[HOWTO] Captive portal + FreeRADIUS + local MySQL user friendly single step

deajan

03 May 2017:

• New version 0.48 has php-mysqli requirements
  29 Nov 2016:
• Added watchdog install
  26 May 2016:
• Added new pkg procedure for 2.3 final and post 2.3 releases

Hello,

I've written a captive portal wrapper that creates the FreeeRADIUS user account and logs in in one step, all with bootstrap responsive code and validation, with configurable language that suits for hotels and public wifi providers.
Here's the full howto:

1 Introduction

pfSense-cp-auth-onestep is a project that aims to provide a captive portal interface for pfSense 2.x (currently tested on 2.2.x and 2.3-beta) that doesn't require the creation of a user account.

In fact, when a user registers, it creates the RADIUS user account and then logs in with that account.

A demo can be found at the following address:http://pfcp.netpower.fr
The latest doc can be found here: http://netpower.fr/pfcp-pfSense-auth-onestep

Initial work based on the excellent work of khan: https://forum.pfsense.org/index.php?topic=57260.0

2 Preparation of pfSense

In order to work, pfSense needs the following packages: FreeRADIUS, Cron.

Also, some upstream packages are required in order to work.

First we need to fetch some upstream packages:

Additional steps for pfSense 2.3

The repository management has changed in pfSense 2.3, and by default the FreeBSD repository is disabled.

You must edit the file /usr/local/etc/pkg/repos/pfSense.conf and set the following value:

FreeBSD: { enabled: yes }

Additional steps after 2.3 final release

You must also edit file /usr/local/etc/pkg/repos/FreeBSD.conf and set the following value:

FreeBSD: { enabled: yes }

ATTENTION: Once the packages are installed with pkg command, please set this value to 'no' again so updates won't interfere with pfSense normal functionality.

Installation of packages:

pkg
pkg update
pkg install nano git

If your pkg doesn't find the packages, you may need to reinit the pkg database with

rm -f /var/db/pkg/*.sqlite

After this, pkg update should reinitialize the pkg database.

2.1 Installation of MySQL

Although MySQL should be installed on a separate machine, it's convenient to have a single pfSense box doing the whole authentication.

Installation of MySQL isn't supported by pfSense, so you'll have to redo the following steps after every update.

2.1.1 pfSense 2.2 steps

MySQL installation

pkg install mysql56-server
pkg install compat8x-amd64

PHP support

touch /etc/php_dynamodules/mysql
/etc/rc.php_ini_setup

The following command should output mysql and mysqlnd.

php -m | grep mysql

2.1.2 pfSense 2.3 steps

MySQL installation

pkg install mysql56-server
pkg install compat9x-amd64
pkg install php56-mysql

Since v0.48 of the captive portal version, mySQL queries are done via prepared statements using mysqli.
If using pfSense-cp-onestep-auth v0.48 or higher, please replace php56-mysql package with php56-mysqli.

PHP support

The following command should output mysql and mysqlnd.

php -m | grep mysql

2.1.3 Common steps

We need to allow the MySQL service to start.

echo 'mysql_enable="YES"' > /etc/rc.conf

Also, pfSense won't start services unless their name finishes by “.sh”

mv /usr/local/etc/rc.d/mysql-server /usr/local/etc/rc.d/mysql-server.sh

2.1.4 MySQL startup fix

For whatever, pfSense won't start MySQL sometimes. If you have a tip, please tell.

In order to fix this, create the following file /usr/local/bin/mysql_relaunch.sh

#!/usr/bin/env sh  

service /mysql-server.sh status > /dev/null
if [ $? != 0 ]; then
        service mysql-server.sh start
fi

Render the file executable

chmod +x /usr/local/bin/mysql_relaunch.sh

Install the cron package and add the following entry:

*/1 * * * * root /usr/local/bin/mysql_relaunch.sh

After this, we may launch the mysql service

service mysql-server.sh start

Also, as FreeRADIUS may start before mysql and fail, install watchdog service and set it up to restart FreeRADIUS.

