Squid + Captive Portal Auth



  • Hey guys,

    Has anyone been able to successfully get Captive Portal + Squid proxy working correctly? I've seen many threads where people were complaining about Squid proxy being able to bypass their Captive Portal and old patches were made (and removed).

    I'm using Captive Portal to essentially limit bandwidth on a per-user basis. Since I have WPAD set up, I don't want people bypassing the captive portal by connecting directly to the proxy. Is it not possible to make the proxy work only for the people who have authenticated via captive portal or have their MAC address bypass set? I can see that there's a captive portal auth option but can't seem to get that working.

    Or if that somehow isn't possible, maybe we can put authenticated captive portal users on a separate DHCP pool which allows squid proxy? (time depends on their captive portal access / voucher)

    Thanks in advance :3



  • Same doubt here. We found a lot of information about the bug, the patches and recommendations to remove them. The GUI still has the line telling about the bug (if the feature was removed, I don't understand this line telling about something that was a bug and was removed).

    Well, a network with captive portal and squid proxy accepts that clients access the Internet without authenticating themselves on the CP.

    Here we have wpad because many browsers use this as default behavior (auto detect proxy configuration). On networks with CP enabled we have to send the "DIRECT" action on wpad, otherwise clients bypass the authentication. That way clients access everything directly and the CP can filter. We have to enable transparent proxy on that network and not permit squid to listen on the interface of pfSense, otherwise a client with manual configuration can bypass the CP.

    I hope some day this problem can be solved. If I've understood correctly, the creation of some firewall rules is necessary.
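
The WPAD arrangement described in the post above, sketched as a PAC file. This is an added example, not code from the thread or from pfSense; the subnets, the Squid address and the helper names (`proxyFor`, `inNet`, `inAny`, `ipToInt`) are assumptions chosen for illustration.

```javascript
// wpad.dat / proxy.pac sketch (added example; every address here is an assumption).
// CP_NETS: networks where Captive Portal is enabled -> always answer "DIRECT".
var CP_NETS = [["192.168.20.0", "255.255.255.0"]];
// PROXY_NETS: networks without Captive Portal that may use Squid explicitly.
var PROXY_NETS = [["192.168.10.0", "255.255.255.0"]];
var SQUID = "PROXY 192.168.10.1:3128"; // hypothetical Squid listener

// Convert a dotted-quad IPv4 string to an unsigned integer, or null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside net/mask; malformed input never matches.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

function inAny(ip, nets) {
  for (var i = 0; i < nets.length; i++) {
    if (inNet(ip, nets[i][0], nets[i][1])) return true;
  }
  return false;
}

// Decision kept separate from the PAC entry point so it can be checked offline.
function proxyFor(clientIp) {
  if (inAny(clientIp, CP_NETS)) return "DIRECT"; // CP clients are never handed the proxy
  if (inAny(clientIp, PROXY_NETS)) return SQUID;
  return "DIRECT"; // unknown or unparsable address: do not hand out the proxy
}

// PAC entry point; myIpAddress() is supplied by the browser's PAC runtime.
function FindProxyForURL(url, host) {
  return proxyFor(myIpAddress());
}
```

A PAC file only advises the browser, so the other two steps from the post (transparent proxy on the CP network, Squid not listening on that interface) are what stop a manually configured client.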



  • It was not a bug, the patch modified captive portal rules to block access to squid local ports.

    The core team has denied this kind of modification since 2.3.

    I've pushed a manual patch to captive on a forum topic that you can apply using system patches or you can point squid deny page to captive portal.



  • I've pushed a manual patch to captive on a forum topic that you can apply using system patches or you can point squid deny page to captive portal.

    I could not find the patch you mentioned anywhere, I've searched through your last posts…



  • @robertolw:

    I've pushed a manual patch to captive on a forum topic that you can apply using system patches or you can point squid deny page to captive portal.

    I could not find the patch you mentioned anywhere, I've searched through your last posts…

    It's on the redmine "issue" page under comments and on git

    https://redmine.pfsense.org/issues/5594

    https://github.com/pfsense/pfsense-packages/pull/1210



  • @marcelloc
    Does the patch to Captive Portal work today in V 2.4.4-RELEASE-p2 of pfSense?



  • Just to feed my curiosity: I use a captive portal (and some LANs): why should I use squid?
    Reading from http://www.squid-cache.org/Intro/ squid caches http (ftp? wtf is that? I thought it was dead by now).
    For some reason, everything became "S" (SSL/TLS) these days. Caching these (private?) streams is and stays a big no-no (for me).



  • @gertjan For example, for our company it is important to have control over the activity of internal users regarding their access to the web. In recent days I was using squid transparent http and https pass under nat; I'm thinking of coming back to that config. Another reason is to make fewer changes on the final client, setting proxy etc...
    Please give me some recommendations. Thanks.



  • Hello, no matter how thoroughly I have browsed the forums, I cannot find any information on how squid works with authentication via captive portal coupled with LDAP. It is a solution offered by pfSense but I can't get it to work.
    Thanks.

