[HOWTO] Captive portal + FreeRADIUS + local MySQL user friendly single step
-
03 May 2017:
- New version 0.48 has php-mysqli requirements
29 Nov 2016: - Added watchdog install
26 May 2016: - Added new pkg procedure for 2.3 final and post 2.3 releases
Hello,
I've written a captive portal wrapper that creates the FreeeRADIUS user account and logs in in one step, all with bootstrap responsive code and validation, with configurable language that suits for hotels and public wifi providers.
Here's the full howto:
1 Introduction
pfSense-cp-auth-onestep is a project that aims to provide a captive portal interface for pfSense 2.x (currently tested on 2.2.x and 2.3-beta) that doesn't require the creation of a user account.
In fact, when a user registers, it creates the RADIUS user account and then logs in with that account.
A demo can be found at the following address:http://pfcp.netpower.fr
The latest doc can be found here: http://netpower.fr/pfcp-pfSense-auth-onestepInitial work based on the excellent work of khan: https://forum.pfsense.org/index.php?topic=57260.0
2 Preparation of pfSense
In order to work, pfSense needs the following packages: FreeRADIUS, Cron.
Also, some upstream packages are required in order to work.
First we need to fetch some upstream packages:
Additional steps for pfSense 2.3
The repository management has changed in pfSense 2.3, and by default the FreeBSD repository is disabled.
You must edit the file /usr/local/etc/pkg/repos/pfSense.conf and set the following value:
FreeBSD: { enabled: yes }Additional steps after 2.3 final release
You must also edit file /usr/local/etc/pkg/repos/FreeBSD.conf and set the following value:
FreeBSD: { enabled: yes }ATTENTION: Once the packages are installed with pkg command, please set this value to 'no' again so updates won't interfere with pfSense normal functionality.
Installation of packages:
pkg pkg update pkg install nano gitIf your pkg doesn't find the packages, you may need to reinit the pkg database with
rm -f /var/db/pkg/*.sqliteAfter this, pkg update should reinitialize the pkg database.
2.1 Installation of MySQL
Although MySQL should be installed on a separate machine, it's convenient to have a single pfSense box doing the whole authentication.
Installation of MySQL isn't supported by pfSense, so you'll have to redo the following steps after every update.
2.1.1 pfSense 2.2 steps
MySQL installation
pkg install mysql56-server pkg install compat8x-amd64PHP support
touch /etc/php_dynamodules/mysql /etc/rc.php_ini_setupThe following command should output mysql and mysqlnd.
php -m | grep mysql2.1.2 pfSense 2.3 steps
MySQL installation
pkg install mysql56-server pkg install compat9x-amd64 pkg install php56-mysqlSince v0.48 of the captive portal version, mySQL queries are done via prepared statements using mysqli.
If using pfSense-cp-onestep-auth v0.48 or higher, please replace php56-mysql package with php56-mysqli.PHP support
The following command should output mysql and mysqlnd.
php -m | grep mysql2.1.3 Common steps
We need to allow the MySQL service to start.
echo 'mysql_enable="YES"' > /etc/rc.confAlso, pfSense won't start services unless their name finishes by “.sh”
mv /usr/local/etc/rc.d/mysql-server /usr/local/etc/rc.d/mysql-server.sh2.1.4 MySQL startup fix
For whatever, pfSense won't start MySQL sometimes. If you have a tip, please tell.
In order to fix this, create the following file /usr/local/bin/mysql_relaunch.sh
#!/usr/bin/env sh service /mysql-server.sh status > /dev/null if [ $? != 0 ]; then service mysql-server.sh start fiRender the file executable
chmod +x /usr/local/bin/mysql_relaunch.shInstall the cron package and add the following entry:
*/1 * * * * root /usr/local/bin/mysql_relaunch.shAfter this, we may launch the mysql service
service mysql-server.sh startAlso, as FreeRADIUS may start before mysql and fail, install watchdog service and set it up to restart FreeRADIUS.
