Captive Portal Load in Windows



  • When I connect a notebook with Windows to the Captive Portal, I guess that it takes too long to load, or sometimes it does not load the login screen. Has somebody had this problem?

    On Android it loads normally.



  • android/ios has captive portal detection built-in
    windows has some support built-in starting 8.1 ish i think.
    the portal detection forces a plain http request that gets intercepted & redirected, this goes quickly

    without builtin detection, the browser will load its homepage (https://google.com or whatever)
    problem with long loading is due to the world's fetish with https for every stupid thing. Captive portal can not intercept https, so it takes a while to time-out before it can get redirected.



  • @heper said in Captive Portal Load in Windows:

    captive portal detection built-in

    Do you have any suggestions for resolving this?



  • Update to a newer Windows or set the browser's homepage to a plain http address



  • @heper said in Captive Portal Load in Windows:

    windows has some support built-in starting 8.1 ish i think.

    As Windows 7 : Still using it and even IE will show a taskbar pop-up, that brings the user to an IE screen that will load the portal login page.
    Windows 10 : actually, never tested that one myself, but I'm pretty sure Microsoft didn't stop captive portal support.

    To make any browser on any OS work : give it a default home page like http://www.google.com and you'll be fine.

    @marciourakawa said in Captive Portal Load in Windows:

    Do you have any suggestions for resolving this?

    You cannot change the OS behaviour, Microsoft isn't open source ^^
    Keep in mind that a Captive Portal is not a pfSense invention. It needs OS support also.
    Of course, pfSense has to be set up correctly, DNS should work all the time.
    I tend to say that if you enable https portal authentication (with, for example, a certificate obtained with the acme package) things work better.


  • LAYER 8 Global Moderator

    http://www.google.com not really work since it forces https does it not?



  • @johnpoz said in Captive Portal Load in Windows:

    http://www.google.com not really work since it forces https does it not?

    You agree with me that a https://anywhere.tld won't work because it can't be intercepted and redirected to the http or https captive portal login page : our browser will yell out loud.

    I also set :

    The result of checking "HTTPS Forwards" is that the next line in the ipfw firewall rule list will NOT be present any more :

    02117 fwd 127.0.0.1,8003 tcp from any to any dst-port 443 in
    

    Only this one will stay - and does all the work :

    02118 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
    

    Translation : all connections with destination "port 80" will get redirected to localhost, port 8002.
    Port 8002 - in my case - is the http captive portal server, an instance serving http requests.

    Now check out this part in /usr/local/captiveportal/index.php :

    /* the client thinks it's connected to the desired web server, but instead
       it's connected to us. Issue a redirect... */
    $protocol = (isset($cpcfg['httpslogin'])) ? 'https://' : 'http://';
    header("Location: {$protocol}{$ourhostname}/index.php?zone={$cpzone}&redirurl=" . urlencode("http://{$orig_host}/{$orig_request}"));

    ob_flush();
    return;
    

    This enforces that all connections to our captive portal web server, nginx, (at port 8002, or http server) will get redirected to our secure https web server instance, running on http+1 or port 8003, so that authentication against our captive portal will be secured over https.

    Of course, the access to captive portal login page will only be triggered when our client issues a classic http access over port 80. The http://www.what-ever.here.tld or http://www.google.com.

    This part :

    only enforces that the captive portal authentication is done over https - nothing else.
    It does not enable a way so that an initial https://www.google.com request triggers the captive portal login page.
    The last "HTTPS Forward" check enforces that our captive portal doesn't activate some MITM situation.

    Still, I suspect the pfSense captive portal works better if using https authentication. I admit, there is neither science nor explanation in this sentence ;)

    Thus,

    @johnpoz said in Captive Portal Load in Windows:

    http://www.google.com not really work since it forces https does it not?

    "http://www.google.com" or any other http request is the only thing that makes the captive portal work ☺
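
Added example (not part of the thread and not pfSense code): a loopback stand-in for the port-8002 listener that answers a plain-HTTP request with the same kind of redirect as the `index.php` excerpt above, together with the non-following probe that built-in captive portal detection relies on. The hostname `portal.example.test`, the zone `guest`, the probe URL and all function names are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlsplit

# Assumed values for illustration (not taken from the thread).
PORTAL_HOST, ZONE = "portal.example.test", "guest"
HTTPS_LOGIN = True  # stands in for isset($cpcfg['httpslogin'])


class PortalHandler(BaseHTTPRequestHandler):
    """Plays the port-8002 listener that the 'fwd' rule hands port-80 traffic to."""

    def do_GET(self):
        # The client believes it reached the site named in its Host header.
        orig = f"http://{self.headers.get('Host', '')}{self.path}"
        scheme = "https://" if HTTPS_LOGIN else "http://"
        self.send_response(302)
        self.send_header("Location", f"{scheme}{PORTAL_HOST}/index.php?zone={ZONE}"
                                     f"&redirurl={quote(orig, safe='')}")
        self.send_header("Content-Length", "0")
        self.end_headers()


def probe(addr, port, host="probe.example.test", path="/check.txt"):
    """Send one plain-HTTP probe, do not follow redirects, classify the answer."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    if status in (301, 302, 303, 307, 308) and location:
        parts = urlsplit(location)
        query = parse_qs(parts.query)
        return {"state": "captive", "login_scheme": parts.scheme,
                "login_host": parts.netloc, "redirurl": query["redirurl"][0]}
    return {"state": "open" if status == 200 else "unknown"}


def run_demo():
    """Start the stand-in portal on loopback, probe it once, return the verdict."""
    server = HTTPServer(("127.0.0.1", 0), PortalHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Calling `run_demo()` returns the probe's verdict; an `https://` first request never reaches this code path, which is why only the port-80 request triggers the login page.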



  • I am in agreement with the proposed solution, but in my scenario I can't install certificates on client machines. I think I'll have to move on to another form of network access like retrying client macs.



  • @marciourakawa said in Captive Portal Load in Windows:

    I can't install certificates on client machines

    https login against the captive portal doesn't need any changes on the client devices.
    I use https authentication on my captive portal, for a hotel : this means I do not and can not "control" the devices that clients bring along. Clients do not need to modify their device to connect on our portal.
    The acme package obtains a certificate for me every 60 days or so, me doing nothing at all : all works automatically.



  • @gertjan

    Sorry, but these are new ways for me.

    Could you share how the setup was done or some link?



  • The setup of my captive portal ?

    I have it from "the book" ☺ And always have a look at these thousands of YouTube movies. These movies always show old versions, and none is 100 % correct, so watch them all just to see what they do, and what they don't do.
    A captive portal depends heavily on a working DNS, so I advise you to use the Resolver - and do not enter any other DNS info before you totally understand what DNS really is. Same thing for the DHCP : use the DHCP built into pfSense - others are possible .... later on.

    I used for many years the "Local user manager" for the authorized list of users.

    Later, I added the acme package, and obtained a wild card cert from Let's Encrypt - which means that you need an existing domain name (a couple of $ or € a year). Do not underestimate the usage of this package. It uses state of the art technology, a certificate. Everybody uses them, nobody knows actually how to implement them, and what it takes to get one - even if they are free. Good news : a captive portal doesn't need a certificate to work, it's optional.

    And of course, because I use my portal to hand over access to complete strangers, I dedicated an OPT1 interface for that, adding a switch behind it, and a boatload of APs (My opinion : Captive Portal should never be activated on LAN, that's like driving that Formula 1 on a public road : no fun, only troubles).
    Using a dedicated interface also makes firewall rules on this interface easier.

    Making the physical network : took me days.
    Setting it up in pfSense : 10 minutes or so ?

    Later on, because it worked so well and I was annoying myself, I added the FreeRadius package and a MySQL server somewhere on my LAN, so authentication is handled by FreeRadius now. It still works great although it is more complex, thus more fun.

    Btw : I'm not selling Internet access : the contract is very simple : if it works for you (my clients) then that's ok - if not, not a problem for me. The pfSense captive portal has worked for about ten years now for me.
    It's rock solid.



  • @gertjan I'll try these days and post the result.

    I have a scenario similar to yours, a lot of people circulate here and users authenticate through the Captive Portal that uses RADIUS to authenticate to AD.

    But some devices and notebooks (Win 7) hardly open the Captive Portal page.

    In your hotel, windows 7 notebook normally open?



  • @marciourakawa said in Captive Portal Load in Windows:

    In your hotel, windows 7 notebook normally open?

    "Windows 7", any version like Home, Pro, whatever : no problem.
    Wired or Wifi.

    I build the connection, like sliding in the RJ45 or selecting the Wifi network.
    I wait 10 to 20 seconds.
    A system notification, at the bottom right corner, tells me that a "User action is needed" (something like that). I click on the link in the text.
    A browser opens - typically IE.
    Which brings me to the captive portal login page.

    All this because Windows 7 is "captive portal aware".

    (Btw : my W7 systems are relatively clean : no Google pollution, no other navigators - but I know my clients connect with all their devices .... this list is very long - even those with a less than 2 $ OS).



  • @gertjan

    Please how do I use external MySQL server for FreeRadius on pfsense and how to acme package to obtain Let's Encrypt? If you can give me the setup for both. I use Let's Encrypt on my Ubuntu Server at home and it was easy to obtain it, but with the pfsense captive portal I have never done it before, so please, I need your help.



  • @stephenkwabena said in Captive Portal Load in Windows:

    Please how do I use external MySQL server for FreeRadius on pfsense

    You could use whatever SQL database server on your LAN, or elsewhere.
    I use the MariaDB package from my NAS, a Synology Diskstation, which comes with a free bonus : phpmyadmin is also present, so I can check the database, Freeradius tables.

    @stephenkwabena said in Captive Portal Load in Windows:

    how to acme package to obtain Let's Encrypt?

    Impossible to answer using few words.
    The subject "acme & Let's Encrypt" behind it is overwhelming. Took me close to a year to know how it all works.
    @jimp takes 1 hour 15 min here https://www.youtube.com/watch?v=h7Rlru3agdA
    You should know what DNS is ... and certificates ... and you need some time ;)

    The certificate obtained can be used for the GUI, and the Captive portal https login.
    You'll be needing a real domain name.

    edit : the 2 videos discussing the Captive portal are also accessible now. They are mandatory. Seeing them and captive portal has no more secrets for you.



  • @gertjan

    I know it is possible, but how the connection is done, that's what I wanted to know. I currently have Ubuntu Server running MySQL; how to connect it to the pfsense freeradius server is my problem.

    Thanks

