If you disconnect the user via the CP Status (or Widget), your pfSense will handle it for you.
The Radius will get a disconnect and it will store it on your SQL Backend.

Just delete the accounting Table has no effect (works as designed). The DB can't send a Access Stop to the radius, it has to be the other way around :)

@tsudenoconsigliere:

i was using the Max-Daily-Session on my CP with FreeRadius2 and MySQL and made an a username and password on table radcheck
with a Max-Daily-Session of 2hours per day of 7200 seconds per day, i was wondering if i could display the remaining time left on the logout page?

Hi,

two options:

Native PHP with the Info of pfSense (Search the Forum, but you need to patch pfSense to get this info for non voucher users)

Use PHP and Query your Database. You will need to use the radacct Table and do some math ;-)

Have fun.

@MacandraNet:

So my question is, what is the simplest way to receive messages if somebody fills the form in the captive portal?

Why not using PHPMailer? https://github.com/PHPMailer/PHPMailer/
Works fine for me…
I use an Smarthost (with authentication) to sent my mails if special events happens.

Works fine, even if you use Google as Relay.

P.S.: You will find great howto's for PHPMailer ;-)

Thanks for both replies, that was what I was looking for (I know, next time look harder - lol).

Thank you very much for your suggestions. I'm going to take a close look onto your ideas.

But first I have to give you my recent observation: As you can see in my logs, I logged every time onto the Pfsense-Server. I logged by klicking on the CP-Login-Page 192.168.123.1:8000 (using a SSH-tunnel to the Server). It resulted in a login in the auth.log. As you see, I was thrown out within 60 Sec. This was also mentioned in the log. Today I used the local computers.
Result:

Oct 28 08:00:02 pfsense logportalauth[723]: LOGIN: gd, 02:0f:b5:c8:2f:1f, 192.168.123.106 Oct 28 08:32:01 pfsense logportalauth[55266]: TIMEOUT: gd, 02:0f:b5:c8:2f:1f, 192.168.123.106 Oct 28 08:54:31 pfsense logportalauth[723]: Voucher login good for 269240 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 10:08:49 pfsense logportalauth[68280]: xyxyxy invalid: TYPO illegal character (U) found in 4U2RG8 !! Oct 28 10:08:49 pfsense logportalauth[68280]: FAILURE: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 10:09:18 pfsense logportalauth[68280]: Voucher login good for 269165 min.: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 10:20:36 pfsense logportalauth[7555]: Reconfiguring captive portal(Seminar). Oct 28 10:21:37 pfsense logportalauth[91985]: TIMEOUT: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 10:54:43 pfsense logportalauth[81922]: TIMEOUT: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 11:19:44 pfsense logportalauth[23891]: Voucher login good for 269094 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 11:19:59 pfsense logportalauth[23891]: CONCURRENT LOGIN - REUSING OLD SESSION: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 11:19:59 pfsense logportalauth[23891]: Voucher login good for 269094 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 12:04:56 pfsense logportalauth[80944]: TIMEOUT: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 12:37:36 pfsense logportalauth[97699]: Voucher login good for 269017 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 13:23:11 pfsense logportalauth[43792]: TIMEOUT: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 13:28:47 pfsense logportalauth[43520]: Reconfiguring captive portal(Seminar). Oct 28 14:12:04 pfsense logportalauth[43039]: Voucher login good for 268922 min.: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 14:13:46 pfsense logportalauth[43039]: Voucher login good for 268920 min.: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 15:05:51 pfsense logportalauth[43039]: DISCONNECT: xyxyxy, 84:a6:c8:38:26:ba, 192.168.123.147 Oct 28 15:34:11 pfsense logportalauth[27574]: TIMEOUT: xyxyxy, 5c:8d:4e:3b:c3:9d, 192.168.123.173 Oct 28 15:34:44 pfsense logportalauth[43301]: LOGIN: gd, f0:de:f1:be:6f:f1, 192.168.123.108 Oct 28 16:24:20 pfsense logportalauth[44795]: TIMEOUT: gd, f0:de:f1:be:6f:f1, 192.168.123.108

Unbelievable, isn't it? It seems to work! Everywhere - except on the Pf-machine! Well, I searched the responsible inc-File to learn, why it is so. But this is goint to take longer. In the moment I'm just happy, that it works (and possibly worked before).