Secure your installation by running the following command and change your root password
/usr/local/bin/mysql_secure_installationOptionnaly, you may create the following password file /root/.my.cnf
[client] password="YourMySQLrootPassword"2.2 FreeRADIUS setup
2.2.1 FreeRADIUS installation
Install the FreeRADIUS2 package via System > Packages > AvailableIn Services > FreeRADIUS > Users
Add a user called: testu
Set it's password: testp
in Services > FreeRADIUS > NAS / Clients
Add a NAS user:
IP: 127.0.0.1
Client Shortname: tester
Shared Secret: SuperTest (replace this with a good password)
In Services > FreeRADIUS > Interface
Add the interface the RADIUS server should listen on: 127.0.0.1
You can now check in Status > System Logs that the server is active
Sep 29 14:54:50 radiusd[10330]: Loaded virtual server <default>Sep 29 14:54:50 radiusd[13493]: Ready to process requests.</default>
Connect to pfSense via ssh or console and check if FreeRADIUS authenticates (replace SuperTest with your Shared Secret):
radtest testu testp 127.0.0.1:1812 0 SuperTestThe answer should look like:
Sending Access-Request of id 108 to 127.0.0.1 port 1812
User-Name = "testu"
User-Password = "testp"
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=108, length=20Check authentication in Status > System Logs
Sep 29 15:04:51 radiusd[22223]: Login OK: [testu] (from client pfSense port 0)#TIP: See https://doc.pfsense.org/index.php/Testing_FreeRADIUS for tuning and troubleshooting
2.2.2 MySQL FreeRADIUS integration
First we need to create the RADIUS database. Launch the “mysql” program. If you didn't create the /root/.my.cnf password file, launch “mysql -p” and execute the following statements:
CREATE DATABASE `radius`; exitWe also have to get a copy of the sql files needed for the captive portal.
You can fetch them via wget at http://netpower.fr/sites/default/files/soft/bin/pfSense-cp-auth-onestep.gz or directly via git:
cd /root git clone https://github.com/deajan/pfSense-cp-auth-onestep cd /root/pfSense-cp-auth-onestep/sqlWe need to integrate every .sql file into the radius database. Please execute the admin.sql file at last because it contains definitions for the other files. Add “-p” to myql if you don't have created the password file.
Before running those commands, modify the admin.sql file in order to replace the default password 'radpass'. (Use vi or nano if installed).
mysql radius < cui.sql mysql radius < nas.sql mysql radius < radippool.sql mysql radius < schema.sql mysql radius < wimax.sql mysql radius < reg_users.sql mysql radius < admin.sqlActivate SQL support in Services > FreeRADIUS > SQL:
Enable SQL Support: Enable
Enable SQL Authorization: Enable
Enable SQL Accounting: Enable
Enable SQL Session: Enable
Enable SQL Post-Auth: Enable
Server IP Address –> 127.0.0.1
Server Port --> 3306
Server Database -> radius
Server User -> radius
Server Password -> radpass (replace with your database password).
MySQL authentication test
Execute the following command (replace SuperTest with your Shared Secret):
radtest testu testp 127.0.0.1:1812 0 SuperTestThe radpostauth table should contain the authentication info:
mysql -p -e "SELECT * FROM radpostauth;" radius+–--+----------+-------+---------------+---------------------+
| id | username | pass | reply | authdate |
+----+----------+-------+---------------+---------------------+
| 1 | testu | testp | Access-Accept | 2015-09-29 15:13:24 |
+----+----------+-------+---------------+---------------------+2.3 Enable captive portal
2.3.1 Setup
Grab a copy of the pfSense-pfcp-auth-onestep files via github or via the following link http://netpower.fr/sites/default/files/soft/bin/pfSense-cp-auth-onestep.gz
Uncompress the file and edit captiveportal-config.php to meet your settings, especially the database password.
Create a new zone in Services > Captive Portal . Example “PUBLICWIFI”
In Services > Captive Portal > File Manager, upload all the files from pfSense-pfcp-auth-onestep beginning with “captiveportal-*”
The following files need to be uploaded:
captiveportal-bootstrap.min.css
captiveportal-bootstrap.min.js
captiveprotal-jquery.validate.js
captiveportal-jquery-1.11.3.min.js
captiveportal-background.jpg
captiveportal-sidelogo.png
captiveportal-check_readio_sheet.png
captiveportal-termsofuse.html
captiveportal-config.php#TIP: I had trouble with uploading the files in pfSense 2.2.6. After every 3 files, I had to restart WebConfigurator via ssh.
We Can now enable the captive portal on the LAN interface or whatever interface you need.
