this issue?

Yep. Probably. Don't recall very well. There was a path for it.
But, you already know what the real solution is.
As soon as you decide not to upgrade for what ever reason that is yours you also accept that you and only you are the one that makes thing work. Even if this implies rubbing out bugs.
The thinks is : who remembers 2.2.6 issues ? And why should we ?

Btw : start with this one : very old SSL code can't handle the recent certificates.
When you use the portal with https mode, you should use a certified certificate that a browser trusts out of the box. Which means your certificate is recent.

Thanks for your answer.

I've tested with a 2 NICs computer and ping can passthrough pfsense.

@free4 said in Upgrade from 2.3.x to 2.4.4, captive portal not working:

is your computer configured to retrieve DNS servers from DHCP? or did you force your computer to use 8.8.8.8 / 1.1.1.1 like many computer-fanboys?

the computer usually uses the pfsense as the dns server (dns resolver). Because of the restriction, not to fall back from https to http of visited sites a redirect was not possible. After someone connects to the network a notification is shown in the browser, to log somebody in. If someone closes this, he wouldn't notice that there is a portal to log in....

Ok great I'll have a look at that one.

Follow up: Does anyone still have the file Voucher-Template-Printer-2.4.0.zip to reupload here?

Thank you!

@free4 said in Blocked MAC Address redirect URL not working:

@h2professor Would it be possible for you to test the patch on your side and give feedback on the redmine issue? I'd like to to confirm that the bug is fixed

I can confirm that the code change solves this problem.
Thank you