Reblogging this for backup reference. 🙂 Credits to the owner.
1 Introduction
pfSense-cp-auth-onestep is a project that provides a captive portal interface for pfSense 2.x (currently tested on 2.2.x, 2.3-beta, 2.3 and 2.3.1) that does not require an administrator to create a user account in advance.
Instead, when a user registers on the portal page, the portal creates the RADIUS user account in the MySQL backend and immediately logs the user in with it.
2 Preparation of pfSense
Additional steps for pfSense 2.3
Repository management changed in pfSense 2.3: the stock FreeBSD package repository is disabled by default, so pkg only sees the pfSense repository. Edit the FreeBSD repository configuration that pkg reads (/etc/pkg/FreeBSD.conf on a stock FreeBSD layout) and set the following value:
FreeBSD: { enabled: yes }
On pfSense 2.3 final and later, you must also edit the file /usr/local/etc/pkg/repos/FreeBSD.conf and set the same value:
FreeBSD: { enabled: yes }
ATTENTION: once the packages below are installed with the pkg command, set this value back to 'no' in both files, so that the FreeBSD repository cannot interfere with normal pfSense operation and updates (pfSense ships its own builds of these packages, and pulling stock FreeBSD versions over them can break the system).
Make sure pkg is bootstrapped (running it without arguments triggers the bootstrap when needed), refresh the catalogues and install the tools used in the rest of this guide:
pkg
pkg update
pkg install nano git
After re-disabling the FreeBSD repository, remove the cached repository catalogues so that pkg stops offering FreeBSD packages:
rm -f /var/db/pkg/*.sqlite
Note that this glob also matches local.sqlite, pkg's database of installed packages; if you want pkg to keep track of what it installed, delete only the repo-*.sqlite catalogue files.
2.1 Installation of MySQL
Although MySQL really belongs on a separate machine (a firewall is not the ideal host for a database), it is convenient to have a single pfSense box doing the whole authentication.
Installing MySQL this way is not supported by pfSense, so you will have to redo the following steps after every pfSense upgrade.
2.1.1 pfSense 2.2 steps
pkg install mysql56-server
pkg install compat8x-amd64
Enable the PHP MySQL extension, let pfSense regenerate its PHP configuration, and verify that PHP now loads the module:
touch /etc/php_dynamodules/mysql
/etc/rc.php_ini_setup
php -m | grep mysql
2.1.2 pfSense 2.3 steps
pkg install mysql56-server
pkg install compat9x-amd64
pkg install php56-mysql
php -m | grep mysql
2.1.3 Optional steps if mysql57 is used
Only FreeRADIUS and the portal on this same box need the database, so keep MySQL off the firewall's interfaces by binding it to the loopback address. Edit /usr/local/my.cnf (or create /var/db/mysql/my.cnf) with:
[mysqld]
bind-address = 127.0.0.1
In order to be able to use the FreeRADIUS schema (it contains date values that MySQL 5.7 rejects under its default sql_mode), add to the same file:
[mysqld]
sql-mode=allow_invalid_dates
2.1.4 Common steps
Enable MySQL for the service(8) command, which reads /etc/rc.conf. Append the flag rather than overwriting the file (the original used a single > here, which would discard anything already in it):
echo 'mysql_enable="YES"' >> /etc/rc.conf
pfSense's boot process only runs the scripts in /usr/local/etc/rc.d whose names end in .sh, so rename the MySQL rc script:
mv /usr/local/etc/rc.d/mysql-server /usr/local/etc/rc.d/mysql-server.sh
2.1.5 MySQL startup fix
The renamed rc script is not always started reliably at boot, so create /usr/local/bin/mysql_relaunch.sh, a small watchdog that starts the server whenever it is found not running (the original had a stray slash in the first service call; it is removed here):
#!/usr/bin/env sh
service mysql-server.sh status > /dev/null
if [ $? != 0 ]; then
    service mysql-server.sh start
fi
chmod +x /usr/local/bin/mysql_relaunch.sh
Run it every minute from the system crontab:
*/1 * * * * root /usr/local/bin/mysql_relaunch.sh
Start MySQL now and run the hardening script, which sets the root password, removes the anonymous accounts and the test database, and disallows remote root login:
service mysql-server.sh start
/usr/local/bin/mysql_secure_installation
So that the mysql client used in the following steps can log in without prompting, store the root password in /root/.my.cnf and make the file readable by root only (chmod 600 /root/.my.cnf):
[client]
password="YourMySQLrootPassword"
2.2 FreeRADIUS setup
2.2.1 FreeRADIUS installation
Install the FreeRADIUS package from the pfSense package manager, add a test user (testu with password testp in the examples below) and a NAS client entry for 127.0.0.1 with a shared secret (SuperTest below). The system log should show the server coming up:
Sep 29 14:54:50 radiusd[10330]: Loaded virtual server <default>
Sep 29 14:54:50 radiusd[13493]: Ready to process requests.
Connect to pfSense via ssh or the console and check that FreeRADIUS authenticates the test user (replace SuperTest with your shared secret):
radtest testu testp 127.0.0.1:1812 0 SuperTest
Sending Access-Request of id 108 to 127.0.0.1 port 1812
    User-Name = "testu"
    User-Password = "testp"
    NAS-IP-Address = 192.168.1.1
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=108, length=20
The FreeRADIUS log confirms the login:
Sep 29 15:04:51 radiusd[22223]: Login OK: [testu] (from client pfSense port 0)
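What radtest actually puts on the wire, and what the shared secret protects, as an added example in Python that is not code from this page or from the pfSense-cp-auth-onestep project: it builds the same Access-Request as above (id 108, testu/testp, NAS-IP-Address 192.168.1.1, secret SuperTest), obfuscates User-Password per RFC 2865 section 5.2, fills in the Message-Authenticator (RFC 2869) that radtest prints as zeros before sending, and checks an Access-Accept's Response Authenticator the way a client should. Nothing is sent: the server side is emulated locally by build_access_accept so the checks can be exercised offline. All function and constant names are this example's own.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(cipher, secret, authenticator):
    """Server side of 5.2 (what FreeRADIUS does before comparing against Cleartext-Password)."""
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """{type: value} for the attributes after the 20-byte header; first occurrence wins."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    if pos != len(packet):
        raise ValueError("trailing bytes")
    return attrs


def build_access_request(ident, secret, username, password, nas_ip="192.168.1.1", nas_port=0):
    """Client side: what `radtest testu testp 127.0.0.1:1812 0 SuperTest` sends."""
    authenticator = os.urandom(16)  # Request Authenticator: must be unpredictable per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with the Message-Authenticator value
    # zeroed, which is why radtest prints it as 0x0000... before sending.
    body = attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server side: rejects a request whose secret or bytes differ from what was signed."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


def build_access_accept(request, secret, attrs=b""):
    """Emulated server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request, response, secret):
    """Client side: an Access-Accept forged without the secret fails here."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"SuperTest"
    req = build_access_request(108, secret, "testu", "testp")
    acc = build_access_accept(req, secret)
    print(len(req), "byte request; accept verified:", verify_response(req, acc, secret))
```

Two points this makes for the pfSense setup: the password obfuscation is only MD5(secret + authenticator) XORed over the password, so the shared secret carries all of the confidentiality (SuperTest is a placeholder from the page, not a recommendation), and it is the Response Authenticator and Message-Authenticator, both keyed by that secret, that let the client reject a forged Access-Accept and the server reject a forged request. With the portal, FreeRADIUS and MySQL on one box the exchange stays on 127.0.0.1, but the secret is still what gates access to port 1812.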
2.2.2 MySQL FreeRADIUS integration
First we need to create the RADIUS database. Launch the mysql client (if you did not create the /root/.my.cnf password file, launch "mysql -p" instead) and execute the following statements:
CREATE DATABASE `radius`;
exit
The SQL files that populate the database are in the sql directory of the project. You can fetch them via wget from http://netpower.fr/sites/default/files/2016-03/pfSense-cp-auth-onestep.gz or directly via git:
cd /root
git clone https://github.com/deajan/pfSense-cp-auth-onestep
cd /root/pfSense-cp-auth-onestep/sql
Every .sql file has to be loaded into the radius database. Run admin.sql last, because it contains definitions that refer to the objects the other files create. Add "-p" to mysql if you did not create the password file.
Before running these commands, edit admin.sql (with vi, or nano if you installed it) and replace the default password 'radpass' with one of your own: it is the database password that FreeRADIUS's SQL configuration and the captive portal (captiveportal-config.php) will use, so it has to match what you configure there later.
mysql radius < cui.sql
mysql radius < nas.sql
mysql radius < radippool.sql
mysql radius < schema.sql
mysql radius < wimax.sql
mysql radius < reg_users.sql
mysql radius < admin.sql
MySQL authentication test
Point FreeRADIUS at the database (the SQL settings of the pfSense FreeRADIUS package, with the database user and the password you put in admin.sql), then run the same test again:
radtest testu testp 127.0.0.1:1812 0 SuperTest
If the SQL integration works, the authentication is recorded in the radpostauth table:
mysql -p -e "SELECT * FROM radpostauth;" radius
+----+----------+-------+---------------+---------------------+
| id | username | pass  | reply         | authdate            |
+----+----------+-------+---------------+---------------------+
|  1 | testu    | testp | Access-Accept | 2015-09-29 15:13:24 |
+----+----------+-------+---------------+---------------------+
Note that the pass column holds the password the user submitted, in clear text: FreeRADIUS's stock post-auth query logs User-Password as-is. Keep this table out of reach of anything but FreeRADIUS (the bind-address setting above and a dedicated database user help), or change the post-auth query so it no longer stores the password.
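The data-model side of the one-step flow (register, then authenticate, then the post-auth record just queried), as an added example in Python that is not code from this page or from pfSense-cp-auth-onestep: it rebuilds the two FreeRADIUS tables the page touches in an in-memory SQLite database (same columns as FreeRADIUS's schema.sql; the pfSense box uses MySQL) and walks testu/testp through them. The function names, the duplicate-username check and the store_password switch are this example's own, not the project's.

```python
import hmac
import sqlite3
from datetime import datetime

# Column layout follows the radcheck and radpostauth tables of FreeRADIUS's schema.sql, with
# MySQL types mapped to SQLite. The in-memory database and the queries are this example's own.
SCHEMA = """
CREATE TABLE radcheck (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  username VARCHAR(64) NOT NULL DEFAULT '',
  attribute VARCHAR(64) NOT NULL DEFAULT '',
  op CHAR(2) NOT NULL DEFAULT '==',
  value VARCHAR(253) NOT NULL DEFAULT ''
);
CREATE TABLE radpostauth (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  username VARCHAR(64) NOT NULL DEFAULT '',
  pass VARCHAR(64) NOT NULL DEFAULT '',
  reply VARCHAR(32) NOT NULL DEFAULT '',
  authdate TIMESTAMP NOT NULL
);
"""


def open_radius_db():
    """Fresh in-memory stand-in for the `radius` database created in section 2.2.2."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def register_user(db, username, password):
    """One-step registration: the portal creates the RADIUS account as a radcheck row.
    Cleartext-Password with op ':=' is the standard rlm_sql way to store a PAP credential.
    Both values come from a web form, so they are bound parameters, never concatenated SQL."""
    if db.execute("SELECT 1 FROM radcheck WHERE username = ?", (username,)).fetchone():
        raise ValueError("username already registered")
    cur = db.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES (?, 'Cleartext-Password', ':=', ?)",
        (username, password))
    db.commit()
    return cur.lastrowid


def authorize(db, username, password):
    """The login right after registration: fetch the check item and compare it (PAP)."""
    row = db.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = 'Cleartext-Password'",
        (username,)).fetchone()
    ok = row is not None and hmac.compare_digest(row[0].encode(), password.encode())
    return "Access-Accept" if ok else "Access-Reject"


def log_postauth(db, username, password, reply, store_password=False):
    """Post-auth record. store_password=True mirrors FreeRADIUS's stock postauth_query, which is
    why the page's radpostauth output shows 'testp'; the default here leaves the column empty."""
    db.execute("INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (?, ?, ?, ?)",
               (username, password if store_password else "", reply,
                datetime.now().strftime("%Y-%m-%d %H:%M:%S")))
    db.commit()


def cleartext_passwords_logged(db):
    """Audit query to run against the real table: rows still carrying a user's password."""
    return db.execute("SELECT username, pass FROM radpostauth WHERE pass <> ''").fetchall()


if __name__ == "__main__":
    db = open_radius_db()
    register_user(db, "testu", "testp")
    reply = authorize(db, "testu", "testp")
    log_postauth(db, "testu", "testp", reply, store_password=True)
    print(reply, cleartext_passwords_logged(db))
```

The audit query at the end is the one worth running on the real radius database after a few days of operation: if it returns rows, the post-auth query is still writing users' passwords to disk.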
2.3 Enable captive portal
2.3.1 Setup
Grab a copy of the pfSense-cp-auth-onestep files via github or via the following link: http://netpower.fr/sites/default/files/2016-03/pfSense-cp-auth-onestep.gz
Uncompress the archive and edit captiveportal-config.php to match your settings, especially the database password (the one you put in admin.sql).
In Services > Captive Portal > File Manager, upload all the files from pfSense-cp-auth-onestep whose names begin with "captiveportal-":
captiveportal-bootstrap.min.css
captiveportal-bootstrap.min.js
captiveprotal-jquery.validate.js
captiveportal-jquery-1.11.3.min.js
captiveportal-background.jpg
captiveportal-sidelogo.png
captiveportal-check_readio_sheet.png
captiveportal-termsofuse.html
captiveportal-config.php
#TIP: I had trouble uploading the files in pfSense 2.2.6: after every 3 files, I had to restart the WebConfigurator via ssh.
2.3.2 Testing
Once the captive portal is enabled, open a browser on a client behind it and enter any domain. You should end up on the captive portal page.
#TIP: Your computer should use DHCP and use the pfSense IP as its DNS server, or the redirection won't work.
If the redirection still doesn't work, check that the DNS Resolver service is running and not in forwarding mode. Clearing any cached DNS answers also helps (the second command is the Windows equivalent):
service nscd restart
ipconfig /flushdns