Squid + Captive Portal Auth

  • Posted by: pfsensation
    « on: February 26, 2017, 12:32:39 pm »

    Hey guys,

    Has anyone been able to successfully get Captive Portal + Squid proxy working correctly? I've seen many threads where people were complaining about Squid proxy being able to bypass their Captive Portal and old patches were made (and removed).

    I'm using Captive Portal to essentially limit bandwidth on a per-user basis. Since I have WPAD set up, I don't want people bypassing the captive portal by connecting directly to the proxy. Is it not possible to make the proxy work only for the people who have authenticated via captive portal or have their MAC address bypass set? I can see that there's a captive portal auth option but can't seem to get that working.

    Or if that somehow isn't possible, maybe we can put authenticated captive portal users on a separate DHCP pool which allows squid proxy? (time depends on their captive portal access / voucher)

    Thanks in advance :3

  • Same doubt here. We found a lot of information about the bug, the patches and recommendations to remove them. The GUI still has the line telling about the bug (if the feature was removed, I don't understand this line telling about something that was a bug and was removed).

    Well, a network with captive portal and Squid proxy allows clients to access the Internet without authenticating themselves on the CP.

    Here we have WPAD because many browsers use this as default behavior (auto-detect proxy configuration). On networks with CP enabled we have to send the "DIRECT" action in WPAD, otherwise clients bypass the authentication. That way clients access everything directly and the CP can filter. We have to enable transparent proxy on that network and not permit Squid to listen on the interface of pfSense, otherwise a client with manual configuration can bypass the CP.

    I hope some day this problem can be solved. If I've understood, it is necessary to create some firewall rules.
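
The WPAD arrangement described in the post above, sketched as a proxy auto-config file. This is an added example, not code from the thread, and the subnets and proxy address in it are assumed values. The PAC answer is only advisory to the browser, so the post's other point (not letting Squid listen on the captive-portal interface) is what keeps a manually configured client off the proxy.

```javascript
// wpad.dat / proxy.pac logic for a network that also runs a captive portal (CP).
// Assumed values, not from the thread: the subnets and the proxy address below.
var CP_NETS = [["192.168.10.0", "255.255.255.0"]]; // CP-enabled LAN (assumed)
var PROXY = "PROXY 192.168.20.1:3128";             // Squid on a non-CP interface (assumed)

// Parse dotted-quad IPv4 into an unsigned integer; null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Same semantics as the PAC helper isInNet(), but without DNS lookups.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Clients on a CP network are told DIRECT, so their traffic crosses the
// firewall (and the transparent proxy) where the portal can intercept it.
function chooseProxy(clientIp) {
  // Unparsable address (e.g. IPv6): fall back to DIRECT so the portal still applies.
  if (ipToInt(clientIp) === null) return "DIRECT";
  for (var i = 0; i < CP_NETS.length; i++) {
    if (inNet(clientIp, CP_NETS[i][0], CP_NETS[i][1])) return "DIRECT";
  }
  return PROXY;
}

// Entry point called by the browser; myIpAddress() is supplied by the PAC runtime.
// On multi-homed hosts it may report the wrong interface, another reason the
// listener restriction on the firewall has to do the actual enforcement.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress());
}
```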

  • Why have you decided to clone my post, and basically ask the same thing?

    Just post in my original thread, without spamming this board. I haven't found a solution to this until now. :(

    However, one possible solution could be to block WPAD etc. until a client has authenticated. So some kind of NAT to redirect even clients that are set up with the proxy to the Captive Portal until they've been authenticated.

  • I think I've tried the original post but the forum system refused the post.

    This thread can be deleted.


  • Anybody found a solution to this? I am trying to get SQUID to work with CP authentication but can't! Help will be appreciated.

