Some clients don't need authentication to access through the captive portal
-
Hi all,
I have successfully installed pfSense captive portal + FreeRADIUS 2 + MySQL in my company.
Usernames and passwords are stored in MySQL.
All client devices need to log in via the captive portal to access the Internet.
idle timeout: 15 minutes
hard timeout: 180 minutes
Everything worked, but after a few days, some users go home and come back to the company the next morning.
They can access the Internet without logging in. I monitored in pfSense and I am sure that they access the Internet through pfSense.
Their IP address does not appear in the "Status: Captive portal" table.
Could anyone suggest how to check this case?
-
….
Could anyone suggest how to check this case?
The captive portal log file: Status: System logs: Portal Auth
You should find lines like this:
Dec 17 03:08:43 logportalauth[30544]: Zone: cpzone1 - LOGIN: 216, 0c:df:xx:3d:b3:e4, 192.168.2.59
and after some time (in your case: between 15 minutes and 180 minutes max), you will find (should find!) this:
Dec 17 07:17:24 logportalauth[93475]: Zone: cpzone1 - TIMEOUT: 216, 0c:df:xx:3d:b3:e4, 192.168.2.59
What version of pfSense are you running?
And, just for checking, the IPs the Captive Portal (pfSense) gave to your visitors are all unique, and present in the DHCP server log (and DHCP lease table)?
-
Thanks for your reply,
my pfSense is
2.2.5-RELEASE (amd64) built on Wed Nov 04 15:49:37 CST 2015 FreeBSD 10.1-RELEASE-p24
When users complain, I immediately check their devices and search their IP address in "Status: System logs: Portal Auth"; no line shows up.
I also check "Status: DHCP leases"; the MAC address of their device has a unique IP address.
-
I can't help you with the RADIUS part (I'm using the Local Manager to 'manage' my visitors), but I can propose some tests:
Open an SSH prompt.
Execute:
ps ax | grep 'minicron'
Several lines should show up, two of them must be:
7250 - Is 0:00.00 /usr/local/bin/minicron 60 /var/run/cp_prunedb_cpzone1.pid /etc/rc.prunecaptiveportal cpzone1
7512 - I 0:01.13 minicron: helper /etc/rc.prunecaptiveportal cpzone1 (minicron)
This is the pruning process. It starts every minute, and checks for idle or hard timeout candidates. If it finds candidates, they will be disconnected then (by modifying the captive portal's firewall - see below) - and of course, a line will be logged: "Dec 17 08:16:45 logportalauth[69733]: Zone: cpzone1 - TIMEOUT: 111, 08:xx:8e:12:87:9a, 192.168.2.129".
Btw: to see the firewall, and while you have an SSH session open, read this: https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting (the tables).
For example:
ipfw zone list
will list the 'zone' that your captive portal is using - mine is "2".
So:
ipfw -x 2 table 3 list
and
ipfw -x 2 table 34 list
These two tables list all the IPs used by your visitors that are able to use the Internet (are authenticated).
The job of the 'prune' task you saw above is to remove entries from these tables when the connection expires.
I guess the entries aren't removed from your tables ….. right?
As said above, I can't help you with RADIUS setup issues; I know it works (thousands are using it).
Maybe you can do a test with the 'simple' local user Manager to see if it works in that case. It can be done quickly. Use an idle timeout of (for example) 3 minutes and a hard timeout of 5 minutes, and test drive to see if you are thrown out after 5 minutes. Then you will know that your 'pfSense' is working, and that the problem is elsewhere..
-
I executed
ps ax | grep 'minicron'
It shows:
54081 - Is 0:00.00 /usr/local/bin/minicron 60 /var/run/cp_prunedb_mycompany_captive.pid /etc/rc.prunecaptiveportal mycompany_captive
54701 - I 0:00.19 minicron: helper /etc/rc.prunecaptiveportal mycompany_captive (minicron)
List zone:
[2.2.5-RELEASE][admin@pfSense.localdomain]/root: ipfw zone list
Currently defined contexts and their members:
2: em1,
Show table lists 1 and 2:
ipfw -x 2 table 1 list
ipfw -x 2 table 2 list
and I find the IP addresses of users who can access through the captive portal without login:
192.168.1.106/32 mac 1c:b7:2c:40:52:91 2956
How do I remove their IP from tables 1 and 2 without restarting the captive portal service or pfSense?
-
….
and I find the IP addresses of users who can access through the captive portal without login.
192.168.1.106/32 mac 1c:b7:2c:40:52:91 2956
How do I remove their IP from tables 1 and 2 without restarting the captive portal service or pfSense?
Well ….
man ipfw
?
But, ok, pfSense doesn't include the man (from 'manual') pages.
So I had to Google ipfw ….. ;)
But: keep in mind that the firewall connection states of that client also have to be removed.
Doing all this by hand isn't a solution.
Understanding WHY clients aren't removed by pfSense is the solution.
Did you try to use the local manager (not using RADIUS) for a moment?
-
You probably hit this bug
https://redmine.pfsense.org/issues/5622
You can search your log files for the respective messages:
- logportalauth[63045]: Zone: main_zone - Successfully reinitialized tables for main_zone – database has been reset.
- logportalauth[63045]: Zone: main_zone - Error during table main_zone creation. Error message: database is locked. Resetting and trying again.
With some luck it's resolved in 2.2.6; the workaround is pretty simple.