Captive Portal
April 2015 Hangout
Jim Pingle
Project Notes
● pfSense 2.2.2 is out!
– Security and bug fixes
– Console issue, update files fixed
● New SG series hardware shipping now
● Support moved to per-Incident model
● Still investigating new Hangout hosting options
About this Hangout
● Description, Capabilities, and Limitations
● Zones
● Authentication Types
● Vouchers
● Portal Settings Run-Through
● Passing devices/users through
● Redirects
● Custom Login Pages
● Status & Graphs
● Basic Troubleshooting
Description / Capabilities
● What is Captive Portal?
● Captive Portal forces users to authenticate before they can reach the Internet or any network outside their interface
● Captures HTTP requests for unauthenticated users and directs them to a portal page
– It can try to redirect HTTPS, but this results in certificate errors in the browser, because the portal cannot present a certificate valid for the site the client actually asked for
● Useful for presenting a ToS or user agreement, displaying a business or property page, preventing unauthorized use, etc.
● Commonly used in businesses and especially hospitality/travel: hotels, cafes, restaurants, airports
Description / Capabilities
● Works at layer 2 on the portal interface: clients are identified by MAC address and/or IP address depending on settings
● Certain hosts (source or destination) may be set to bypass the portal
– Always-on devices, walled garden, local servers
● Optional automatic per-user bandwidth limits
● Some operating systems and clients have special support to detect portals and alert users that a login is necessary
– Certain cases such as iOS devices may not work quite right and users may need to manually load an HTTP page to log in
Limitations
● Cannot act as a “reverse” portal for clients on WAN
● Does not work for IPv6
● Is only effective if clients have a unique MAC/IP address – if many clients are behind a single router that performs NAT before reaching pfSense, they all appear as one client and it will not work
● For authentication, not encryption, so wireless clients may still need additional security (WPA2, etc.)
● Cannot effectively redirect HTTPS requests (no portal can without an SSL MITM)
● Can only work with bridges if the portal is on the assigned bridge interface (e.g. bridge0)
● Requires some extra work to function with a proxy involved
● No per-user rules based on login name
● No LDAP authentication support
Zones
● Zones allow for multiple independent portals to be configured
● Zones may have completely different settings
● At least one zone must be defined
● One zone may operate on multiple interfaces
● An interface can only be a member of a single zone
● Currently no way to edit zone name/description, so be mindful when creating a new zone
Authentication Types
● None/Open (“Click through”)
– Useful for showing users a ToS/Splash page without requiring a login
● Local Users
– Useful for small numbers of users
– Optional Captive Portal user permission requirement
● Vouchers
– Great for time-limited anonymous but secure access, such as hotels and restaurants, where creating or re-using common user accounts is not viable
● RADIUS
– Useful for large numbers of users or for using extended attributes such as per-user bandwidth or time limits, tying into an AD or similar structure
Vouchers
● Secure access codes generated based on crypto keys
● All vouchers have a set time limit measured in minutes
● Timers are counted from first login and do not pause on logout or disconnect
● Created in batches called “rolls” that share a common time limit
● Once a voucher's time is used up or it is manually expired, it cannot be re-used
● Voucher rolls may be exported as .csv and printed or imported into a POS system
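The properties on this slide (codes that cannot be forged or altered without the roll's key, one shared time limit per roll, a clock that starts at first login and never pauses, manual expiry, CSV export) as an added example, not pfSense's own voucher code. pfSense vouchers are RSA-signed tickets with a configurable bit layout; this example uses a keyed HMAC instead, and the code layout, key, roll numbers and minute values are all assumptions constructed for the demonstration.

```python
import base64
import csv
import hashlib
import hmac
import io

# Constructed key for this example only. A deployment keeps the roll key on the
# firewall; the printed voucher carries only roll, ticket and the check tag.
ROLL_KEY = b"example-only-roll-key-not-for-production"


class VoucherRoll:
    """A roll of access codes that share one time limit.

    Code layout (an assumption for this example, not pfSense's encoding):
    RRR-TTTT-CCCCCCCC  roll id, ticket number, and 8 base32 characters (40 bits)
    of HMAC-SHA256 over roll||ticket, so neither field can be altered or a code
    invented without the roll key.
    """

    def __init__(self, roll_id, minutes, count, key=ROLL_KEY):
        self.roll_id = roll_id
        self.minutes = minutes
        self.count = count
        self.key = key
        self.first_login = {}   # ticket -> epoch seconds of the first successful login
        self.expired = set()    # tickets expired manually or by running out of time

    def _tag(self, roll, ticket):
        payload = f"{roll:03d}{ticket:04d}".encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return base64.b32encode(mac[:5]).decode()

    def code(self, ticket):
        return f"{self.roll_id:03d}-{ticket:04d}-{self._tag(self.roll_id, ticket)}"

    def codes(self):
        return [self.code(t) for t in range(1, self.count + 1)]

    def export_csv(self):
        """Roll export for printing or loading into a POS system."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["roll", "ticket", "code", "minutes"])
        for t in range(1, self.count + 1):
            writer.writerow([self.roll_id, t, self.code(t), self.minutes])
        return buf.getvalue()

    def expire(self, ticket):
        """Manual expiry from the status page: the code is dead from now on."""
        self.expired.add(ticket)

    def redeem(self, code, now):
        """Attempt a login. Returns (True, remaining_minutes) or (False, reason)."""
        parts = code.strip().upper().split("-")
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            return False, "malformed"
        roll, ticket, tag = int(parts[0]), int(parts[1]), parts[2]
        if roll != self.roll_id:
            return False, "unknown roll"
        # Check the tag before trusting anything else; constant-time compare.
        if not hmac.compare_digest(tag, self._tag(roll, ticket)):
            return False, "bad checksum"
        if not 1 <= ticket <= self.count:
            return False, "no such ticket"
        if ticket in self.expired:
            return False, "expired"
        # The clock starts at the first login and keeps running through logouts
        # and disconnects; logging in again only gets whatever time is left.
        start = self.first_login.setdefault(ticket, now)
        remaining = self.minutes - (now - start) / 60
        if remaining <= 0:
            self.expired.add(ticket)
            return False, "time used up"
        return True, remaining


if __name__ == "__main__":
    roll = VoucherRoll(roll_id=7, minutes=60, count=3)
    print(roll.export_csv())
    print(roll.redeem(roll.code(1), now=0))          # first login: full 60 minutes
    print(roll.redeem(roll.code(1), now=45 * 60))    # re-login: 15 minutes left
    print(roll.redeem(roll.code(1), now=61 * 60))    # time used up
```

The check tag is what makes a printed roll safe to hand out: a guest who changes the ticket number on a used voucher, or types a random code, fails the HMAC check before any ticket state is consulted.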
Basic Portal Settings Run-Through
● Enable, select interface(s)
● Max concurrent connections – only controls how many clients may hit the portal web server simultaneously, not an upper limit on logged-in users
● Idle timeout, Hard timeout
● Logout pop-up – not very effective due to pop-up blocking in browsers
● Redirect URL – see next slide
● Concurrent User Logins – the “disable concurrent logins” option keeps only the most recent login per username active; a new login with the same credentials disconnects the earlier session
● MAC Filtering – disable it when clients reach pfSense through a router rather than directly at layer 2, since the portal then sees only the router's MAC address
● Per-User Bandwidth restriction – sets up a limiter for each user
● Authentication – pick whichever method is best for this environment
● HTTPS login – needs a cert from a CA trusted by the user's browser, otherwise users see a certificate warning before the login form
● Custom pages – covered later
Redirects
● Be sure to enter a full URL including the http:// or https:// prefix!
● Pre-authentication redirect
– Requires special code handling in the portal login page and on the landing page
– If blank, the captive portal page is presented directly
● Post-authentication redirect
– Good for a welcome page after login, or redirecting to a preferred search engine, etc.
– If blank, the user will be redirected to whichever page they originally requested
● Blocked MAC address redirect
– If a MAC is set to be blocked on the MAC tab, it will be redirected here
– Useful for blocking infected systems or known offenders
Custom Login Pages
● Do not copy/paste code from “View Source” as this breaks macros! The served page has the macros already expanded, so the copy contains literal values instead of placeholders
● Sample code is on the CP config tab
● More samples on the forum, for example https://forum.pfsense.org/index.php?topic=26141.0
● Once uploaded, the custom page can be downloaded or reset
● Example page from this demo will be available for download
● The stock CP page code may be found in the source
● Images, CSS, etc. may be uploaded on the File Manager tab
– Uploaded files are prefixed with “captiveportal-”, for example “captiveportal-logo.png”, which must be accounted for in the HTML code
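An added example (not pfSense's code) that checks a custom login page for the two mistakes this slide warns about: macros replaced by their expanded values after a copy from “View Source”, and local file references that do not carry the “captiveportal-” prefix the File Manager gives uploaded files. The sample page is constructed for the example; the macro names `$PORTAL_ACTION$`, `$PORTAL_REDIRURL$`, `$PORTAL_ZONE$` and `$PORTAL_MESSAGE$` and the form field names follow the stock page, but treat the exact set as an assumption and confirm it against the sample on the CP config tab of the version in use.

```python
import re

# Macros the portal substitutes when serving the page (assumed set, see lead-in).
REQUIRED_MACROS = ("$PORTAL_ACTION$", "$PORTAL_REDIRURL$", "$PORTAL_ZONE$")

# Constructed custom page: a typical first attempt that references the logo by
# its original file name instead of the uploaded "captiveportal-" name.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="captiveportal-style.css">
</head><body>
<img src="logo.png" alt="Example Cafe">
<form method="post" action="$PORTAL_ACTION$">
  <input name="auth_user" type="text">
  <input name="auth_pass" type="password">
  <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$">
  <input name="zone" type="hidden" value="$PORTAL_ZONE$">
  <input name="accept" type="submit" value="Continue">
</form>
<p>$PORTAL_MESSAGE$</p>
</body></html>"""

# src/href attributes of the tags that pull in files from the File Manager.
LOCAL_REF = re.compile(r'(<(?:img|link|script)\b[^>]*?\s)(src|href)="([^"]+)"')


def _is_local(ref):
    """True for a bare file name that would have to come from the File Manager."""
    return "://" not in ref and not ref.startswith(("/", "$", "#", "data:"))


def check_page(html):
    """Return the problems a page would show once uploaded as the portal page."""
    problems = []
    for macro in REQUIRED_MACROS:
        if macro not in html:
            problems.append(f"missing macro {macro}")
    # A page saved from View Source carries the values the macros expanded to.
    for action in re.findall(r'<form[^>]*\saction="([^"]*)"', html):
        if action != "$PORTAL_ACTION$":
            problems.append(f'form action is the literal "{action}", not $PORTAL_ACTION$')
    for value in re.findall(r'<input[^>]*\sname="zone"[^>]*\svalue="([^"]*)"', html):
        if value != "$PORTAL_ZONE$":
            problems.append(f'zone field is the literal "{value}", not $PORTAL_ZONE$')
    for _, _, ref in LOCAL_REF.findall(html):
        if _is_local(ref) and not ref.startswith("captiveportal-"):
            problems.append(f'"{ref}" is served as "captiveportal-{ref}" after upload')
    return problems


def fix_file_refs(html):
    """Rewrite local image/CSS/script references to the uploaded file names."""
    def rename(m):
        prefix, attr, ref = m.groups()
        if not _is_local(ref) or ref.startswith("captiveportal-"):
            return m.group(0)
        return f'{prefix}{attr}="captiveportal-{ref}"'
    return LOCAL_REF.sub(rename, html)


if __name__ == "__main__":
    for problem in check_page(SAMPLE_PAGE):
        print("before:", problem)
    print("after: ", check_page(fix_file_refs(SAMPLE_PAGE)))
```

Run it over a page before uploading it; an empty result from `check_page` means the form still posts through the macro and every image or stylesheet name matches what the File Manager will actually serve.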
Passing Devices Through
● MAC tab
– Pass or block specific MAC addresses
– Apply a bandwidth limit to a specific MAC address
● Allowed IP Addresses tab
– Pass all traffic to or from a specific IP address
– Useful for local servers, remote DNS servers, etc.
● Allowed Hostnames tab
– Pass from, to, or both directions for a fully qualified domain name
– Works based off hostname resolution (resolved periodically)
– Does not work for hosts whose DNS replies change between lookups
– Works best with static or infrequently changing responses (no round-robin DNS)
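The capture and bypass logic described on the Limitations, Redirects and Passing Devices Through slides, as an added example that is not pfSense's implementation: it models one zone's pass/block/allowed lists and decides, for a constructed request, whether traffic passes, gets a redirect to the portal, or simply cannot be helped (an HTTPS request, or DNS to a resolver that is not on the allowed list). The portal listener port 8002 and the `zone` and `redirurl` query parameters are assumptions for the example; all addresses and MACs are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import quote


@dataclass
class Zone:
    name: str
    interface_ip: str                                   # address of the portal interface
    portal_port: int = 8002                             # HTTP portal listener (assumed)
    redirect_url: str = ""                              # post-auth redirect, blank = original page
    blocked_mac_url: str = ""                           # blocked MAC address redirect
    pass_macs: set = field(default_factory=set)         # MAC tab: pass
    block_macs: set = field(default_factory=set)        # MAC tab: block
    allowed_ips: set = field(default_factory=set)       # Allowed IP Addresses, either direction
    allowed_hosts: dict = field(default_factory=dict)   # Allowed Hostnames: fqdn -> IPs at last resolve
    sessions: dict = field(default_factory=dict)        # client key -> username


@dataclass
class Request:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "dns", "http" or "https"
    host: str = ""      # Host header of an http/https request
    path: str = "/"


def client_key(mac_filtering, req):
    """MAC+IP identifies a client on the segment; IP alone once MAC filtering is
    disabled because clients sit behind a router (and then they all look alike)."""
    return (req.src_mac.lower(), req.src_ip) if mac_filtering else req.src_ip


def decide(zone, req, mac_filtering=True):
    """Return ("pass", None), ("redirect", url) or ("block", reason)."""
    mac = req.src_mac.lower()
    if mac in zone.block_macs:
        if zone.blocked_mac_url:
            return ("redirect", zone.blocked_mac_url)
        return ("block", "MAC blocked")
    if mac in zone.pass_macs:
        return ("pass", None)
    # Walled garden: the portal interface itself, allowed IPs in both directions,
    # and hostnames only as they resolved at the last periodic refresh.
    garden = set(zone.allowed_ips) | {zone.interface_ip}
    for ips in zone.allowed_hosts.values():
        garden |= set(ips)
    if req.dst_ip in garden or req.src_ip in zone.allowed_ips:
        return ("pass", None)
    if client_key(mac_filtering, req) in zone.sessions:
        return ("pass", None)
    if req.proto == "dns":
        # The lookup fails, so the browser never sends the HTTP request the
        # portal would capture: the "no redirect" symptom from troubleshooting.
        return ("block", "DNS to unlisted server; add it to Allowed IP Addresses")
    if req.proto == "https":
        # Nothing in a TLS handshake can be rewritten without a MITM certificate;
        # the connection just hangs until the user loads an http:// page.
        return ("block", "HTTPS cannot be redirected")
    original = f"http://{req.host}{req.path}"
    portal = f"http://{zone.interface_ip}:{zone.portal_port}/index.php"
    return ("redirect", f"{portal}?zone={zone.name}&redirurl={quote(original, safe='')}")


def login(zone, req, user, mac_filtering=True):
    """Record a session and return the post-authentication destination."""
    zone.sessions[client_key(mac_filtering, req)] = user
    return zone.redirect_url or f"http://{req.host}{req.path}"


if __name__ == "__main__":
    guest = Zone(name="guest", interface_ip="192.168.2.1", allowed_ips={"10.0.0.53"})
    laptop = Request("00:11:22:33:44:55", "192.168.2.50", "93.184.216.34", "http", "example.com", "/news")
    print(decide(guest, laptop))                                   # redirect to the portal
    print(decide(guest, Request(laptop.src_mac, laptop.src_ip, "93.184.216.34", "https", "example.com")))
    print(login(guest, laptop, "bob"), decide(guest, laptop))      # back to the original page, then pass
```

The last case in the test below is the NAT limitation from the Limitations slide: with MAC filtering disabled, a second host behind the same router shares the first host's IP and therefore its session.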
Status / Graphs
● Status > System Logs, Portal Auth tab shows a record of logins and error messages (if any)
● Status > Captive Portal shows online users, their address, login time
● Voucher tabs allow for viewing online voucher users, roll status, testing vouchers, and expiring vouchers
● Status > RRD Graph, Captive Portal tab
– Logged In graph: count of users who have logged in over time
– Concurrent graph: count of users online at a specific time
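The Portal Auth log is also the place to look for abuse, which the status pages do not summarize. As an added example (not part of the hangout or of pfSense), the code below parses constructed log lines in the shape of that log and flags two things worth a look: a client failing logins in quick succession (password guessing against local or RADIUS accounts) and one username accepted from several MAC addresses (shared credentials). The line format is approximated for the example from `Zone: <zone> - <STATUS>: <user>, <mac>, <ip>`; statuses other than ACCEPT, FAILURE, LOGOUT and TIMEOUT, and any different format, are an assumption to check against the real log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one normal login, a guessing burst from one client,
# a shared username on two different MACs, and a hard-timeout entry.
SAMPLE_LOG = """\
Apr 21 09:15:02 logportalauth[41231]: Zone: guest - ACCEPT: bob, 00:11:22:33:44:55, 192.168.2.50
Apr 21 09:15:30 logportalauth[41231]: Zone: guest - FAILURE: admin, de:ad:be:ef:00:01, 192.168.2.77
Apr 21 09:15:35 logportalauth[41231]: Zone: guest - FAILURE: admin, de:ad:be:ef:00:01, 192.168.2.77
Apr 21 09:15:41 logportalauth[41231]: Zone: guest - FAILURE: admin, de:ad:be:ef:00:01, 192.168.2.77
Apr 21 09:15:48 logportalauth[41231]: Zone: guest - FAILURE: root, de:ad:be:ef:00:01, 192.168.2.77
Apr 21 09:15:55 logportalauth[41231]: Zone: guest - FAILURE: guest, de:ad:be:ef:00:01, 192.168.2.77
Apr 21 09:16:03 logportalauth[41231]: Zone: guest - FAILURE: admin, de:ad:be:ef:00:01, 192.168.2.77
Apr 21 09:20:10 logportalauth[41231]: Zone: guest - ACCEPT: bob, 66:77:88:99:aa:bb, 192.168.2.61
Apr 21 09:31:17 logportalauth[41231]: Zone: guest - FAILURE: carol, 10:20:30:40:50:60, 192.168.2.80
Apr 21 09:31:29 logportalauth[41231]: Zone: guest - ACCEPT: carol, 10:20:30:40:50:60, 192.168.2.80
Apr 21 10:15:02 logportalauth[41231]: Zone: guest - TIMEOUT: bob, 00:11:22:33:44:55, 192.168.2.50
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) logportalauth\[\d+\]: "
    r"Zone: (?P<zone>\S+) - (?P<status>[A-Z]+): (?P<user>[^,]*), "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}), (?P<ip>\d+(?:\.\d+){3})$"
)


@dataclass
class Event:
    ts: datetime
    zone: str
    status: str
    user: str
    mac: str
    ip: str


def parse_log(text):
    """Parse the lines that match the approximated format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; relative order is all we need here.
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append(Event(ts, m["zone"], m["status"], m["user"], m["mac"].lower(), m["ip"]))
    return events


def failed_login_bursts(events, threshold=5, window_seconds=60):
    """(ip, mac, count) for clients with >= threshold FAILUREs inside any window."""
    times = defaultdict(list)
    for e in events:
        if e.status == "FAILURE":
            times[(e.ip, e.mac)].append(e.ts)
    hits = []
    for (ip, mac), stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):               # sliding window over sorted times
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((ip, mac, best))
    return sorted(hits)


def shared_credentials(events):
    """Usernames accepted from more than one MAC address, with those MACs."""
    macs = defaultdict(set)
    for e in events:
        if e.status == "ACCEPT":
            macs[e.user].add(e.mac)
    return {user: seen for user, seen in macs.items() if len(seen) > 1}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("bursts:", failed_login_bursts(events))
    print("shared:", shared_credentials(events))
```

Feed it the exported Portal Auth log (or the remote syslog copy) rather than reading the tab by hand; a burst hit is a candidate for the MAC tab's block list, and a shared username is a hint that vouchers or per-user RADIUS accounts would be a better fit than one common login.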
Basic Troubleshooting
● No redirect to portal page?
– Check if DNS is working. If the DNS server is remote, add it to the Allowed IP Addresses tab; with no name resolution the client never sends the HTTP request the portal would capture.
– Check firewall rules on the portal interface, make sure they allow outbound access to port 80 (HTTP)
– Client has an HTTPS home page. Have them load an HTTP page
– Try hitting the portal IP:port directly
● More advanced troubleshooting here: https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
Conclusion
● Eventually will have an “Advanced Captive Portal” hangout to cover more complex portal configurations, more detail on vouchers, RADIUS authentication, user attributes, bandwidth and time limits, and more
● Questions?
● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.