External captive portal authentication



  • Hi, do you have any knowledge about how can we do, external radius authentication and external captive portal authentication.

    unauthenticated local clients–-------firewalls(cyberoam or pfsense or mikrotik)---------adsl modem---------internet------------cloud----------pfsense(radius srv and captive portal)

    we want to when an unauthenticated user wants to connect to internet the remote extermal captive portal page comes in front of them.
    how can we do this, how can we write the api for this, can you please show me the way, i am trying to solve this issue for weeks.

    i find this one, but this is only comes to the external captive portal page infront of the user, but when user authenticated, login to the local captive portal, we want to login to the external site's (pfsense behind the cloud in this case) captive portal.
    this case external captive portal page comes to in front of the user, and remote radius authentication is ok too. but we want to login external captive portal not the local one.
    http://forum.mikrotik.com/viewtopic.php?t=55882
    http://wiki.mikrotik.com/wiki/HotSpot_external_login_page

    http://forum.mikrotik.com/viewtopic.php?f=2&t=41856

    http://forum.mikrotik.com/viewtopic.php?f=2&t=38216

    and also there are methods for api writing here,

    http://forum.mikrotik.com/viewtopic.php?f=9&t=77915&p=391372&hilit=external+captive+portal#p391372

    http://forum.mikrotik.com/viewtopic.php?f=9&t=66911&p=340489&hilit=external+captive+portal#p340489

    http://forum.mikrotik.com/viewtopic.php?f=7&t=54603&p=278179&hilit=external+captive+portal#p278179

    http://forum.mikrotik.com/viewtopic.php?f=2&t=34321&p=369926&hilit=api+for+external+captive+portal#p369926

    https://forum.pfsense.org/index.php?topic=46015.0

    i wrote that the method should be api writing and transfer the credentials from local site's login.html to the remote site's login.php.

    we have a portal page and it is working in local solutions with mikrotik or cyberoam or pfsense, but when we want to external captive portal authentication and want to write the user to this external captive portal and its mysql database, we can not be successful. Can you please help me.


  • Banned

    No. pfSense CP is not intended to run in the cloud. See How does CP block internet access?



  • Hi,

    doktornotor thank you for the answer, now i am trying the solution in the lab, now pfsense is at the same network with mikrotik,
    in prod conditions, i will make a ipsec tunnel to reach the pfsense from mikrotik, now i only try on the same network, but still can not be successful.

    we designed the index.html in the mikrotik/hotdpot folder and designed the index.php under the pfsense captive portal and made the necessary changes in the identificationcheck.php file in the pfsense captive portal file manager. now we can authenticate the unauthenticated users on the pfsense captive portal, but we can not go out to the internet, always the same captive portal page comes even auth the user. we can see the user in pfsense captive portal, successfully login ok, and see the user on the pfsense ghost radcheck database too(we do it by arranging the identificationcheck.php file, we made write the values to the database), but we see the microtik's outside interface's ip in this database.

    the client ip is 192.168.88.254, this client goes to mikrotik which is 192.168.88.1 and mikrotic's outside interface is 192.168.1.13, this interface connected to pfsense, which is 192.168.1.10 and pfsense wan interface pppoe to adsl modem.

    in the pfsense's ghost database we can see the 192.168.1.13 which is mikrotik's outside interface, we thought that we must see the clients ip 192.168.88.254 here to allow the client to go to the internet. how can we write this to the mysql database in pfsense?

    is the problem that? how can i troubleshoot this issue, how can i understand what is the problem? can you please show me the way?

    i thought this is the normal masquerading process on mikrotik, i must send the client network's traffic to the pfsense via routing not srcnat, but when i disable the nat, i can not reach the pfsense in my next hop after mikrotik, can i make the network behind the mikrotik to reach the pfsense in front of the mikrotik?

    can you please tell me the method of this? If we use redirection and redirect the captive portal page to the pfsense
    client is behind of the mikrotik, normally the mikrotik hotspot page must come in front of the unauth client, but we redirect the captive portal page to the pfsense captive portal page and make changes on the php files, now client can login to pfsense's captive portal, but can not go through internet, i thought that client must be accepted on the mikrotik hotspot too, how can i make this system working, can you please show me the way, i am trying to solve this for 4 weeks, but can not be successful.

    client–---mikrotik-------pfsense-------adsl modem

    if rlogin.html page on mikrotik takes my clients ip address, which is 192.168.88.254, my ip must be 192.168.88.254 in the pfsense database.
    because i red that, the rlogin.html transfers the values to the index.php on the pfsense captive portal,
    but i saw that, when i redirected the page to the pfsense, pfsense saw the mikrotik's wan ip address, in this case how can i make it possible for clients to go to the internet?


  • Banned

    Afraid, this forum certainly is not the place to discuss Mikrotik configuration details; I also kinda don't see why should Mikrotik be involved here at all, regarding the CP. As for the routing issue (cannot access pfS in front), seems like you are missing a static route both on pfSense and Mikrotik.

    Finally, as already stated - the CP is really NOT designed to be used externally as some authentication backend.



  • hi, can you please send me the related articles, knowledgebases, release notes, documentations about why we can not use pfsense's captive portal in the cloud for remote radius auth and remote captive portal page, i have been trying to establish this method for weeks, do i try for nothing?

    if you need to do this kind of setup, how can you solve this issue, which method do you choose? any advice?
    can we do this with ipsec, i also tried it but couldn't successful again,
    in routing in the same lan, i can do this, but when i try to going through internet, i can not be successful.

    clients–----cyberoam or mikrotik-----internet---cloud----pfsense ghost CP

    thank you for your all answers.


  • Banned

    It just does NOT work that way. Please, actually read on how this works. I already linked it here: https://forum.pfsense.org/index.php?topic=93479.msg518607#msg518607


Log in to reply