@undrblack

Without knowing the details :
When you remove the 'virtual' part, that is : running pfSense with 3 real networking interfaces, bare bone, your issue will be gone. I can imagine the vitual interfaces / switch can be set up many ways, some of them could be wrong ?
See also Virtualization ! if you have a Windows 10 (Pro) orMS SErver : use the build in Hyper-V : I've one running iwth Hyper-V, and it works fine. There is a detailed step by step setup guide in the doc.
When a client connects to the Wifi, can you see the DHCP server log 'lease' attribution on the right interface ? What was the IP/mask/gateway/DNS received on the client ? That info should correspond to with the pfSense portal NIC.
pfSEnse doesn't handle the the AP <=> Client radio (wifi) connection.
if the AP is an AP and router, the pfSense portal only sees the IP and MAC of the router, not the IP and MAC of the clients. Ones a first client is logged in, all the others will pass without seeing a login screen.

I'm going to add one more note here in case anyone ever finds this (but mainly for my own future reference). The query filter can check for multiple groups with an OR ("|") operator as long as the string is not wrapped in parentheses, because as mentioned in the OP pfsense is going to add its own parentheses and LDAP syntax doesn't like unnecessary levels of nested parens.

For example, I've modified my configuration to allow an additional user without admin privileges, and the filter now looks like this:

|(memberOf=cn=fw_admins,cn=groups,cn=accounts,dc=mydomain,dc=com)(memberOf=cn=fw_users,cn=groups,cn=accounts,dc=mydomain,dc=com)

This means that any LDAP user who belongs to EITHER the fw_admins group or the fw_users group may now log in. An important note is that both groups need to be defined in pfsense's group settings and have their specific permissions assigned their, such as which web configurator pages they can view.

Boas,
Tenho o mesmo problema, alguém tem alguma dica ?

I would reboot the pfSense and when it completed, then reboot/repowered your CenturyLink modem. You'll then obtain an IP address for WAN.

If you just want a count, you can use the script that is there for RRD:

/usr/local/bin/php-cgi -q /usr/local/bin/captiveportal_gather_stats.php '<zone name>' 'loggedin'

/usr/local/bin/php-cgi -q /usr/local/bin/captiveportal_gather_stats.php '<zone name>' 'concurrent'

@jmurr
Посмотрите тут
Обратите внимание на раздел Extended Query
Возможно , это то что Вам нужно
https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html

Glad you have it working now. ☺

-Rico

@juanmaximoti Como conseguiu liberar?

In case this will help any one else, I've figured this out....

Here is a link on how to find the logs for NPS...

https://social.technet.microsoft.com/Forums/windows/en-US/45aa3000-c32b-483b-8d6e-565b56b163fc/how-to-check-the-nps-logs-in-the-event-viewer?forum=winserverNAP

Basically there are text file logs in c:\Windows\System32\LogFiles\In* , or you can check in Event Viewer under Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy.

In my case, the problem users were set to "Deny Access" under the "Dial In" tab of the user properties in AD Users & Computers. Setting to Allow Access fixed it up.

If you don't see the "Dial In" tab, this may be of help :

https://support.microsoft.com/en-ca/help/975448/the-dial-in-tab-is-not-available-in-the-active-directory-users-and-com

For me, I had to be on the server to get that tab, not accessing Active Directory Users and Computers on another PC.

Hope this will help someone else.

Thanks, Derelict for pointing me in the right direction!