Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captiv portal and vouchers integration with ssid on wlc 9800

    Scheduled Pinned Locked Moved Captive Portal
    69 Posts 3 Posters 6.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GertjanG
      Gertjan @Jozy
      last edited by

      @Jozy

      Cisco ? Dono what that is. It better be an access point.

      What you want is this :

      e4833823-df2b-44bc-a715-f03096cc51d3-image.png

      As I use 3 access points, I used a dumb switch.
      As the connected client device are not my friends, just people that need an Internet access, I use a dedicated LAN interface (OPT) for the captive portal.
      My own stuff is hooked up to the LAN interface, not shown in the image.

      The access points don't need any special setup. Just an SSID, and typically, you remove the WPA password, so the SSID will be an 'open' network.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Jozy
        last edited by

        @Jozy you can run captive portal on the cisco controller, or just let cisco provide the wifi and run the captive portal on pfsense.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • J
          Jozy
          last edited by

          @Gertjan @johnpoz
          So the situation is that when I try to connect to SSID guest it redirects me to Pfsense
          4dee3a7c-2ce1-406f-9199-b86c312287d9-image.png

          the problem is that voucher are enabled and generated and when testing it works (as you can see from the picture )but when trying to reach Captiv Portal, pfSense asks me to type username and password instead of vouchers.
          What could be the problem, on Captive portal side or SSID doesn't send right path or there is some other issue?? :(

          e9edc83c-7aeb-47d2-865c-7caa47d67c56-image.png

          Best regards,
          Jozy

          johnpozJ GertjanG 2 Replies Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @Jozy
            last edited by

            @Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:

            pfSense asks me to type username and password instead of vouchers.

            that isn't captive portal, that is just the gui web page.

            https://docs.netgate.com/pfsense/en/latest/captiveportal/index.html#captive-portal

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            J 1 Reply Last reply Reply Quote 0
            • J
              Jozy @johnpoz
              last edited by

              @johnpoz perhaps I got it wrong.
              What should I get?
              How to get vouchers to autenticate instead of usename/paasword?

              1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan @Jozy
                last edited by

                @Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:

                So the situation is that when I try to connect to SSID guest it redirects me to Pfsense

                Did you saw the login page ?

                The default (build in) login page will ask for a user name and password. if you have activated Voucher it will also show a third entry line, where the voucher must be entered.
                Confusing for your portal victims ? I agree !

                Now, remember that you saw this : check the option "Enable to use a custom captive portal login page" and you' see :

                5322a2f5-f358-4ca0-ae93-9a23786c3c77-image.png

                Extract the captive portal login page with your browser to see what it looks lie.
                Html of course, so no big deal.
                Look also at /etc/inc/captiveportal.inc - search the function get_default_captive_portal_html() to get the default captive portal htm ๐Ÿ˜Š

                There you can see how it's done.
                In your case, make your own identical html file, but remove these two :

                		<input type="text" name="auth_user" placeholder="{$translated_text1}" id="auth_user">
                		<input type="password" name="auth_pass" placeholder="{$translated_text2}" id="auth_pass">
                

                Don't forget to create "error" logout page also. Its nearly the same file as your login page, with one line added (the line that shows the error message).

                After login, where do you login redirect your clients to ?

                198edadd-9356-4e60-a07c-5b8a29906792-image.png

                Remember this one ?

                @Gertjan said in Captiv portal and vouchers integration with ssid on wlc 9800:

                As the connected client device are not my friends, just people that need an Internet access, I use a dedicated LAN interface (OPT) for the captive portal.

                which means : don't run the portal on your LAN.
                You can, just be ready to assume the consequences.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                J 1 Reply Last reply Reply Quote 0
                • J
                  Jozy @Gertjan
                  last edited by

                  @Gertjan Thanks for the effort.

                  That's the problem since as I can see everything is enabled but I still don't get third entry for vouchers, only for username and password not vouchers. hm

                  you can see below fi something is wrong:
                  a4743a87-6ebb-4f9e-9aed-12548f6f755f-image.png
                  31242659-0c08-4d68-8c2a-6b88260c83bf-image.png

                  c8126ad6-665c-4a57-a1bc-febfc7c25592-image.png

                  8e165e87-c688-4d6c-9335-f1847ac24695-image.png
                  Is this ok for the local database?

                  b249f8d7-c03e-4013-b5d6-017298d68fe1-image.png

                  I dont know what is wrong, is there some compability problem. PfSense version is 2.7.2 ?

