Invalid Credential on Captive Portal

  • I have just set up pfSense 2.2.3 and have enabled captive portal with the default landing page and then a URL once authorised.

    I have set up a local user with a password and selected to use the local database as the authentication, however when I go to a machine which loads the landing page no problem and try to log in, I get the message "invalid credentials supplied".

    I have set up a Captive Portal Zone, but have no idea how to get users into the zone. >:(

    Please can someone help.



  • Hi,

    Just be sure the user is part of the Captive Portal Group (you will find this group already created).

    ![2015-09-03 14.41.46.jpg](/public/imported_attachments/1/2015-09-03 14.41.46.jpg)
    ![2015-09-03 14.41.49.jpg](/public/imported_attachments/1/2015-09-03 14.41.49.jpg)

  • Thanks for the response.

    Checked and there was no group for captive portal.
    So created the group under System: Group Manager.
    Then assigned the user to the Captive Portal group.

    On the Zones I have set up a zone called Portal, which shows no users.

    Have retried the login procedure and still no joy.
    Still getting the Invalid Credentials message.


  • OK, now check to see if the Group has assigned privileges for Portal login.

    ![2015-09-03 15.29.08.jpg](/public/imported_attachments/1/2015-09-03 15.29.08.jpg)
    ![2015-09-03 15.31.13.jpg](/public/imported_attachments/1/2015-09-03 15.31.13.jpg)

  • Note: this is applicable only if your captive portal settings have the "Allow only users/groups with 'Captive Portal Login' privilege set" box ticked. If you're unsure, you can untick this (temporarily) to see if you can log in successfully. If this is the issue, amend the Group settings, as n3by suggests, and add the 'User - Services - Captive portal login' privilege to the group your user(s) belong to.

  • OK, making progress, thanks.

    I can now authenticate, but the browser sits there saying redirecting to my URL "" but does load the page.

    If I open a new browser tab and click my Google bookmark it loads the page.

    What may be the problem?

    If I now wanted to change the authentication to LDAP what changes would I need to make re the privileges etc?

    Thanks Guys


  • We can't know why your page is not redirected properly because this involves a lot of settings in pfSense or the computer.

    For example, in my setup I block Google & co, advertisers and trackers… with all I can: Squid, pfBlocker... so for me it is normal to fail.

    But as long as you are authenticated and can exit to the internet, captive portal login/authentication looks OK.

  • Sounds like you may have wrongly entered the redirection URL (for Google, use ''). Otherwise, have you set a proxy on your web browser?

    For AD/LDAP authentication, see here:

  • OK, that sorted the Google forwarding out perfectly - thanks

    On the LDAP authentication, I have set up the LDAP connection to the server and tested the user name etc and this authenticates correctly.

    I have set up a group LDAP and assigned the privileges as per the URL link you gave me. (I think!!)
    In System: User Manager settings I switched the Authentication server from Local to UOPNET, which is our LDAP Service.

    But when I try to authenticate this comes back with Invalid Credentials again.

    For info, if I try to now log in as a local user this works, which to me should not happen. >:(

    Please advise.

    Screen shots attached

    ![Authentication Server.PNG](/public/imported_attachments/1/Authentication Server.PNG)
    ![LDAP Group Permissions.PNG](/public/imported_attachments/1/LDAP Group Permissions.PNG)
    ![LDAP Group.PNG](/public/imported_attachments/1/LDAP Group.PNG)
    ![LDAP Authenticated.PNG](/public/imported_attachments/1/LDAP Authenticated.PNG)

  • Captive portal authentication is done via a local database or through RADIUS, as I understand it. LDAP is used to authenticate access to the firewall itself. If you install/enable RADIUS services on your Windows DC you can then point the CP to use that server to authenticate your users. That would be my suggestion, unless anyone else has any information I'm not privy to.

  • PS: It sounds a little round-the-houses, but if you don't like the idea of making your AD server a Radius server, you can integrate FreeRADIUS with Windows and target the FreeRADIUS server instead:

  • Thanks for your reply.

    The confusing thing is that on a different machine we have set up pfSense v2.03 and this works perfectly with LDAP authentication.
    It seems to be the way the software developers have changed the way privileges are set to groups that is now causing the issue.

    Simply, before, I set up the LDAP connection settings and then set the Authentication Server to use the LDAP - it just worked :)

    Why do they have to make things so complicated >:( >:( >:( >:(

    I have too many users to make it a local system and I don't really want to go down the road of a RADIUS server as this is just defeating the object of having LDAP as an option.

    Has anyone else come across LDAP setup problems?

    More so, has anyone resolved the issue of group privileges to LDAP?

    How the heck do you assign users to a group when you don't know who the heck they are ::) ::)


  • If RADIUS isn't your thing, then another possible route you could take would be to install a proxy on your pfSense and bind that to your AD domain. This would then require your users to authenticate through the proxy with their Windows credentials before accessing the internet. There are plenty of links showing how this is done. Here are a few:

    There are many more to be found via Google, of course.

    You can assign group policies to AD groups via a Squid/Dansguardian combination (the way I've done it). Members of that AD group can then be assigned specific access or non-access through rules you can set up in Dansguardian. Again, you'll find quite a few examples of this on the internet already if you fire up Google.