We also need to activate RADIUS authentication:
IP: 127.0.0.1
Port: 1812
Shared Secret: SuperTest (or your Shared Secret)
Radius Protocol: PAP
Account Check:
Send RADIUS accounting packets: Enable
Port: 1813
Accounting updates: stop/start accounting (FreeRADIUS if available)
RADIUS NAS IP attribue: LAN IP (or whatever interface you selected)
Portal page contesnts: Upload file ozy-captive.php
Redirection URL: Whatever you'd like, example: http://www.google.com
2.3.2 Testing
Once enabled, you can open a browser and enter any domain. You should end on the captive portal page.
You may access directly to the captive portal via http://[pfSenseIP]:8002
#TIP: Your computer should use DHCP and use the pfSense IP as DNS server or the redirection won't work.
If the redirection still doesn't work, check that the DNS Resolver service is running without the forwarding mode.
Also, if your computer already has the domain in DNS cache, you may have to flush dns cache.
On Linux:
service nscd restartOn Windows:
ipconfig /flushdnsAt least, close and reopen your browser so it would make a new DNS query.
Fell free to help improve this howto.
Regards,
Ozy. - New version 0.48 has php-mysqli requirements
-
Thanks deajan for the post with detailed information to implement self signed captive portal. My CP was working fine in 2.2 now I can´t install needed packages.
pkg version (pkg -v) is 1.6.2, pkg install mysql56-server creates a loop with these messagesUpdating FreeBSD repository catalogue... FreeBSD repository is up-to-date. Updating pfSense-core repository catalogue... pfSense-core repository is up-to-date. Updating pfSense repository catalogue... pfSense repository is up-to-date. All repositories are up-to-date. New version of pkg detected; it needs to be installed first. Checking integrity... done (0 conflicting) The most recent version of packages are already installedI´ve tried pkg install pkg-1.7.2 with the same result
-
Hello,
This is more a pfSense than a captive portal problem.
Are you still running V2.2 ?Check the contents of /usr/local/etc/pkg/pfSense.conf and see if FreeBSD is enabled (disable it after installing mysql).
-
Thanks so much Deajan for this code! I just wanted to give a heads up that I ran into an issue with the firmware 2.3-RELEASE. When data was submitted I was getting a Fatal error: Call to undefined function mysql_connect(). I was pushing this data to a remote Mysql server.
After looking around I found out from a post that php56-mysql needs to be installed manually on 2.3 with```
pkg install php56-mysql -
I think I wrote about this in section 2.1.2.
Anyway, thanks for the feedback. -
Ahhh I see your right. I must have missed that some how. Anyway thanks again!
-
Hallo,
I did all fine but get
PHP ERROR: Type: 1, File: /var/etc/captiveportal_oberemuehle.html, Line: 126, Message: Call to undefined function mysql_connect()
after typed in registring datas and send it.
php56-mysql is Installed
All Packages Updated + Upgraded
-
On a brand new pfsense 2.3-RELEASE (amd64)
I have edited /usr/local/etc/pkg/repos/pfSense.conf and set the following value:
FreeBSD: { enabled: yes }I have then run :
pkg updateThen:
pkg install nano gitThis then results in:
pkg install nano git Updating FreeBSD repository catalogue... FreeBSD repository is up-to-date. Updating pfSense-core repository catalogue... pfSense-core repository is up-to-date. Updating pfSense repository catalogue... pfSense repository is up-to-date. All repositories are up-to-date. New version of pkg detected; it needs to be installed first. The following 1 package(s) will be affected (of 0 checked): Installed packages to be REINSTALLED: pkg-1.6.2 [pfSense] 2 MiB to be downloaded. Proceed with this action? [y/N]: y Fetching pkg-1.6.2.txz: 100% 2 MiB 632.9kB/s 00:04 Checking integrity... done (0 conflicting) [1/1] Reinstalling pkg-1.6.2... You may need to manually remove /usr/local/etc/pkg.conf if it is no longer needed. [1/1] Extracting pkg-1.6.2: 100% Message from pkg-1.6.2: If you are upgrading from the old package format, first run: # pkg2ng Updating FreeBSD repository catalogue... FreeBSD repository is up-to-date. Updating pfSense-core repository catalogue... pfSense-core repository is up-to-date. Updating pfSense repository catalogue... pfSense repository is up-to-date. All repositories are up-to-date. New version of pkg detected; it needs to be installed first. Checking integrity... done (0 conflicting) The most recent version of packages are already installed Updating FreeBSD repository catalogue... FreeBSD repository is up-to-date. Updating pfSense-core repository catalogue... pfSense-core repository is up-to-date. Updating pfSense repository catalogue... pfSense repository is up-to-date. All repositories are up-to-date. New version of pkg detected; it needs to be installed first.This then loops over and over and does not stop.
