[HOWTO] Captive portal + FreeRADIUS + local MySQL user friendly single step
-
You have not updated this documentation page at this time
http://netpower.fr/sites/default/files/soft/html-doc/pfSense-cp-auth-onestep_0.html
I'm aware of that :) Still have to redo the whole howto on a recent pfSense build in order to rewrite it properly and address new issues, but as always, time is a b****, and I was more eager to rewrite the portal itself for security reasons than the manual.
-
Hi deajan, thanks a lot for this project.
Is it possible to use this Captive Portal for self registration on a unencrypted WLAN SSID with username and password, and use these credentials to authenticate on a encrypted WPA2 Enterprise SSID (with PEAP authentification or something like that)? -
Hi deajan, thanks a lot for this project.
Is it possible to use this Captive Portal for self registration on a unencrypted WLAN SSID with username and password, and use these credentials to authenticate on a encrypted WPA2 Enterprise SSID (with PEAP authentification or something like that)?Hi,
I'm not really sure what's your usecase here, but if I understand right, you want users to self sign in on a first wireless network, then have them connect on the secured wireless network with the credentials they created earlier.
You would have to modify the code of the captive portal to add a password option (let's say instead of the room number or so).
Then you'd need to add the pfSense FreeRADIUS server to your WPA2 setup.
Could you elaborate a bit please ? -
Hi,
I'm not really sure what's your usecase here, but if I understand right, you want users to self sign in on a first wireless network, then have them connect on the secured wireless network with the credentials they created earlier.
You would have to modify the code of the captive portal to add a password option (let's say instead of the room number or so).
Then you'd need to add the pfSense FreeRADIUS server to your WPA2 setup.
Could you elaborate a bit please ?That's exactly what I want to implement.
I've got three LANCOM L-322agn Access Points, one LANCOM WLC-4006+ Controller and a pfSense Setup. This will be used for a public WLAN in a small industrial area. The idea is to provide these two SSIDs with the access points at the same time. I do not want to use a "normal" WPA with pre shared key to provide more security when using the WLAN without VPN. I Think 802.1x/EAP with MSCHAPv2 or somethink like that would be better. What would be the best way to do that with your Captive portal solution? My PHP and JavaScript knowledge is unfortunately limited :-\ -
Is there any way with this setup to limit the amount of data one user can use at one time? say i want user bob to only have a max download limit of 1 GB for the duration of his time at the hotel?
-
Especially for Bob ? or All Bobs ? :)
-
Especially for Bob ? or All Bobs ? :)
All Bobs lets say have a max download each of 1gb and all daves have max download of 500mbs
i have tried this
INSERT INTOradcheck
(id
,username
,attribute
,op
,value
)VALUES (NULL, 'bob', 'Acct-Output-Octets', ':<', '5242880');
INSERT INTOradcheck
(id
,username
,attribute
,op
,value
)VALUES (NULL, 'bob', 'Acct-Output-Octets', ':=', '5242880');
INSERT INTOradcheck
(id
,username
,attribute
,op
,value
)VALUES (NULL, 'bob', 'Acct-Output-Octets', ':!=', '5242880');
INSERT INTOradcheck
(id
,username
,attribute
,op
,value
)VALUES (NULL, 'test3', 'Max-forever-Octets', ':=', '5242880');I guess im not supposed to do this as Freenas documentation says i cant use < as a operator for check…. any idear ?
-
You should check FreeRADIUS docu for this: https://wiki.freeradius.org/modules/Rlm_sqlcounter
Also, check that rlm_sqlcounter module is present in pfSense :) -
Hi Deajan!
I am trying to implement your solution at a hotel.
So also Freeradius and MySQL are working fine, but the Captive Portal didn't.
I tried twice, building two VMs in Virtual Box and pfSense 2.3 (last stable version). The first machine, after fill the form and accept the terms of use, when I click on confirm button appears 404 error. After hours and hours looking for what could be happening I gave up and decided to start over again, building a new VM.
In the second VM I took the same case: MySql and Freeradius are working fine, but now when I click on confirm button appears a blank page without any error. In browser address bar appears the Server IP + /$ symbol.
Can you advice me to find a solution? I had past entire Sunday doing this!
My best regards!
GiovaniPS: I found in my downloads a 2.2 pfSense version. I was thougthing in do a downgrade.
-
…. when I click on confirm button appears 404 error. After hours and hours looking for what could be happening I gave up and decided to start over again, building a new VM.
In the second VM I took the same case: MySql and Freeradius are working fine, but now when I click on confirm button appears a blank page without any error. In browser address bar appears the Server IP + /$ symbol.
....(The captive portal) web server log didn't mention what happened ??
Are you using the default built-in captive portal page ? -
@giovani.junior: Don't use the integrated view button as behavior changed in 2.3.2+, see https://forum.pfsense.org/index.php?topic=132106.0
Also, have you configured the redirection address for the CP ? -
Hi everyone, I modified the template for adding profilation and for ask a question to a clients.
Here is the file
https://github.com/mastrus/pfSense-cp-auth-onestep
Now I want to ask if is possible to have first autentication after 2 hours and one autentication after 8 hours with a different form page.