                  Best regards,
                  Jozy

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @Jozy
                    last edited by

                    @Jozy looks to me you have it set to use custom, but don't actually have custom setup

                    custom.jpg

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    J 1 Reply Last reply Reply Quote 0
                    • J
                      Jozy @johnpoz
                      last edited by

                      @johnpoz hm not sure what do you mean when you say that? ๐Ÿ˜

                      johnpozJ GertjanG 2 Replies Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @Jozy
                        last edited by johnpoz

                        @Jozy your read @Gertjan posted write where you edit the template and add your voucher section..portal.jpg

                        edit: so what exactly is happening? You want to get rid of the username password prompt like @Gertjan was talking about? Because I just fired up captive portal on my guest network.. Connected with iphone, got the captive portal - and used a voucher to login.. It was pretty clicky clicky

                        login.jpg

                        And as I said before - this is not the captive portal, this is just the normal gui login

                        notcaptive.jpg

                        The default out of the box click,clicky captive portal is the image I posted above where I put in my voucher.

                        Your not running into a issue where your gui is listening on the captive portal port? I believe the captive portal is like 800x where x can change, etc. Are you using something like that for your web gui port? Example Just turned on the captive portal again to see what port its on, and its on 8002

                        [24.03-RELEASE][admin@sg4860.home.arpa]/root: netstat -anl 
                        Active Internet connections (including servers)
                        Proto Recv-Q Send-Q Local Address                                 Foreign Address                               (state)    
                        tcp6       0      0 *.8002                                        *.*                                           LISTEN     
                        tcp4       0      0 *.8002                                        *.*                                           LISTEN     
                        

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        J 1 Reply Last reply Reply Quote 0
                        • J
                          Jozy @johnpoz
                          last edited by

                          @johnpoz Please if you can help me what exact lines I have to add in "captiveportal.inc" instead of
                          <input type="text" name="auth_user" placeholder="{$translated_text1}" id="auth_user">
                          <input type="password" name="auth_pass" placeholder="{$translated_text2}" id="auth_pass">

                          ??

                          As well, what is URL for Captive Portal I should use and put to WLC if I want redirection to ?

                          Im using this - https://x.x.x.x/services_captiveportal_zones.php :)

                          I have downloaded and uploaded html from page to Captiv portal content but nothing -
                          https://docs.netgate.com/pfsense/en/latest/captiveportal/configuration.html#captiveportal-portal-page-contents-vouchers

                          Best regards,
                          Jozy

                          johnpozJ 1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @Jozy
                            last edited by johnpoz

                            @Jozy said in Captiv portal and vouchers integration with ssid on wlc 9800:

                            As well, what is URL for Captive Portal I should use and put to WLC if I want redirection to ?

                            If your going to do the captive portal on pfsense, there is nothing to do on the wlc.. Its just the wireless connection - pfsense would handle the captive portal you enable in pfsense on the network your clients are connecting to via wireless.

                            I would suggest you get that working before you look into editing how the captive portal page looks.

                            If all your going to ever use is vouchers, you can edit the page to only show that as an option. But vouchers will work even if it presents the options of username/password.. But get your captive portal working before worry about how the page looks would be my suggestion.

                            You can always pretty up the page once you know its functioning ;) And I think there is even some 3rd party tools you could use to print out vouchers with qr codes on them, etc.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            J 1 Reply Last reply Reply Quote 0
                            • J
                              Jozy @johnpoz
                              last edited by

                              @johnpoz maybe I didn't provide enough info.
                              First im using virtual open source pfSence version 2.7.2.
                              Second, I would like to have SSID guest configured on WLC which is only for guest connected to captive portal and providing vouchers if possible.
                              If I'm not asking to much I would like if we can have short call as I can share you my screen for 10-15 min just to go through this setup since you know it already and can see what is the problem :)

                              Best regards,
                              Jozy

                              johnpozJ 1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @Jozy
                                last edited by johnpoz

                                @Jozy this is really just click click on pfsense. If your trying to do something with captive portal on wlc and forwarding it to pfsense captive portal that is where your problem is.

                                It took me all of like 3 minutes to get captive portal working on my wifi guest network.. I enable the captive portal on it, pretty much all default really and it was done. The longest part of it was having to remember where to download the csv of the vouchers I created so I could see a voucher number.

                                If you want to use the pfsense captive portal - until your ready to create a custom page.. Keep this unchecked

                                captiveportal.jpg

                                I really wouldn't even worry about users or vouchers until when your client connects he sees that login page.. If so then your captive portal is working.. Then you can create users or vouchers..

                                This is really click enable and pick the pfsense interface you want to run the captive portal on, and hit the save button on the bottom of the page.. There isn't much else to it.