Secure your installation by running the following command and change your root password

/usr/local/bin/mysql_secure_installation

Optionnaly, you may create the following password file /root/.my.cnf

[client]
password="YourMySQLrootPassword"

2.2 FreeRADIUS setup

2.2.1 FreeRADIUS installation
Install the FreeRADIUS2 package via System > Packages > Available

In Services > FreeRADIUS > Users

Add a user called: testu

Set it's password: testp

in Services > FreeRADIUS > NAS / Clients

Add a NAS user:

IP: 127.0.0.1

Client Shortname: tester

Shared Secret: SuperTest (replace this with a good password)

In Services > FreeRADIUS > Interface

Add the interface the RADIUS server should listen on: 127.0.0.1

You can now check in Status > System Logs that the server is active

Sep 29 14:54:50 radiusd[10330]: Loaded virtual server <default>Sep 29 14:54:50 radiusd[13493]: Ready to process requests.</default>

Connect to pfSense via ssh or console and check if FreeRADIUS authenticates (replace SuperTest with your Shared Secret):

radtest testu testp 127.0.0.1:1812 0 SuperTest

The answer should look like:

Sending Access-Request of id 108 to 127.0.0.1 port 1812
        User-Name = "testu"
        User-Password = "testp"
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=108, length=20

Check authentication in Status > System Logs

Sep 29 15:04:51	radiusd[22223]: Login OK: [testu] (from client pfSense port 0)

#TIP: See https://doc.pfsense.org/index.php/Testing_FreeRADIUS for tuning and troubleshooting

2.2.2 MySQL FreeRADIUS integration

First we need to create the RADIUS database. Launch the “mysql” program. If you didn't create the /root/.my.cnf password file, launch “mysql -p” and execute the following statements:

CREATE DATABASE  `radius`;
exit

We also have to get a copy of the sql files needed for the captive portal.

You can fetch them via wget at http://netpower.fr/sites/default/files/soft/bin/pfSense-cp-auth-onestep.gz or directly via git:

cd /root
git clone https://github.com/deajan/pfSense-cp-auth-onestep
cd /root/pfSense-cp-auth-onestep/sql

We need to integrate every .sql file into the radius database. Please execute the admin.sql file at last because it contains definitions for the other files. Add “-p” to myql if you don't have created the password file.

Before running those commands, modify the admin.sql file in order to replace the default password 'radpass'. (Use vi or nano if installed).

mysql radius < cui.sql
mysql radius < nas.sql
mysql radius < radippool.sql
mysql radius < schema.sql
mysql radius < wimax.sql
mysql radius < reg_users.sql
mysql radius < admin.sql

Activate SQL support in Services > FreeRADIUS > SQL:

Enable SQL Support: Enable

Enable SQL Authorization: Enable

Enable SQL Accounting: Enable

Enable SQL Session: Enable

Enable SQL Post-Auth: Enable

Server IP Address –> 127.0.0.1

Server Port --> 3306

Server Database -> radius

Server User -> radius

Server Password -> radpass (replace with your database password).

MySQL authentication test

Execute the following command (replace SuperTest with your Shared Secret):

radtest testu testp 127.0.0.1:1812 0 SuperTest

The radpostauth table should contain the authentication info:

mysql -p -e "SELECT * FROM radpostauth;" radius

+–--+----------+-------+---------------+---------------------+
| id | username | pass  | reply        | authdate            |
+----+----------+-------+---------------+---------------------+
|  1 | testu    | testp | Access-Accept | 2015-09-29 15:13:24 |
+----+----------+-------+---------------+---------------------+

2.3 Enable captive portal

2.3.1 Setup

Grab a copy of the pfSense-pfcp-auth-onestep files via github or via the following link http://netpower.fr/sites/default/files/soft/bin/pfSense-cp-auth-onestep.gz

Uncompress the file and edit captiveportal-config.php to meet your settings, especially the database password.