The same then happens if I run
pkg install mysql56-serverWhat am I missing please?
-
This is the bug of pkg and will fix in pkg 1.7.2:
https://github.com/freebsd/pkg/issues/1303
"" pkg infinite loop with multiple repos containing different versions of pkg ""
you can comment out all other repo and install what you want, then restore the configuration to default.
after install, the pkg will update to the last version that may cause the pfsense package system stop working, to resolve this:
run:
"pkg delete -f pkg" and install it again with pfsense repo.
-
Hello Ozy, thank you so much for taking the time to do this. I can not stress how helpful this is!
I know this is a lot to ask but if anyone is considering to make a how to video I would really appreciate this. I am not so fluent in this type of configuration. Thank you!
-
I have set the FreeBSD: { enabled: yes } but when I try to install the mysql56-server I get:
Updating pfSense-core repository catalogue…
pfSense-core repository is up-to-date.
Updating pfSense repository catalogue...
pfSense repository is up-to-date.
All repositories are up-to-date.
pkg: No packages available to install matching 'mysql56-server' have been found in the repositoriesAlmost as if it is not looking in the FreeBSD repo.
I have restarted after enabling FreeBSD and gone back in to check that it is enabled.
Any ideas? Thanks
-
Hi,
I've updated the captive portal code a couple of days ago with some bug fixes and minor improvements.
Sorry for not having answered earlier, been in holidays :)@novensiles: can you give the output of "php -m" ?
@abebraham: sorry, but I think the text howto is enough. It's also easier to update it than to update a video. Feel free to ask for help here on the forum or github.
@beewolf: Repo files slightly changed between 2.3-RC and 2.3 final. I've updated the doc for this. -
Many thanks for that - all installed fine with those changes but I am getting the following error on trying to log in:
PHP ERROR: Type 1, File /var/etc/captiveortal_guest_wifi.html, Line 127, Message: Call to undefined functionmysql_connect()
Probably something I have done but am struggling to find what exactly. Any ideas? Thanks
-
What's your output of php -m ?
-
[2.3.1-RELEASE][root@pfSense.skh]/root/pfsense-cp-auth-onestep/sql: php -m
bcmath bz2 Core ctype curl date dom ereg filter gettext hash json ldap libxml mbstring mcrypt mhash mysql mysqlnd openssl pcntl pcre PDO pdo_sqlite pfSense posix radius readline Reflection rrd session shmop SimpleXML sockets SPL sqlite3 ssh2 standard suhosin sysvmsg sysvsem sysvshm tokenizer xdebug xml xmlreader xmlwriter Zend OPcache zlib zmq [Zend Modules] Xdebug Zend OPcache -
It seems that the mysql extension is there.
Can you please restart php-fpm ? And if it does not work, restart pfSense ? -
Yes, thank you that worked - I should have tried that first!!
All seems to be working now in a test environment - just one thing, Freeradius needs to be started manually after a restart. Is this usual? Would it be possible to add the service to the MySQL cron job so it definitely starts automatically?
-
I'll add a note about rebooting to the guide.
As for the freeradius service, it depends on mysql service.
As there is no loading order, sometimes freeradius loads before mysql and may fail.In order to get FreeRADIUS working all the time, I've setup the watchdog package to restart failing services.
-
Many thanks - all working now.
-
bcmath bz2 Core ctype curl date dom ereg filter gettext hash json ldap libxml mbstring mcrypt mhash mysql mysqli mysqlnd openssl pcntl pcre PDO pdo_sqlite pfSense posix radius readline Reflection rrd session shmop SimpleXML sockets SPL sqlite3 ssh2 standard suhosin sysvmsg sysvsem sysvshm tokenizer xdebug xml xmlreader xmlwriter Zend OPcache zlib zmq [Zend Modules] Xdebug Zend OPcache