Squid3-dev captive portal integration

  • Hi,

    Squid3-dev now includes a captive portal authentication method to log captive portal users in the squid logs.

    If all code is working correctly, you can enable captive portal and use squid with transparent mode on or off.

  • Hi Marcelloc,
    I am a newbie.
    My pfsense server has installed: squid3-dev, captive portal.
    I want to use authentication of CP and logging of squid with user-id of CP in logs (in my case, this function is very important).
    I enabled CP in Authentication methods of Squid and checked the "Patch Captive Portal" box in Squid General Settings, and reapplied the captive portal settings.
    My problem is: the realtime squid logs show "TCP_DENIED/403" in the status bar (as in the attached file). There are no logs of Internet users although Logging is enabled in the squid general settings.

    What is the solution for my problem, to use captive portal with squid?
    Sorry for my English.  :)

    ![Squid Logs Errors.PNG](/public/imported_attachments/1/Squid Logs Errors.PNG)

  • Could you authenticate on captive portal?

  • If I only enabled Captive portal, CP authentication could run normally.
    When I configured Captive portal and Squid3-dev simultaneously, there was the error "The requested URL could not be retrieved" if I accessed websites, as in the attached figure, and the squid logs showed status "TCP_Denied/403".

    My configuration:

    Captive portal:
      - Enable Captive portal
      - Checked "Enable Captive portal"
      - Interfaces: LAN
      - Idletimeout: 10 minutes
      - Checked "Disable MAC filtering"
      - Authentication: Radius/PAP

    Proxy Server:
    General settings:
      - Proxy Interface(s): LAN
      - Checked "Allow users on interface"
      - Checked "Patch captive portal"
      - Unchecked "Transparent HTTP Proxy"
      - Enable Logging
      - Allowed subnets: LAN subnets
      - Authentication method: Captive portal

    ![error web browser.PNG](/public/imported_attachments/1/error web browser.PNG)

  • What do you have on squid ACLs?

  • My network diagram with pfsense:

    Internet User ----- L3SW Gateway (DHCP) ----- pfsense server (routing, no NAT) ----- Firewall ----- Router ----- Internet

    On Squids ACLs:
      - Allowed subnets:
      - Others are default

  • Apologies if this is covered in a newer topic, however if it is I have failed miserably in finding it!

    I have set up squid3-dev using local authentication and it works fine…

    • Patch Captive Portal

    • ACL only contains (the local network address)

    • Proxy details are input to the browsers directly, transparent mode is off

    I have set up captive portal using RADIUS authentication and it works fine…

    • Captive portal is a custom one but is fairly basic, not sure if this could affect anything

    The problem I am encountering is that when I set squid3-dev to use the captive portal for authentication all I get is error pages, your basic "Access Denied" message and I cannot even go directly to the captive portal page (https://<pfsense>:8001)

    This is causing me a bit of a headache now as I really don't want to have people need to authenticate with the captive portal and then have to further authenticate themselves with the proxy!

    I would really like a solution to my problem…

    I tried to use no authentication on the proxy but then the proxy stops filtering https pages which is a bit of a requirement...

    I am not really sure which/where to find any relevant logs you might want to help me sort this so please ask if you can use one or need to know any of the configuration and I'll do my best to answer you in short order.


  • Hi everybody,

    I have a problem with the captive portal authentication method for Squid.

    When the Squid authentication method is "captive portal", my users can authenticate in my captive portal (captive portal with RADIUS authentication) but all the requests on port 80 are blocked by the proxy. The Squid logs (in Real Time) say "TCP_DENIED/403" and the error page with "access denied" appears…

    When the Squid authentication method is "none", my users can authenticate in my captive portal and all the requests on port 80 are accepted and the navigation is logged.

    Please can you help me?

    I don't speak English very well, sorry... I'm French.

    Thanks very much !