Create a new zone in Services > Captive Portal . Example “PUBLICWIFI”

In Services > Captive Portal > File Manager, upload all the files from pfSense-pfcp-auth-onestep beginning with “captiveportal-*”

The following files need to be uploaded:

captiveportal-bootstrap.min.css
captiveportal-bootstrap.min.js
captiveprotal-jquery.validate.js
captiveportal-jquery-1.11.3.min.js
captiveportal-background.jpg
captiveportal-sidelogo.png
captiveportal-check_readio_sheet.png
captiveportal-termsofuse.html
captiveportal-config.php

#TIP: I had trouble with uploading the files in pfSense 2.2.6. After every 3 files, I had to restart WebConfigurator via ssh.

We Can now enable the captive portal on the LAN interface or whatever interface you need.

We also need to activate RADIUS authentication:

IP: 127.0.0.1

Port: 1812

Shared Secret: SuperTest (or your Shared Secret)

Radius Protocol: PAP

Account Check:

Send RADIUS accounting packets: Enable

Port: 1813

Accounting updates: stop/start accounting (FreeRADIUS if available)

RADIUS NAS IP attribue: LAN IP (or whatever interface you selected)

Portal page contesnts: Upload file ozy-captive.php

Redirection URL: Whatever you'd like, example: http://www.google.com

2.3.2 Testing

Once enabled, you can open a browser and enter any domain. You should end on the captive portal page.

You may access directly to the captive portal via http://[pfSenseIP]:8002

#TIP: Your computer should use DHCP and use the pfSense IP as DNS server or the redirection won't work.

If the redirection still doesn't work, check that the DNS Resolver service is running without the forwarding mode.

Also, if your computer already has the domain in DNS cache, you may have to flush dns cache.

On Linux:

service nscd restart

On Windows:

ipconfig /flushdns

At least, close and reopen your browser so it would make a new DNS query.

Fell free to help improve this howto.

Regards,
Ozy.

Ivart

Thanks deajan for the post with detailed information to implement self signed captive portal. My CP was working fine in 2.2 now I can´t install needed packages.
pkg version (pkg -v) is 1.6.2, pkg install mysql56-server creates a loop with these messages

Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
Updating pfSense-core repository catalogue...
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
New version of pkg detected; it needs to be installed first.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed

I´ve tried pkg install pkg-1.7.2 with the same result

deajan

Hello,

This is more a pfSense than a captive portal problem.
Are you still running V2.2 ?

Check the contents of /usr/local/etc/pkg/pfSense.conf and see if FreeBSD is enabled (disable it after installing mysql).

MasterBill

Thanks so much Deajan for this code! I just wanted to give a heads up that I ran into an issue with the firmware 2.3-RELEASE. When data was submitted I was getting a Fatal error: Call to undefined function mysql_connect(). I was pushing this data to a remote Mysql server.

After looking around I found out from a post that php56-mysql needs to be installed manually on 2.3 with```
pkg install php56-mysql

deajan

I think I wrote about this in section 2.1.2.
Anyway, thanks for the feedback.

MasterBill

Ahhh I see your right. I must have missed that some how. Anyway thanks again!

novensiles

Hallo,

I did all fine but get

PHP ERROR: Type: 1, File: /var/etc/captiveportal_oberemuehle.html, Line: 126, Message: Call to undefined function mysql_connect()

after typed in registring datas and send it.

php56-mysql  is Installed

All Packages Updated + Upgraded

jmonline

On a brand new pfsense 2.3-RELEASE (amd64)

I have edited /usr/local/etc/pkg/repos/pfSense.conf and set the following value:

FreeBSD: { enabled: yes }

I have then run :

pkg update

Then:

pkg install nano git

This then results in:

pkg install nano git
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
Updating pfSense-core repository catalogue...
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
        pkg-1.6.2 [pfSense]

2 MiB to be downloaded.

Proceed with this action? [y/N]: y
Fetching pkg-1.6.2.txz: 100%    2 MiB 632.9kB/s    00:04
Checking integrity... done (0 conflicting)
[1/1] Reinstalling pkg-1.6.2...
You may need to manually remove /usr/local/etc/pkg.conf if it is no longer needed.
[1/1] Extracting pkg-1.6.2: 100%
Message from pkg-1.6.2:
If you are upgrading from the old package format, first run:

  # pkg2ng
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
Updating pfSense-core repository catalogue...
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
New version of pkg detected; it needs to be installed first.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
Updating pfSense-core repository catalogue...
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
New version of pkg detected; it needs to be installed first.