You can say how Do it?
I have also automated by shell script the creation of the machine with captive portal (after also i post the code).
Thanks in advance
Alessandro
-
…. when I click on confirm button appears 404 error. After hours and hours looking for what could be happening I gave up and decided to start over again, building a new VM.
In the second VM I took the same case: MySql and Freeradius are working fine, but now when I click on confirm button appears a blank page without any error. In browser address bar appears the Server IP + /$ symbol.
....(The captive portal) web server log didn't mention what happened ??
Are you using the default built-in captive portal page ?@Gertjan, the web server log doesn't show anything interesting or any error.
No, I am using the captive portal developed by deajan!
My best rgds! -
@giovani.junior: Don't use the integrated view button as behavior changed in 2.3.2+, see https://forum.pfsense.org/index.php?topic=132106.0
Also, have you configured the redirection address for the CP ?@deajan, sorry me because my ignorance, but where is this view button? Is it a captive portal configuration or a resource in web page?
Yes, I had configured the redirection address to http://www.google.com.
My best regards! -
Hi guys!
I took a print screen from login e post login captive portal page.
Please, any idea?![CP Image Login.png](/public/imported_attachments/1/CP Image Login.png)
![CP Image Login.png_thumb](/public/imported_attachments/1/CP Image Login.png_thumb)
![CP Post Login.png](/public/imported_attachments/1/CP Post Login.png)
![CP Post Login.png_thumb](/public/imported_attachments/1/CP Post Login.png_thumb) -
- CP Post Login.png (23.07 kB, 1920x1032 - viewed 0 times.)
That image shows the problem very well.
http://192.168.56.200:8002/?
isn't a valid URL (IP is ok, port 8002 also - but with the file called '?' the web server (Nginx) will yell … euh log something and show you the file not found error - also known as world's famous "404".Knowing that the correct URL will be build with "$PORTAL_ACTION$" I wonder what your this variable is in your case.
Edit your portal.html (and portal.php or whatever files are used to create te loggin page, and add this " html code ":
... PORTAL_ACTION == [$PORTAL_ACTION$] ....
With my portal, this line shows :
PORTAL_ACTION == [https://brit-hotel-fumel.net:8003/index.php?zone=cpzone1]
and this is a valid URL (works with my pfSense setup - I'm using https, this explains the "8003" port - and the zone name is 'cpzone1')
So, what about showing your "portal login html files" ?
edit : I didn't test-drive, but this :
https://github.com/deajan/pfSense-cp-auth-onestep/blob/master/ozy-captive.php#L331
looks fine to me. -
Good morning Gertjan!
I am sending the index.php file.
Sincerly, I don't know what to do. I read a lot of docs about captive portal and followed the advices from other people with the same problem, but nothing is working.
My best regards and thanks by your attention! -
heyy guys, first of all thank you Deajan for the amazing work, really, it helps alot, now to my problem, i am currently on pfsense 2.3.4, and everything seems to be working fine except for the radius login part, i can see the users in the MYSQL database but they are all Rejected, the configuration of the ports on the radius server is ok, i was able to find this in the logs
"Invalid user (sql1: Failed to create the pair: Invalid vendor name in attribute name "Password"): [123] (from client tester port 2010 cli "
i believe from what ive read that there is no such thing as apassword atribute, it must be Cleartext-Password, the problem is that i cant seem to find where to change the value, could you please help me out?,
FYI if i use the test user and test password i can log in no problem and the mysql database also reflects that, so im guessing its just some sintaxis problem.
thanks
-
I'd like to mention that I'm NOT using Freeradius and MySQL to handle te Captive portal clients.
(I just 'stole' somewhat the GUI part).
I'm running the Captive portal for a hotel for many years now - just using the local client database, built into pfSense.I tend to keep it simple, which guarantees that my portal is always available, which is THE most important thing for my clients.
Tracking or accounting my clients is not one of my priorities - I'm not selling Internet access - I just offer it.
-
FOLLOWUP, in case anyone is hitting the same problem as me, the problem is with freeradius3, so first of all you need to change the attribute type on the file ozy-captive :
From : "INTO radcheck (username, attribute, value) VALUES (?, 'Password', ?)")) "
TO: INTO radcheck (username, attribute, value) VALUES (?, 'Cleartext-Password', ?)"))
And then you need to change the file Schema.sql BEFORE you add it to the radius database
FROM:
CREATE TABLE radcheck (
id int(11) unsigned NOT NULL auto_increment,
username varchar(64) NOT NULL default '',
attribute varchar(64) NOT NULL default '',
op char(2) NOT NULL DEFAULT '==',
value varchar(253) NOT NULL default '',
PRIMARY KEY (id),
KEY username (username(32))
) ;TO:
CREATE TABLE radcheck (
id int(11) unsigned NOT NULL auto_increment,
username varchar(64) NOT NULL default '',
attribute varchar(64) NOT NULL default '',
op char(2) NOT NULL DEFAULT ':=',
value varchar(253) NOT NULL default '',
PRIMARY KEY (id),
KEY username (username(32))
) ;I hope this helps anyone My problem was with pfsense 2.3.4 FRERADIUS 3