Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2.5.0 Captive portal logging issue

    Scheduled Pinned Locked Moved Captive Portal
    26 Posts 8 Posters 3.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SEBBAC @kzsk
      last edited by

      @kzsk

      For anyone for whom it might be useful.

      My setup

      pfSense box IP: 192.168.1.1
      Hostname: pfsense
      domain: dom

      Default Captive Code (important code highlighted):

      <form name="login_form" method="post" action="http://pfSense.dom:8002/index.php?zone=test_zone">
      <input name="auth_user" placeholder="User" id="auth_user" type="text">
      <input name="auth_pass" placeholder="Password" id="auth_pass" type="password"> <br><br>
      <input name="auth_voucher" placeholder="Voucher Code" value="" type="text">
      <input name="redirurl" value="http://www.gazeta.pl/0,0.html" type="hidden">
      <input name="accept" class="login login-submit" value="Login" id="login" type="submit">
      </form>

      This does not work - It always returns "invalid credentials" and there is no sign in logs for any authentication try.

      However if the code is modified in a way that pfSense.dom is replaced by IP ie:

      <form name="login_form" method="post" action="http://192.168.1.1:8002/index.php?zone=test_zone"> <input name="auth_user" placeholder="User" id="auth_user" type="text">

      Captive login works correctly.

      pfSense.dom is correctly recognized as 192.168.1.1 IP address (alias setup in DNS Resolver on the pfsense box)

      47073fb2-1302-42ab-8375-c30d90dc2a72-image.png

      Any ideas?

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @free4
        last edited by

        There are ways to test "who waits for who and when".

        The most easy one, and probably complicated on a hand-hold device: test name resolution or DNS. If DNS is flaky, the portal access goes down with it.
        Everything goes down with a bad DNS.
        And some devices are picky and stupid, like the owners, they plant a 8.8.8.8 everywhere. Which is in many way so wrong .....

        Make the Resolver verbose - goto the Advanced settings page and make the log level 3 - and :

        tail -f /var/log/resolver.log
        

        Now you see real time DNS action.

        The captive portal's web login page is only showed when the portal's web server that serves this page was asked for it :

        tail -f /var/log/nginx.log | grep '192.168.2'
        

        where '192.168.2' is your captive portals upper 3 network nibbles / digits.
        As soon as you see a line like

        Apr  8 20:50:23 pfsense nginx: 192.168.2.16 - - [08/Apr/2021:20:50:23 +0200] "GET /hotspot-detect.html HTTP/1.0" 302 0 "-" "CaptiveNetworkSupport-407.40.1 wispr"
        

        you know the device throws out a 'http' request over port 80 to detect if it's behind a portal.
        The portal(s firewall ipfw redirects this page request to the portal's webserver
        This line follows :

        Apr  8 20:50:23 pfsense nginx: 192.168.2.16 - - [08/Apr/2021:20:50:23 +0200] "GET /index.php?zone=cpzone1&redirurl=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html HTTP/1.0" 200 1640 "-" "CaptiveNetworkSupport-407.40.1 wispr"
        

        Here you can see that the request was redirected to "index.php" of the captive portal's web serer which produces the login page.
        The initial "http://captive.apple.com/hotspot-detect.html" request is stored in the "redirurl" parameter, which will get used when authentication succeeds.
        Which is rather stupid of course. Who wants to land on " http://captive.apple.com/hotspot-detect.html " after successful login ? (click and see for yourself).
        Answer : No one.

        IF "redirurl" is defined (it always is), this one :

        3fc41e2b-151e-4051-8b2e-d82df002952d-image.png

        has no effect ! the presence of an URL in "redirurl" is prioritized.
        IMHO, a 'bug' non related to the subject of this thread.

        @free4 : you know where to look, please tell me that I'm wrong.

        Back to the subject : the test :
        You can see in real time when your device is asking for a (login) page.
        And when the captive portal's web server is sending the result, which should produce a page on your device's web browser.

        All the rest is your device doing other things.

        My experience : 2.5.0 isn't any different as 2.4.5 in captive portal 'auth' handling.

        Side note : I know that Apple device (can) use others way of detecting a captive portal.
        The method pfSense is using is the old fashioned way : a firewall intercepts port 80 TCP traffic and redirects to a local web server. That 'works'. As long as port 80 http requests are 'permitted' - and these will be abandoned soon : port 80 is condemn to die. Long live port 443 traffic, which use only TLS ..... and then redirection, MITM, all if that is impossible.
        This is actually not a big issue, as captive portal is now defined in the RFCs.
        It's dead easy and should work flawlessly : a DHCP option is present in the DHCP_OFFER protocol. It hands over the URL (to a json file ?) that the device should use (visit/get) to have the instructions to show the login page. Fast, easy and clean.
        If this stupid world wide pandemic wasn't eating all my time I would have played with it by now.

        Btw :

        This is a part of the logs of some stupid Windows ( ?) device that does 'something' that doesn't look like it want to look for the presence of a captive portal :

        Apr  8 20:31:51 pfsense nginx: 192.168.2.13 - - [08/Apr/2021:20:31:51 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.0" 302 0 "-" "-"
        Apr  8 20:31:54 pfsense nginx: 192.168.2.13 - - [08/Apr/2021:20:31:54 +0200] "GET /connecttest.txt HTTP/1.1" 302 5 "-" "Microsoft NCSI"
        Apr  8 20:31:55 pfsense nginx: 192.168.2.13 - - [08/Apr/2021:20:31:55 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.0" 302 0 "-" "-"
        Apr  8 20:31:55 pfsense nginx: 192.168.2.13 - - [08/Apr/2021:20:31:55 +0200] "GET /connecttest.txt HTTP/1.1" 302 5 "-" "Microsoft NCSI"
        Apr  8 20:31:56 pfsense nginx: 192.168.2.13 - - [08/Apr/2021:20:31:56 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.0" 302 0 "-" "-"
        Apr  8 20:31:59 pfsense nginx: 192.168.2.13 - - [08/Apr/2021:20:31:59 +0200] "\x17$\x10\x04\x00)\x9DE\x0B" 400 150 "-" "-"
        Apr  8 20:32:00 pfsense nginx: 192.168.2.13 - - [08/Apr/2021:20:32:00 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.0" 302 0 "-" "-"
        

