Captive autenticates on radius, but wont surf after



  • Hello Everyone.

    I'm building a setup where pfsense will be the gateway of a laboratory with 60~80 machines. We have a centralized auth server using radius for the students, and so when they use the pcs on the labs, they would be prompted for autentication.

    I already have a dhcp server, so I setup pfsense as a dhcp relay, Im wondering if captive portal would work with relay dhcp, since it prompts a message to enable dhcp on the lan interface, but I cannot apply that here.

    Setting up pfsense as gateway on the lab, and pointing up the auth to the radius server I am prompted for the pfsense captive default portal, and I can see that radius communication is working, since I can auth with my user, and it shows on captive portal auth logs, and prompting bogus credentials the portal shows back the invalid credentials page.

    With or without the popup for logoff, after presenting the credentials the browser just stops, with a message with whatever site the user prompted, but no surfing after this…

    I saw on the browser access to the server on port 8002, created a firewall rule to allow this, but still I get stuck on the autentication...

    Im using pfsense 2.3.2p1



  • Hi,

    First, use pfSense + Captive Portal as it came out of the box. Make it work like that.
    This means : pfSEnse is doing the  auth with the local user manager, pfSense is the DHCP server for you portal.

    On the captive portal page settings page, Services->Captive Portal->ZONE->Configuration you saw this :
    Don't forget to enable the DHCP server on the captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the hard timeout entered on this page. Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work. ?

    The question is known : can another DHCP be used ? May be. But then it's up to you to make things work.

    You didn't mention if clients PC's got the correct IP, Gateway, DNS, etc. The DNS better should be the pfSense captive portal IP (is also the Gateway …) because, if not, other special settings need to be set up.

    I never added a firewall rule to 'permit' that clients could visit the 8002 port on the captive portal's Interface.

    You can see if the portal is working by inspecting the ipfw rules. See https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
    Table 1 and 2 hold the IP and MAC for all authorized clients.



  • Oh thanks for the troubleshooting link.

    I had previews rules to block http and https of the proxy, so after auth the user couldn't connect further. Also, I had to change the dns served by the dhcp to be pfsense itself, instead of allowing the lan network to reach the dns server. Thanks!

    Now I'll focus on creating the pages for the users on the captive portal, thanks again