Troubleshooting captive portals

pfSense's captive portal service has many options, which means that there are many more things that can go wrong with captive portal access. We can divide these issues into two general categories:

  • Authentication issues (client cannot authenticate, even with seemingly valid credentials)
  • Client can establish a captive portal connection, but some other aspect of the service is not working (for example, DNS is not functioning or websites are blocked)

We will first consider authentication issues. The authentication options are Local User Manager/Vouchers and RADIUS Authentication. If you are using the local user manager, you should confirm that you have created the user accounts correctly and, if Allow only users/groups with "Captive portal login" privilege set is checked, that the users have this privilege. To troubleshoot the issue, you can disable this option and see whether the users can then connect. If you are using vouchers to authenticate, you should confirm that your captive portal login page has <input name="auth_voucher" type="text"> for entering the voucher.
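One way to check a custom login page for the voucher field is sketched below. This is an added example, not pfSense code. The function and class names are hypothetical, the sample pages are constructed, and the POST check is an assumption about how the portal form is submitted.

```python
from html.parser import HTMLParser

class PortalFormAudit(HTMLParser):
    """Record every <input> that sits inside a <form>, with that form's method."""

    def __init__(self):
        super().__init__()
        self.method = None   # method of the enclosing form, None when outside one
        self.fields = []     # (name, type, form method) for each input seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and self.method is not None:
            self.fields.append((a.get("name") or "",
                                (a.get("type") or "text").lower(), self.method))

    def handle_endtag(self, tag):
        if tag == "form":
            self.method = None

def check_voucher_field(html):
    """Return a list of problems; an empty list means the field looks usable."""
    audit = PortalFormAudit()
    audit.feed(html)
    audit.close()
    exact = [f for f in audit.fields if f[0] == "auth_voucher"]
    if not exact:
        # The name is submitted verbatim, so report near misses explicitly.
        near = [f[0] for f in audit.fields
                if f[0].lower().replace("-", "_") == "auth_voucher"]
        if near:
            return [f"input is named {near[0]!r}, expected 'auth_voucher'"]
        return ["no auth_voucher input inside a form"]
    problems = []
    for _, ftype, method in exact:
        if ftype != "text":
            problems.append(f"auth_voucher has type={ftype!r}, expected 'text'")
        if method != "post":  # assumption: the portal form is submitted with POST
            problems.append(f"auth_voucher is in a {method.upper()} form, expected POST")
    return problems

# Constructed sample pages (not taken from a real deployment).
GOOD = '<form method="post" action="#"><input name="auth_voucher" type="text"></form>'
COMMENTED = '<form method="post" action="#"><!-- <input name="auth_voucher" type="text"> --></form>'
MISNAMED = '<form method="post" action="#"><input name="Auth-Voucher" type="text"></form>'
OUTSIDE = '<input name="auth_voucher" type="text"><form method="post" action="#"></form>'

if __name__ == "__main__":
    for label, page in [("good", GOOD), ("commented", COMMENTED),
                        ("misnamed", MISNAMED), ("outside", OUTSIDE)]:
        print(label, check_voucher_field(page) or "ok")
```

A commented-out field, a field placed outside the form, and a misspelled name all look fine at a glance in an editor, which is why the check parses the page rather than searching it for the string.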

One possible issue that might arise is that you are trying to use MAC addresses for authentication, but the captive portal service cannot confirm that the MAC address is correct. This could happen if there is a router between the captive portal client and pfSense, and this issue could occur both in cases where a RADIUS server is being used for authentication, and without a RADIUS server. For troubleshooting, you might try allowing users access by IP address and see whether this works. If it does, there's a good chance pfSense is unable to confirm the MAC address.

One other possibility is that the user is trying to access the captive portal page through HTTPS, but your captive portal zone is only configured for HTTP access. In this case, the solution is for the user to try again with HTTP at the beginning of the URL.

One problem that has been reported is that sometimes, when using a captive portal on a VLAN, the captive portal page will not load. This apparently happens when the parent interface of the VLAN is also being used as a separate interface on pfSense. To prevent this problem, when a parent interface is partitioned into VLANs (VLAN1, VLAN2, and so on), the parent interface (for example, OPT1) should not be used separately; only the VLANs should be used.

If a RADIUS server is being used for authentication, the problem could be either a client or server issue. The RADIUS server may be misconfigured, or it may be down. If you have confirmed that the RADIUS server is functioning properly, the problem may be an incorrect configuration of pfSense. Log files can be helpful in further pinpointing the exact problem. Navigate to Status | System Logs and click on the Captive Portal Auth tab. If pfSense cannot connect to the RADIUS server at all, you should check the IP address/port settings for the RADIUS servers, as well as the shared secret.

The second category of issues is when the user is able to pass through the captive portal, but there are other issues. For example, the user may be having DNS issues. Once again, a good indication that a problem is related to DNS is when you can ping the IP address of a site, but you cannot ping the hostname. DNS is likely not functioning if pinging a valid hostname (for example, google.com) returns the following result:

ping: unknown host google.com

If you are running the command prompt under Windows, the response might look like this:

Ping request could not find host google.com. Please check the name and try again.

If it looks like DNS resolution is the problem, you should check to make sure that either the DNS forwarder or the DNS resolver is running, but not both. If you have confirmed that one of these is running and you are still having problems, the issue may be a DNS server that is down or is not configured properly.

If the user cannot access certain websites, the problem may be that the firewall or proxy server has blocked access to the site. You should navigate to Firewall | Rules and check to see whether there are any rules for the captive portal interface that might block access. Proxy servers usually have the capability to block websites, so if you are running one, you will want to check the settings for the proxy server. We will cover both firewall rules and proxy servers in greater depth in future chapters.

Having problems with pfSense's captive portal on iOS devices (for example, an iPad)? This could be due to a problem with the Safari browser. To fix it, disable URL redirection, clear Safari's caches, disable Autofill, and try again. 