Michael

I want a voucher to be used by only one user and no one else.
Is it Possible?

Rogério
Campinas, São Paulo, Brazil.

on my part.

I'm using a 6 to 7 length in voucher

using my mac terminal

1. openssl genrsa 31 > key.private
2. openssl rsa -pubout < key.private >key.public
3. cat key.private
3.1 copy the keys
4. cat key.public
4.1 copy the keys

hope it helps,

He is probably using my software using his NAS as webspace and had difficulties finding the user frontend to request a code via SMS (which was my fault, I forgot to include it in the latest revision). I just realized that I answered his (quite more specific) question on administrator.de (or the same question from a user with the same username  ;) ).

hi again Derelict, thank you for the reply.. i already tried reverting the landing page to the default page.. however, it still producing the same error.. i already tried adding the privileges for the user, which is enable the captive portal login,but it still doesnt work..

The service status there is only for the web server process that serves the portal page. So the question is what's happening to the lighttpd instance that runs CP. There should be something about lighttpd in one of the logs (probably system) somewhere. It wouldn't be a captive portal related log.

thank you very much, i still need to modified my html page.. haha, and thanks for the link, i will check it out later ;)

Hi,

I'm using the same version: 2.1.5-RELEASE (i386)

Right now, I count 7 iDevices on my portal network. I asked, a,nd found 6 IOS 8 devices. Btw: using one myself right now.

The only difference with my setup and yours: I do not use radius neither "squid3 as a transparent proxy and squidguard to filter urls". Be carefull with "extensions" they can make things better, or break it altogether.

@simply:

What table are the user accounts supposed to be stored in ?
My greatest desire to store all user info on the DB.
Thanks for the reply.

DB? Table?
Yes, LDAP can use databases. It's up to you to configure a database backend for your LDAP Server!

I use the OpenLDAP build in database, no fancy backends.
Here are some relevant LDIF Files:

dn: ou=users,dc=bewoelkt,dc=lan ou: users objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=groups,dc=bewoelkt,dc=lan ou: groups objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: uid=jho,ou=users,dc=bewoelkt,dc=lan objectClass: top objectClass: radiusprofile objectClass: inetOrgPerson cn: jho sn: jho uid: jho description: Radius User Joerg Hochwald userPassword: PWhere radiusReplyItem: WISPr-Redirection-URL+='http://www.bewoelkt.net' radiusReplyItem: WISPr-Bandwidth-Max-Down+=1024 radiusReplyItem: WISPr-Bandwidth-Max-Up+=1024 radiusReplyItem: WISPr-Location-Name+="FFM01" radiusReplyItem: WISPr-Location-ID+="01" radiusReplyItem: WISPr-Max-Daily-Session+=3600 radiusReplyItem: Simultaneous-Use+="0" radiusReplyItem: Max-Daily-Session+='3600' radiusReplyItem: MHS-INT-Site+="Default" radiusReplyItem: myHotspot-Group+="Guest" radiusSessionTimeout: 7200

Just include the Radius Schema in /etc/ldap/slapd.conf:

# Radius include include /etc/ldap/schema/radius.schema

Now create a file (schema.conf below) with the following content:

include /etc/ldap/schema/radius.schema

And import the Schema to your LDAP Server:

slaptest -f schema.conf -F testdir/ ldapadd -Y EXTERNAL -H ldapi:/// -f testdir/cn\=config/cn\=schema/cn\=\{0\}radius.ldif

The Schema above works fine with pfSense. Just did some tests with 50k Users (imported via LDIF).
There is only one problem: The RADIUS didn't return all radiusReplyItem configured in the example above. But I didn't find the time to dig into that issue. All relevant infos are parsed :)

For mySQL: You will find a lot of good howtos via Google (Remember, this is your friend) ;-)

Not in the portal itself but probably in the firewall advanced rules for the rule that passes outbound sessions.

In advanced options you have things like:

Maximum state entries this rule can create
Maximum number of unique source hosts
Maximum number of established connections per host (TCP only)
Maximum state entries per host

No comment on whether this will enhance or degrade the user experience.

/var/etc

No.  The CP is a man in the middle.  HTTPS is designed to prevent the same.

I don;t have time to look at captiveportal.inc today.  Try it without vouchers.