Captive portal issue, Apple devices pass thru without authentication
-
Thanks a lot for that info.
-
I have the same issue. Is there a fix for this?
-
There is no "push a button and the problem is gone".
Read messages 2 and 3, especially 3 (cmb), and even mine: this is NOT a pfSense problem.
As said: if packets come into the Portal interface with the same MAC address and the same source IP, then pfSense can't tell any difference.
Try it for yourself: if your portal interface is a wired-only solution - so hook all guests up with cables to a switch behind the OPT1 portal interface (so NO Wi-Fi access points) - then this problem will stop.
Draw your conclusions. So, please, take 5 minutes, do the test I proposed, and see what happens. Post back with the results.
Btw: this is not an "iPod-Pad-Phone-Mac-Apple" problem.
-
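The post above argues that the portal keys its sessions on the source IP and MAC it sees, so anything that collapses several clients into one IP/MAC (a NAT access point, a downstream router) lets a second client ride on the first client's login. The following is an added example, not code from the thread or from pfSense: a toy session table keyed on (IP, MAC), fed with constructed client records, once behind a bridged AP and once behind a NAT AP. All names, addresses and the `Ap`/`Client`/`Portal` classes are assumptions for illustration.

```python
"""Toy model of a captive-portal session table keyed on source IP + MAC.

Added illustration, not pfSense code. Client/AP records below are constructed.
It shows why a NAT access point lets a second client "piggyback": the portal
only ever sees the AP's WAN-side IP and MAC, never the individual phones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    ip: str
    mac: str


@dataclass(frozen=True)
class Ap:
    mode: str     # "bridge" or "nat" (assumed AP operating modes)
    wan_ip: str   # address the AP presents towards the portal interface
    wan_mac: str


def as_seen_by_portal(client: Client, ap: Ap) -> tuple[str, str]:
    """Return the (ip, mac) pair the portal interface observes for this client."""
    if ap.mode == "nat":
        # The AP rewrites source IP and the frame carries the AP's own MAC:
        # every client behind it collapses to one identity.
        return (ap.wan_ip, ap.wan_mac)
    # Bridged AP: the frame arrives with the client's own IP and MAC.
    return (client.ip, client.mac)


class Portal:
    """Minimal session store: an (ip, mac) key is allowed once it has logged in."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, str]] = set()

    def login(self, key: tuple[str, str], username: str, password: str) -> None:
        # Credential checking is out of scope for this toy; only the
        # success path matters for the point being made.
        self.sessions.add(key)

    def is_allowed(self, key: tuple[str, str]) -> bool:
        return key in self.sessions


def simulate(ap: Ap) -> dict[str, bool]:
    """Alice logs in; report whether Alice and a never-logged-in Bob pass the portal."""
    portal = Portal()
    alice = Client("alice-phone", "10.0.0.11", "aa:aa:aa:aa:aa:11")  # constructed
    bob = Client("bob-phone", "10.0.0.12", "aa:aa:aa:aa:aa:12")      # constructed
    portal.login(as_seen_by_portal(alice, ap), "alice", "secret")
    return {
        "alice": portal.is_allowed(as_seen_by_portal(alice, ap)),
        "bob": portal.is_allowed(as_seen_by_portal(bob, ap)),
    }


if __name__ == "__main__":
    print("bridged AP:", simulate(Ap("bridge", "10.0.0.2", "cc:cc:cc:cc:cc:02")))
    print("NAT AP:    ", simulate(Ap("nat", "10.0.0.2", "cc:cc:cc:cc:cc:02")))
```

Behind the bridged AP only Alice is allowed; behind the NAT AP Bob is allowed too, without ever having seen the login page. The same collapse happens with any authenticated device that routes for others, which is why the wired-only test in the post removes the symptom.
-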
Here's what: I set up a new pfSense and configured it to serve my LAN and VLAN desktops. The Captive Portal is serving all workstations well; however, smartphones were able to browse the internet without authenticating to the portal. How did that happen?
-
however, smartphones were able to browse the internet without authenticating to the portal. How did that happen?
You have provided nowhere near enough configuration information for me to say definitively. Perhaps captive portal is not enabled on the pfSense interface upstream of the smartphones. Perhaps the smartphones are downstream of some device that has authenticated with the captive portal and they are "piggybacking" on that device's access. Perhaps they are going through some proxy. Perhaps …
I suggest you provide a network diagram showing at least a few of the smartphones exhibiting the behaviour, the upstream pfSense box and relevant interfaces, any intermediate devices and the IP address and subnet mask of all the interfaces on the diagram.
-
Hi, here's your request; attaching my network diagram.
![NETWORK DIAGRAM.jpg](/public/imported_attachments/1/NETWORK DIAGRAM.jpg)
-
I presume the smartphones access the Internet through one of the APs on your diagram.
I suspect that the APs are doing NAT for the smartphones, which would mean that pfSense would not be able to distinguish between two different smartphones using the same AP; hence a smartphone could "piggyback" on the authentication of another smartphone on the AP. You probably need to operate the APs as bridges rather than NAT routers. I am not familiar with the APs you are using. Do they have multiple "LAN" ports and a "WAN" port?
-
None of the APs have authentication; they are open, as authentication is being processed on the Captive Portal using MAC pass-through. All APs are under a VLAN and pfSense is also serving DHCP for that VLAN. My question is this: smartphones connecting via the APs do not have any records on the Captive Portal, but they were able to bypass it?
As I said earlier, this is a new setup (pfSense 2.0.1) and the Portal is serving workstations well, meaning the authentication page is seen on all workstations but not on any smartphones.
I forgot to mention that all APs are just running as bridges, and all IPs being handed out are from the pfSense DHCP server (VLAN).
TIA
-
Is it possible that the smartphones have any notion of the 1.1.1.1/24 network?
I mean, if they got hold of 1.1.1.1/24 they would not even see/hear/feel your pfSense installation. But why only smartphones act like this is strange. They have no such thing as a special power to avoid portal pages. I'm pretty sure you won't find ANY communication on the pfSense box. Just try this: pull out the 1.1.1.1/24 cable on your pfSense box and see if the smartphones are still connected.
If they are, then as said in another thread (http://forum.pfsense.org/index.php/topic,61954.0.html), remove SQUID & SNORT and see what happens.
-
I think I found the problem, after carefully checking the routes, the policies I have on the firewall and how the device passes through pfSense. OK, I will list it in detail:
-
pfSense is implementing a failover rule (I grouped the two ISPs so it will serve my failover)
-
On the firewall policy I define objects that will be under my failover setup
-
Both LAN and VLAN contain the policy for failover
-
The pfSense Captive Portal interfaces are LAN and VLAN.
What I did was remove the failover policy (gateway) on the objects and put an any-any policy in place for testing purposes, then restart the Captive Portal. After restarting the Portal services I ran a test on the smartphones and BOOOOMMM, there goes the login screen of the portal.
I enabled the policy again and there it goes: the phone can bypass the portal and the workstation cannot! This is really weird; can someone enlighten me on this?
TIA
-
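The post above settles the question by toggling the failover (gateway) rule and watching whether the phone gets the login screen. That check can be scripted so it gives the same answer every time and can be run from a phone, a laptop and a workstation on the same VLAN side by side. Below is an added example, not code from the thread or from pfSense: one plain-HTTP request with redirects deliberately not followed, classified as "intercepted by the portal" or "passed straight through". The probe host and the portal hostname are assumptions to adjust; the sample responses in the usage note are constructed.

```python
"""Client-side check of captive-portal enforcement.

Added example, not from the thread. Run it from a freshly connected client
that has NOT logged in yet. PROBE_HOST and PORTAL_HOST are assumptions:
the first is any plain-HTTP site that should only be reachable after login,
the second is the hostname or IP your portal redirects to.
"""
import http.client

PROBE_HOST = "example.com"          # assumption: adjust to a site you can reach
PROBE_PATH = "/"
PORTAL_HOST = "portal.example.net"  # assumption: your portal's hostname or IP


def classify(status: int, headers: dict) -> str:
    """Classify one un-followed HTTP response.

    headers: mapping of lowercase header name -> value.
    Returns "portal-redirect" when the portal intercepted the request,
    "passed-through" when the real site answered, else "inconclusive"
    (e.g. a redirect issued by the site itself, or an error).
    """
    location = headers.get("location", "")
    if status in (301, 302, 303, 307) and PORTAL_HOST in location:
        return "portal-redirect"
    if status == 200:
        return "passed-through"
    return "inconclusive"


def probe(host: str = PROBE_HOST, path: str = PROBE_PATH, timeout: float = 5.0):
    """Send one GET over plain HTTP without following redirects.

    Returns (status, classification). http.client never follows redirects,
    which is the point: the portal's 302 must be visible, not silently consumed.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "portal-probe"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, classify(resp.status, headers)
    finally:
        conn.close()


if __name__ == "__main__":
    print(probe())
```

Run it once with the gateway rule active and once with the any-any rule, from a phone and from a workstation on the same interface. A "passed-through" result from a client that has no session on the portal is the bypass; a "portal-redirect" from the same client after the rule change confirms the rule, not the device type, decides the outcome. Keep the probe on plain HTTP: an HTTPS request never shows the portal's redirect, only a connection failure, and an HTTP client that follows redirects would hide the 302 you are looking for.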
Good thing to hear!
Btw: did you never think about making your network more - simple -?