Windows 10 Voucher authentication page reappears after entering correct and valid voucher



  • Hi,
    I have a captive portal that is working fine with Android/iOS/Windows 7-8.1. However, on Windows 10 machines, when a user connects to the WiFi SSID they get an IP from the DHCP server on the pfSense box that is also hosting the captive portal.
    However, when they enter the voucher on the authentication page, it reappears again. Tried with Edge/Chrome/IE (in IE, disabled popup blocker/add-ins/added the site to compatibility view). No change. The authentication page appears, and after entering the voucher it reappears again. The voucher code is valid, and looking at the logs in the pfSense captive portal, the messages below are shown.

    Below are logs from the server where I tried two different voucher codes.

    Jun 20 13:04:52 logportalauth 88423 Zone: GUESTSSID - Voucher login good for 720 min.: W3wvP4, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:05:14 logportalauth 88423 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:05:14 logportalauth 88423 Zone: GUESTSSID - Voucher login good for 719 min.: W3wvP4, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:12:19 logportalauth 27981 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:12:19 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 712 min.: W3wvP4, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:12:41 logportalauth 27981 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:12:41 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 712 min.: W3wvP4, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:13:29 logportalauth 27981 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:13:29 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 161042 min.: swh352, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:13:37 logportalauth 27981 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:13:37 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 161042 min.: swh352, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:14:42 logportalauth 27981 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:14:42 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 161041 min.: swh352, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:15:05 logportalauth 27981 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:15:05 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 161041 min.: swh352, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:15:05 php-fpm 27981 /index.php: Submission to captiveportal with unknown parameter zone:
    Jun 20 13:16:13 php-fpm 27981 /index.php: Submission to captiveportal with unknown parameter zone:
    Jun 20 13:16:36 php-fpm 27981 /index.php: Submission to captiveportal with unknown parameter zone:
    Jun 20 13:16:45 logportalauth 27981 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:16:45 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 161039 min.: swh352, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 13:17:19 logportalauth 27981 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 13:17:19 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 161038 min.: swh352, 64:6e:69:a3:57:55, 10.11.202.136
    Jun 20 14:31:08 logportalauth 44736 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
    Jun 20 14:31:08 logportalauth 44736 Zone: GUESTSSID - Voucher login good for 160965 min.: swh352, 64:6e:69:a3:57:55, 10.11.202.136



  • @snailkhan said in Windows 10 Voucher authentication page reappears after entering correct and valid voucher:

    swh352

    I checked in Status > Captive Portal > Select the Zone, and I see that the IP that is assigned is already assigned to another station and it is also assigned to the new machine, as shown in the above logs.

    10.11.202.136 ac:81:12:05:32:80 fuUXT 06/08/2018 09:09:45

    Furthermore, I do not see on the status page any machine with either of the two voucher codes that I tried on that Windows 10 machine, as shown in the above logs.
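As an added example (not part of the original posts, and not pfSense code): a small Python parser for the `logportalauth` lines quoted above that lists IPs logged with more than one MAC and vouchers accepted repeatedly for the same client. The function names are hypothetical, and the line format is assumed from the excerpt in this thread.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the log excerpt in the first post of this thread.
SAMPLE_LOG = """\
Jun 20 13:04:52 logportalauth 88423 Zone: GUESTSSID - Voucher login good for 720 min.: W3wvP4, 64:6e:69:a3:57:55, 10.11.202.136
Jun 20 13:05:14 logportalauth 88423 Zone: GUESTSSID - CONCURRENT LOGIN - REUSING IP 10.11.202.136 WITH DIFFERENT MAC ADDRESS ac:81:12:05:32:80: kMG5H4, ac:81:12:05:32:80, 10.11.202.136
Jun 20 13:05:14 logportalauth 88423 Zone: GUESTSSID - Voucher login good for 719 min.: W3wvP4, 64:6e:69:a3:57:55, 10.11.202.136
Jun 20 13:13:29 logportalauth 27981 Zone: GUESTSSID - Voucher login good for 161042 min.: swh352, 64:6e:69:a3:57:55, 10.11.202.136
Jun 20 13:15:05 php-fpm 27981 /index.php: Submission to captiveportal with unknown parameter zone:
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# The message itself may contain ": " and a MAC, so the trailing
# "user, mac, ip" triple is anchored at the end of the line.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) logportalauth \d+ Zone: (?P<zone>\S+) - "
    r"(?P<msg>.*): (?P<user>\S+), (?P<mac>" + MAC + r"), (?P<ip>[\d.]+)$",
    re.IGNORECASE,
)

def parse(log_text):
    """Return one dict per logportalauth line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]

def ip_conflicts(events):
    """Map each IP logged with more than one MAC to the sorted MAC list."""
    macs = defaultdict(set)
    for e in events:
        macs[e["ip"]].add(e["mac"].lower())
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}

def repeated_logins(events, threshold=2):
    """Count 'login good' events per (user, mac, ip); a count at or above
    threshold means the same client submitted the same voucher again."""
    good = Counter((e["user"], e["mac"].lower(), e["ip"])
                   for e in events if "login good" in e["msg"])
    return {k: n for k, n in good.items() if n >= threshold}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(ip_conflicts(ev))
    print(repeated_logins(ev))
```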



  • I see both the vouchers that I tried on the Windows 10 machine under Status > Active Vouchers but DO NOT see them under Active Users.

    I am struggling with the new interface of the support portal's forum to find the edit button for editing an existing post.


  • Rebel Alliance Developer Netgate

    Do you have a URL configured to forward users to after they login? If not, it may be redisplaying the login page since it wasn't told to do anything else. Try setting a post-login redirect and then see if the behavior is the same.

    Those log messages could possibly be related, but it looks more like maybe you were trying the same voucher code on multiple computers.

    @snailkhan said in Windows 10 Voucher authentication page reappears after entering correct and valid voucher:

    I am struggling with the new interface of the support portal's forum to find the edit button for editing an existing post.

    Replies with new information are better than re-editing the initial post, because edits to the initial post won't show that the thread was updated to others, or trigger a notification to anyone watching the thread. That said, you can edit a post by clicking the three dots at the end of the "Reply / Quote / Upvote" line under the post text.



  • @jimp
    Thanks for your kind reply.
    The "After authentication Redirection URL" field is blank, and as such, after the initial intercept for authentication, users are redirected to their originally requested site in normal circumstances, and we do not want users to be redirected to any other site than requested.

    While I have set a URL and need to test it and update you. Is this a requirement for Windows 10?



  • @snailkhan said in Windows 10 Voucher authentication page reappears after entering correct and valid voucher:

    I have a captive portal that is working fine with Android/iOS/Windows 7-8.1. However, on Windows 10 machines, when a user connects to the WiFi SSID they get an IP from the DHCP server on the pfSense box that is also hosting the captive portal.

    What do you mean? That Windows 10 uses the DHCP server "pfSense" and "Android/iOS/Windows 7-8.1" do not?
    All devices, independent of their OS, use the same DHCP server.

    @snailkhan said in Windows 10 Voucher authentication page reappears after entering correct and valid voucher:

    I checked in Status > Captive Portal > Select the Zone, and I see that the IP that is assigned is already assigned to another station and it is also assigned to the new machine, as shown in the above logs.

    The logs and stats are fine.
    But there is better.
    Read this: https://www.netgate.com/docs/pfsense/captiveportal/captive-portal-troubleshooting.html
    and find this powerful ipfw command:

    You'll see all firewall rules, IPs, and related MACs.
    Keep in mind that these are not the firewall rules you created in the GUI.
    The ipfw rules are what makes the captive portal actually work.

    The fact that you visit http://your-portal-page.tld/index.php&zone=your-zone - and then you POST against this same page again with an extra parameter, the voucher code, will produce .... the same "index.php" page (your captive portal login page) if there is no "fixed" redirect page.
    If not, if you were visiting for example http://www.google.com, after login, you would have been redirected to http://www.google.com after authentication.

    I never had to go to a page, or the actual login page ( https://portal.brit-hotel-fumel.net:8003/index.php?zone=cpzone1 in my case ) to make the captive portal show up. As soon as an Ethernet (wifi or cable) comes up, the OS (any OS these days) launches .... a DHCP request (you knew that already) and a request to something like "http://portal.apple.com" if it is an iOS device. If that page did not reply with a known answer like "Success", the OS knows it is behind a portal. It will launch a navigator with the same URL "http://portal.apple.com" again - and thus you, as a user, will see the captive portal login page.

    Btw: do not ask what happens when you initially visited https://www.google.com before authentication ... you know in advance what will happen and you want it to happen like that ;)



  • @gertjan
    Thanks sir,
    I have only one box running the latest pfSense. The DHCP server is on this box.
    Android, iOS, Windows 7/8/8.1 all get up from it and they get an IP, can access the CP authentication page, and after entering a valid voucher connect to the internet.

    However, on Windows 10 machines they also get an IP, and upon launching a browser and accessing any non-HTTPS site they are redirected to the CP authentication page. So far so good. But the problem is that when they enter a valid voucher and click submit, the same CP page reappears. It's happening in Chrome, IE, Edge.

    That is the exact problem statement.
    I need a general answer: is the CP of pfSense compatible with Win 10?

    The field for redirect to a specific page after authentication is blank in my configuration. And in Windows 7/8/8.1/Android/iOS clients, if they visit, suppose, Bing.com, after authentication they are automatically redirected back to Bing.com, which is what we want and is normal behavior.
    Is this not compatible with Windows 10, and as such we cannot leave that field blank and hence must redirect a user to any other site?



  • Bump



  • bing.com or http://www.bing.com or http://www.bing.com ?
    I would choose one of the last 2.