This then loops over and over and does not stop.

The same then happens if I run

pkg install mysql56-server

What am I missing please?

nimamhd

This is the bug of pkg and will fix in pkg 1.7.2:

https://github.com/freebsd/pkg/issues/1303

"" pkg infinite loop with multiple repos containing different versions of pkg ""

you can comment out all other repo and install what you want, then restore the configuration to default.

after install, the pkg will update to the last version that may cause the pfsense package system stop working, to resolve this:

run:

"pkg delete -f pkg" and install it again with pfsense repo.

A Former User

Hello Ozy, thank you so much for taking the time to do this. I can not stress how helpful this is!

I know this is a lot to ask but if anyone is considering to make a how to video I would really appreciate this. I am not so fluent in this type of configuration. Thank you!

beewolf

I have set the FreeBSD: { enabled: yes } but when I try to install the mysql56-server I get:

Updating pfSense-core repository catalogue…
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
pkg: No packages available to install matching 'mysql56-server' have been found in the repositories

Almost as if it is not looking in the FreeBSD repo.

I have restarted after enabling FreeBSD and gone back in to check that it is enabled.

Any ideas?  Thanks

deajan

Hi,

I've updated the captive portal code a couple of days ago with some bug fixes and minor improvements.
Sorry for not having answered earlier, been in holidays :)

@novensiles: can you give the output of "php -m" ?
@abebraham: sorry, but I think the text howto is enough. It's also easier to update it than to update a video. Feel free to ask for help here on the forum or github.
@beewolf: Repo files slightly changed between 2.3-RC and 2.3 final. I've updated the doc for this.

beewolf

Many thanks for that - all installed fine with those changes but I am getting the following error on trying to log in:

PHP ERROR: Type 1, File /var/etc/captiveortal_guest_wifi.html, Line 127, Message: Call to undefined functionmysql_connect()

Probably something I have done but am struggling to find what exactly.  Any ideas?  Thanks

deajan

What's your output of php -m ?

beewolf

[2.3.1-RELEASE][root@pfSense.skh]/root/pfsense-cp-auth-onestep/sql: php -m

bcmath
bz2
Core
ctype
curl
date
dom
ereg
filter
gettext
hash
json
ldap
libxml
mbstring
mcrypt
mhash
mysql
mysqlnd
openssl
pcntl
pcre
PDO
pdo_sqlite
pfSense
posix
radius
readline
Reflection
rrd
session
shmop
SimpleXML
sockets
SPL
sqlite3
ssh2
standard
suhosin
sysvmsg
sysvsem
sysvshm
tokenizer
xdebug
xml
xmlreader
xmlwriter
Zend OPcache
zlib
zmq

[Zend Modules]
Xdebug
Zend OPcache

deajan

It seems that the mysql extension is there.
Can you please restart php-fpm ? And if it does not work, restart pfSense ?

beewolf

Yes, thank you that worked - I should have tried that first!!

All seems to be working now in a test environment - just one thing, Freeradius needs to be started manually after a restart.  Is this usual?  Would it be possible to add the service to the MySQL cron job so it definitely starts automatically?

deajan

I'll add a note about rebooting to the guide.

As for the freeradius service, it depends on mysql service.
As there is no loading order, sometimes freeradius loads before mysql and may fail.

In order to get FreeRADIUS working all the time, I've setup the watchdog package to restart failing services.

beewolf

Many thanks - all working now.

novensiles

bcmath
bz2
Core
ctype
curl
date
dom
ereg
filter
gettext
hash
json
ldap
libxml
mbstring
mcrypt
mhash
mysql
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_sqlite
pfSense
posix
radius
readline
Reflection
rrd
session
shmop
SimpleXML
sockets
SPL
sqlite3
ssh2
standard
suhosin
sysvmsg
sysvsem
sysvshm
tokenizer
xdebug
xml
xmlreader
xmlwriter
Zend OPcache
zlib
zmq

[Zend Modules]
Xdebug
Zend OPcache