        It throws out a "http portal portal request", the "GET /connecttest.txt" but doesn't accept the logical following redirect from the captive portal's web server.
        It hammers on with :
        " POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest "

        The captive portal's web server says something like "f*ck you - try again".
        And round we go.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • K
          kzsk
          last edited by kzsk

          Replacing $PORTAL_ACTION$ with a string with an ip address didn't help. In the logs of radius. log when trying to log in with a username/password, these are the entries

          Fri Apr  9 08:40:26 2021 : Auth: (100984) Login incorrect (Failed retrieving values required to evaluate condition): [00-1c-25-36-8d-6b/raduissecret] (from client captiveportal port 2232 cli xx-xx-xx-xx-xx-xx) xx-xx-xx-xx-xx-xx
          

          radiussecret - RADIUS MAC Secret
          xx-xx-xx-xx-xx-xx - MAC of device

          For some reason, instead of a login-password pair, the captive portal passes to radius a mac-Radius MAC Secret pair

          S 1 Reply Last reply Reply Quote 0
          • S
            SEBBAC @kzsk
            last edited by

            @kzsk

            As a test - try creating Radius user with MAC addresses ( - separated) and see if that works.... It should.

            K 1 Reply Last reply Reply Quote 0
            • K
              kzsk @SEBBAC
              last edited by

              @sebbac it didn't work

              S 1 Reply Last reply Reply Quote 0
              • S
                seekerman @kzsk
                last edited by

                @kzsk i've same issue like you , the radius server send failed login error "Failed retrieving values required to evaluate condition): [xx-xx-xx-xx-xx-xx/<via Auth-Type = mschap>" , all configuration is correct but pfsense cannot retrive password from free radius.
                please guide.

                viktor_gV 1 Reply Last reply Reply Quote 0
                • viktor_gV
                  viktor_g Netgate @seekerman
                  last edited by

                  @seekerman Unable to reproduce, working fine for me:

                  May 15 09:27:53 pf41 logportalauth[346]: Zone: cpzone1 - ACCEPT: raduser1, de:5b:10:c5:bf:72, 192.168.88.7
                  

                  Are you using "RADIUS MAC Authentication"?
                  How I can reproduce it step-by-step?

                  S 1 Reply Last reply Reply Quote 0
                  • S
                    seekerman @viktor_g
                    last edited by

                    @viktor_g said in 2.5.0 Captive portal logging issue:

                    Authentication

                    hi @viktor_g
                    tnx for reply
                    yeh i've use radius mac authentication base on documentation but i got this error in radius log.
                    please guide me for correct configuration
                    i've use capitve portal and radius server on pfsense and make a user in free radius with mac address of my client as username and secret in captive portal as password . but the radius server show me an error "RADIUS MAC Authentication Failed."
                    tnx

                    viktor_gV 1 Reply Last reply Reply Quote 0
                    • viktor_gV
                      viktor_g Netgate @seekerman
                      last edited by

                      @seekerman said in 2.5.0 Captive portal logging issue:

                      @viktor_g said in 2.5.0 Captive portal logging issue:

                      Authentication

                      hi @viktor_g
                      tnx for reply
                      yeh i've use radius mac authentication base on documentation but i got this error in radius log.
                      please guide me for correct configuration
                      i've use capitve portal and radius server on pfsense and make a user in free radius with mac address of my client as username and secret in captive portal as password . but the radius server show me an error "RADIUS MAC Authentication Failed."
                      tnx

                      You need to enable Plain MAC Auth on the FreeRADIUS settings page and fill in CP RADIUS MAC Secret with any value.
                      Or create a RADIUS user with MAC username and password.

                      (0) Login OK: [de:5b:10:c5:bf:72/pass123] (from client local port 2002 cli de-5b-10-c5-bf-72) 
                      (0) Sent Access-Accept Id 185 from 127.0.0.1:1812 to 127.0.0.1:24100 length 0
                      (0) Finished request
                      Waking up in 4.9 seconds.
                      
                      S 1 Reply Last reply Reply Quote 0
                      • S
                        seekerman @viktor_g
                        last edited by

                        @viktor_g said in 2.5.0 Captive portal logging issue:

                        (0) Login OK: [de:5b:10:c5:bf:72/pass123] (from client local port 2002 cli de-5b-10-c5-bf-72)

                        hi i'm already get right response from the free radius by command prompt just like you but in captive portal anything is wrong
                        please guide me.

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          seekerman @seekerman
                          last edited by

                          @seekerman user managment.JPG nas.JPG setting radius.JPG free radius.JPG user.JPG cp.JPG error.JPG errorrr.JPG

                          viktor_gV W 2 Replies Last reply Reply Quote 0
                          • viktor_gV
                            viktor_g Netgate @seekerman
                            last edited by

                            @seekerman Default Captive Portal MAC address syntax is "00:11:22:33:44:55", not "00-11-22-33-44-55"

                            also try to add MAC address on the FreeRADIUS / MACs page

                            1 Reply Last reply Reply Quote 0
                            • W
                              wissesolutions @seekerman
                              last edited by

                              @seekerman found somewere in the forum that this is a bug on version 2.5 fixed in development version.. ill try and let you guys know

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.