• Question on captive portal setup

    3
    0 Votes
    3 Posts
    621 Views
    T

    The key thing here is I do not want to segment the network here, I just want to prevent access from this interface without authentication.

    As in I want the DHCP server on the existing LAN to handle machines that communicate with the pfsense box.

  • How to Change 1 Voucher per Device?

    1
    0 Votes
    1 Posts
    492 Views
    No one has replied
  • Error with Captive portal: This computer wasn't used to login initially

    3
    0 Votes
    3 Posts
    652 Views
    C

    Hi,
        This message "Error: This computer wasn't used to login initially" is from the portal auth log. It seems that when the DHCP server reuses an IP address and reassigns it to a different host/mac-address, the IP/MAC pair does not match what's in the online users list for this user. I did put a timeout of 6000 for users to be disconnected from the portal though, but it seems they are not being removed.

  • Newbie - CP for home use, one VPN, the other open and lan?

    1
    0 Votes
    1 Posts
    445 Views
    No one has replied
  • Magic Number - Captive portal

    4
    0 Votes
    4 Posts
    1k Views
    T

    Good morning,

    I would like to know how to calculate the Magic Number in the voucher creation section of pfSense.

    I need to change the voucher characters so that they are created with numbers only,

    and with that I need to change the Magic Number so that they are validated in the captive portal.

    Thanks

  • 2 captive portal - 1 freeradius - How to configure?

    2
    0 Votes
    2 Posts
    788 Views
    Derelict

    Yes.  Setting the NAS-Identifier differently for each CP instance should enable you to steer RADIUS in the right direction.

    You can use it in the users file as a check item.  It will have to match along with the username and password or the RADIUS server will send an Access-Reject.

    bob    Cleartext-Password := "hello", NAS-Identifier == Teacher-NAS
           Reply-Item += "Reply Blah Blah"

    Or something like that…

  • Possible to refresh a session with a voucher?

    1
    0 Votes
    1 Posts
    479 Views
    No one has replied
  • CP HTTPS without red page

    10
    0 Votes
    10 Posts
    2k Views
    K

    Yes - I see your point.
    For them to get no cert error connecting to your network, your network address would have to be the url they entered in the address bar.
    Go figure the odds.

  • Captive portal - only redirects IPs

    11
    0 Votes
    11 Posts
    3k Views
    Gertjan

    @Derelict:

    If your clients are not using the pfSense interface for DNS you need to whitelist the DNS servers.  See the Allowed IP Addresses Tab.

    Very true.
    But …. a client that uses a "Free Portal network" should obtain an IP (and gateway, and DNS, and ntp server, and ... etc etc) by the DHCP server.
    I already met clients who 'locked' their IP statically .... and then came over seeing me telling me that the "portal isn't working". ... yeah, right .....
    Clients that lock their DNS servers statically will be treated equally. It's fine for me, but if they want to surf on the net, they have the option: 1) switch to default or 2): don't surf.

    All this because there is a rule that says: "guests" should conduct as the "host" proposes ;)

  • Captive portal / HTTPS / redirect / 8000

    18
    0 Votes
    18 Posts
    8k Views
    Derelict

    If you turn on HTTPS logins in the captive portal and the user attempts to connect to a secure site and you forward them to the portal instead, there is nothing you can do to prevent the certificate error.  Think about it.  They tell their browser to connect to https://www.google.com/ and they get some certificate from your pfSense instead that has a completely different CN.  Certificate error - always.

    If you have HTTPS logins enabled and the user attempts to connect to an HTTP site on port 80, the CP will redirect them to the proper HTTPS port on the server name defined in HTTPS Server Name in the portal.  It is up to you to obtain a certificate signed by something in the client's root certificate store and get it installed in the portal.  If everything doesn't exactly match, certificate error generated by the browser.

    HTTPS Server Name
    This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS and verify on the client that the IP resolves to the correct interface IP on pfSense.

    The only way to guarantee certificate errors will not be generated by your portal is to enable HTTPS logins with all the proper certificates and hostnames and to be running 2.2-RC with the "Disable HTTPS forwards" option checked.  You won't get cert errors any more but initial attempts to HTTPS sites will still hang.

