Captive Portal MAC Authentication

Iahmad

Dear all,

i am using pfsense 2.2.3 with captive portal. i have added all legitimate MACs statically. it was aim to allowed only the MAC listed to allowed services and block all others.
last night i saw in status->captive portal show some un-authentic mac entiries

please see the attachment.

screeshot showing a mac that is not in my list..

Screenshot_2015-07-09-02-03-41-995.gif_thumb

muswellhillbilly

Where did you add the MAC addresses? Might be worth showing another screenshot with the MACs listed - include information of the menu/submenu where the config is made.

I'm guessing, but I have an idea you may have entered your MAC addresses in the 'pass-through MAC' tab in the captive portal config. If so, this doesn't prevent any other MACs from accessing the portal - all this does is allow them through without having to authenticate.

Gertjan

Also:
Please show the Captive Portal log at the moment this MAC visited your portal.

Please detail your Captive portal setup (main settings page).

Iahmad

i am attaching more screen shot for better understanding

i dont want users to redirect to any page, i just want to enter mac and statict entry for dhcp server and they are good to go.

![cap 1.gif](/public/imported_attachments/1/cap 1.gif)
![cap 1.gif_thumb](/public/imported_attachments/1/cap 1.gif_thumb)
![cap 2.gif](/public/imported_attachments/1/cap 2.gif)
![cap 2.gif_thumb](/public/imported_attachments/1/cap 2.gif_thumb)
![cap 3.gif](/public/imported_attachments/1/cap 3.gif)
![cap 3.gif_thumb](/public/imported_attachments/1/cap 3.gif_thumb)
![cap 4.gif](/public/imported_attachments/1/cap 4.gif)
![cap 4.gif_thumb](/public/imported_attachments/1/cap 4.gif_thumb)
![cap 5.gif](/public/imported_attachments/1/cap 5.gif)
![cap 5.gif_thumb](/public/imported_attachments/1/cap 5.gif_thumb)

muswellhillbilly

I'm using an older version of pfSense but I believe the process is the same. When you enable captive portal but disable authentication, this means your users will normally be taken to a page - usually a 'fair usage' document - which they just have to click through to gain access. The MAC tab simply is a pass-through option, allowing anyone in that list to gain access without going through the CP page. Others not on the list can still gain access - they just have to click-through the CP page.

If you want to block users on MAC address, the only way I can see you accomplishing this is by creating an alias in your firewall rules, populate it with the IP addresses you're assigning statically via DHCP and use this to create an allow rule for those IPs only, blocking everything else. If you tick 'deny unknown clients' in your DHCP server settings, you can allow only the listed MACs to get an address.

n3by

You forgot to add user/pass restriction to access Captive Portal and allow automatic MAC access without user/pass as you want.

Users without MAC in list will be ask for user / pass.

01.jpg_thumb

02.jpg_thumb

Gertjan

n3by is right.

Just activate 'Local user' login - don't add any users.
This way, users with a MAC on the list have access - others will just hit the portal ….