OK tHANK YOU  ;D

Why should I take a look I know how it works.

NO PHP WILL BE EXECUTED ON THE SERVER until the client makes an http request. Whatever is in that php script it is completely up to the client what is done with it.

What is so hard to understand? I'm out.

@The:

I tend to put www.apple.com in as a host name passthrough. Works fine then.

This could be one of the ten or hundred different URL's hard-coded in iOS.
When you have the change the random "www.apple.com" is used, the iOS thinks it is connected to the net …. and the pfSense Captive portal will still block the portal client to visit any other site

Just wire-shark your portal connection, you probably will not even find a "www.apple.com" (DNS) request .... so why allowing it ?

Thanks Gertjan… I've been to busy lately....

What I'm doing now... I'm just making sure the config file is actually getting written... that's until I get an SSD...

Ill do as doktornotor says...

I was actually trying to thank Gertjan not Doktornotor...

@Gertjan:

@Chrisiesmit93:

.
Can I kick users authenticated through RADIUS (MS Active Directory) from CLI or a .php script on another host and/or webserver?

'kicking' means 'disconnecting' means the Captive Portal firewall rules should be modified. So something has to execute on pfSense to 'kick'.
Putting a script on another system won't do 'the job'.

Btw : Userid's are stored into a SQLLIGHT3 database on the pfSense file syem (see source for the "how to access and retrieve").

Thank you! This is wat I searched for! :)

People have devices that constantly request web pages and they just sit there and run and run and run before the user navigates the portal. It could be hours or days.

What does this output when run from behind the portal?

openssl s_client -connect wifi.cityofaltonil.com:8003 -showcerts

Good advice ^^.

Also, sometimes clients get confused and simply reload the portal page. After they hit login is there a CP entry created (Status > Captive Portal. Also check the Portal Auth log).  After they hit login did you try manually navigating to other sites?

i check this now it is working thanks all

Probably a client connection to a '443' (https) not using a https 'talk'.

As describe in this post : https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428 there seems to be an issue in the Freeradius2 Implementation in pfsense.
I solved the problem as follows :
1. in Freeradius-LDAP enabled Authentication and Authorization.
2. Set Group Membership Filter for AD : (|(&(objectClass=group)(member=%{control:Ldap-UserDn})))
Saved Configuration
3. Inserted in radius Users File first line : DEFAULT LDAP-Group == "AD-Group Users have Access", Auth-Type := LDAP
4. in freeradius sites-enabled/default authorize-section disabled the ldap part ( here  line 207-210 : #redundant {

#}
You have to disable this everytime the freeradius configuration changes and is saved !
5. restart freeradius  :)

@Derelict:

I don't think the portal cares how many users are using the same credentials.  All my users show as "unauthenticated" and it works fine.

Who honestly cares if passers-by use the network? Toss a limiter on it to curtail torrenting and help keep one device from being able to hurt you.

The nasty stuff like DHCP pool exhaustion can be done without going through the portal anyway. A better answer is a WPA2 passphrase.

Thank you and you are right.
I might end up using a WPA2 passphrase and an unauthenticated captive portal to display the AUP upon login and make use of the limiter.

@Derelict:

…. It works great. 2.1.5.

Same thing for 2.2.4.
I just generated some vouchers, activates auto-add-mac support etc and started authenticating using vouchers.
Everything works as advertised.

I saw lines like:
Oct 28 08:39:43 logportalauth[38194]: Zone: cpzone1 - Voucher login good for 120 min.: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40
….
Oct 28 10:39:44 logportalauth[33421]: Zone: cpzone1 - EXPIRED SNWfCebPBQS LOGIN - TERMINATING SESSION: SNWfCebPBQS, 0c:77:1a:xx:13:35, 192.168.2.40

The device "0c:77:1a:xx:13:35" was disconnected and removed from the MAC white list.

Nice  :)

I hope you can read English.

You shouldn't add an executable (who would use an undefined executable, found on the net ??) but at least share the source code and the steps how to build the program.

(je pourrais te répondre en Français s'il le faut, car j'y habite  ;))

Check out this subject - posted just a couple of hours before : https://forum.pfsense.org/index.php?topic=85695.0

Ah ….
I remember that one  ;)
But was was a year (two ?) ago.

Hi,

I also using an OPT1 interface for my Portal. I didn't use any 'limiters' on my Portal, so accessing the net, one authenticated, is as fast as accessing the net using the LAN interface.

I also tend to say : I'm using the default settings.

So, the question is : what did YOU change (without telling us) ? How did you set it up ? Undo your changes …