    There is nothing, NOTHING that can be changed in pfSense or any other captive portal to "fix" this.  Captive portals break the internet by design.

    ETA: https://www.startssl.com/ for free (really) certificates.  And you'll get an S/MIME cert for email (also free) in the process.  You, naturally, have to have control of the domain(s) under which you obtain certs.

  • VLAN ID from custom Captive Portal

    2
    0 Votes
    2 Posts
    744 Views
    T

    Hi!

    As I understand it, you want a way to see from what access point a client is connected and then assign access rules based on what access point they are connected to? And you only want one captive portal connection for these multiple levels of access?

    Do you always know exactly what access point a user is going to be connected to? What if they walk over to another and get other access privileges? Isn't it better to base privileges depending on what group they belong to? Do these users belong to different groups within the organization or are they public users? Maybe a mix?

    I don't know if I have understood what you are trying to do here and I feel that there is probably a better way than connecting vlan to users and try to set access rules based on that information.

    In most cases you probably can't even get the vlan information from the client itself. Clients usually don't know what vlan they are on, only the switches and APs know about vlans and strip off the information before the frame is sent off to the client.

    What if you configured one vlan per ssid, made a captive portal for each ssid and each group of users having the same privileges could connect to that ssid using its captive portal?

  • Feature request and PATCH: Radius + local authentication

    1
    0 Votes
    1 Posts
    455 Views
    No one has replied
  • CP status export

    3
    0 Votes
    3 Posts
    899 Views
    Gertjan

    This http://www.papy-team.org/munin/brit-hotel-fumel.net/pfsense.brit-hotel-fumel.net/index.html#portalusers has been done by counting the number of records in that database.

    So yes, the only limit is our knowledge about PHP  ;)

  • Captive portal + radius selective accounting

    3
    0 Votes
    3 Posts
    838 Views
    G

    I think that might be good enough for what I need to do. Now that I know how to do it, I see exactly where it's documentation.

  • Multi site voucher sync to main site

    2
    0 Votes
    2 Posts
    563 Views
    S

    I guess my question is which port do I need to be using, and what do I use for an admin password if my web gui is set to use radius for logins?

  • Captive portal RADIUS per user usage tracking

    1
    0 Votes
    1 Posts
    777 Views
    No one has replied
  • Auto Submit of Captive Portal form… help me please

    2
    0 Votes
    2 Posts
    751 Views
    jimp

    You might be able to have javascript auto-submit the form, but browsers may/may not allow that. That is more of a question for a web developer than the firewall.

  • Allowed Hostnames creating a system error "File exists"

    5
    0 Votes
    5 Posts
    1k Views
    G

    Thank you; that's interesting and I appreciate your response.
    I think I'll look at that further once I solve the php error showing in the logs, for example just now: php: /services_captiveportal_hostname_edit.php: The command '/sbin/ipfw -x cpzone /tmp/hostname_rules' returned exit code '71', the output was 'Line 3: setsockopt(IP_FW_TABLE_ADD): File exists'
    when I added a website to the list.

    I will try to submit the ticket.
    Regards,
    David

  • Captive Not work , what's wrong ?!

    2
    0 Votes
    2 Posts
    797 Views
    H

    you need traffic to pass through pfsense in order to get a captive portal ….

    so you need at least 2 interfaces (WAN & LAN).

    You typically run the portal on LAN, and connect the internet on WAN

  • ERROR: CONCURRENT LOGIN - REUSING OLD SESSION and one serious issue

    3
    0 Votes
    3 Posts
    1k Views
    A

    @cmb:

    That log just looks like they got click happy on the submit button of the portal page and submitted it multiple times. No harm in that, but it will show as multiple logins since it is.

    The "No valid RADIUS responses received" is what it says - your RADIUS server didn't respond.

    Thank you

    About No valid RADIUS responses received, my RADIUS responds but this message appears whenever a subscriber login fails (wrong password, wrong username, …); after only one failure, this message appears and they must wait about 20s to log in normally again.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.