                                On your wlc don't setup any sort of captive portal, normal in a captive portal there is no login to the wifi.. But you could use just a psk auth to connect the client to the wifi if you want to make sure your captive portal is working before you move to no auth.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                J 1 Reply Last reply Reply Quote 0
                                • GertjanG
                                  Gertjan @Jozy
                                  last edited by Gertjan

                                  @Jozy

                                  When this is activated - vouchers :

                                  90309c1f-111b-4f49-92a5-c8826e28bde1-image.png

                                  and you use the default portal settings : this - NOT checked :

                                  040397b2-ed37-4b52-b0f2-374373278175-image.png

                                  you see this as your portal login page :

                                  483de973-1bd6-4915-a998-e0594684c255-image.png

                                  If the user has a voucher code, then they should use the third text box marked Voucher code.

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    Jozy @johnpoz
                                    last edited by

                                    @johnpoz @Gertjan I completely agree with you it is just straight forward with only few clicks but whatever I try it doesn't want to open third party for vouchers.
                                    So, when connecting to SSID it redirects me to a731a570-71fc-44f4-8821-b7b9ab68bd6a-image.png

                                    so, you can see here I cant get third party for vouchers.
                                    Maybe the problem is what you have mentioned at the beginning with about:
                                    /etc/inc/captiveportal.inc - search the function get_default_captive_portal_html() to get the default captive portal htm ๐Ÿ˜Š

                                    	<input type="text" name="auth_user" placeholder="{$translated_text1}" id="auth_user">
                                    	<input type="password" name="auth_pass" placeholder="{$translated_text2}" id="auth_pass">
                                    

                                    If yes this is something Im not sure how/what to add what lines are correct?

                                    Best regards,
                                    Jozy

                                    johnpozJ GertjanG 2 Replies Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @Jozy
                                      last edited by johnpoz

                                      @Jozy that is NOT the captive portal

                                      notcaptive.jpg

                                      The only way you would see that is if you have your wlc redirecting.. That page would be available on whatever your normal gui ports are? 80/443?

                                      The captive portal is going to be on some 800x port..

                                      Or your captive portal isn't even running and your just hitting the pfsense IP on whatever ports your normal web gui is listening on.

                                      edit:
                                      Here.. did a quick packet capture of what happens when client hits the captive portal.. See how the redirection sends it to the port the captive portal page is being hosted on.

                                      captiveredirect.jpg

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • GertjanG
                                        Gertjan @Jozy
                                        last edited by

                                        @Jozy
                                        Removing this :

                                        f42c87e8-5aa8-4a27-8dae-2d99fa5972f4-image.png

                                        will remove this :

                                        d1d9b7dc-7b67-4743-810c-59a20127de7c-image.png

                                        But that's not the issue right now.
                                        Let's keep it for later.


                                        The device you use to connect to the captive portal, what IP does it huse ? What network mask ? What DNS does it use ? What is the gateway ?
                                        Same question : what was the DHCP lease you received ?

                                        On the pfSense side : what is the IP of your captive portal ?

                                        Do you remember that I said above, two times already : to start a first captive portal, do not use your pfSense .....

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        J 1 Reply Last reply Reply Quote 0
                                        • J
                                          Jozy @Gertjan
                                          last edited by

                                          @Gertjan Yes, I know if we remove lines form /etc/inc/captiveportal.inc will remove user and password functions.

                                          The device I'm using for this is android, with Ip address x.x103.48/24 and gateway 103.1 given from DHCP server configured on WIN server, actually I get it when try to connect to SSID which redirects me.
                                          I'm using internal DNS x.x.112.10 and gateway x.x.112.1.

                                          ip address of pfsense is x.x.110.155 and that one I'm using for pfsense and as well on WLC side for redirection.

                                          https://x.x.110.155/services_captiveportal_vouchers.php?zone=captivportal?switch_url=https://192.0.2.1/login.html&redirect=<website-name>

                                          you mentioned this" Do you remember that I said above, two times already : to start a first captive portal, do not use your pfSense ....."
                                          Does it mean I have to have different ip address on different subnet configured for Captive Portal, not using ip address of the pfsense
                                          47b4787b-1543-432c-b718-18c3172f8895-image.png

                                          Best regards,
                                          Josip

                                          johnpozJ GertjanG 2 Replies Last reply Reply Quote 0
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator @Jozy
                                            last edited by

                                            @Jozy so your lan is only wifi devices? Or you have mac filtering in place to allow your wired devices to bypass the captive portal.. Putting a captive portal on your lan is an easy way to lock yourself out that is for sure.

                                            So are you using public IP space.. Not sure why you would need to hide rfc1918 space?

                                            ip address of pfsense is x.x.110.155 and that one I'm using for pfsense and as well on WLC side for redirection.

                                            Again!! you should not be using any redirection in wlc!! you sending traffic to some IP on pfsense is just going to call up the webgui!! like your seeing..

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.