How To Configure A Captive Portal For Network Access Authentication Using A Pfsense Firewall.

The PFSENSE captive portal feature is a useful authentication system that makes it possible to secure a network by requesting a user to enter  a username and password  on a portal page before granting access to resources on a network. Captive portals are most commonly deployed on wireless hotspots, hotels, airports, business offices. and even homes. This tutorial provides a simple guide on how to configure a captive portal for network access authentication using a PFSENSE firewall

Requirements

In order to complete this tutorial successfully the following items are required. Please ensure to have these items available before taking implementation action on this tutorial:
1) A desktop or latop with a web browser installed.
2) A PFSENSE firewall appliance or virtual machine.
3) An internet connection.
4) Basic understanding of HTML programming.

Step One: Create A Captive Portal (Without Authentication).

1) Power on the PFSENSE firewall and once it completes the system startup process, open a web browser (i.e chrome, safari, edge, explorer, firefox etc), enter the IP ADDRESS or HOSTNAME of the web configurator in the browser address bar and press the  “ENTER” key on your keyboard.

Once the PFSENSE web configurator login page opens enter your login credentials and click on “SIGN IN”

2) Add a new CAPTIVE PORTAL by clicking on “SERVICES > CAPTIVE PORTAL > ADD”.

On the “ADD CAPTIVE PORTAL ZONE” page type in a “ZONE NAME” and “ZONE DESCRIPTION” on the appropriate spaces and click on “SAVE & CONTINUE”

3) On the “CONFIGURATION” tab click on the “ENABLE CAPTIVE PORTAL” check box and set the “INTERFACE” to LAN.

Enter the maximum number of connections to the captive portal on the  “MAXIMUM CONCURRENT CONNECTION”  and type in the amount of time when clients will be disconnected due to inactivity on the “IDLE TIMEOUT(MINUTES)” input box.

4) Scroll down to the “CAPTIVE PORTAL LOGIN PAGE” section and click on the “DISPLAY CUSTOM LOGO” check box. On “LOGO IMAGE” click on the “CHOOSE FILE” button and select your logo.

Click on the “DISPLAY CUSTOM BACKGROUD IMAGE” check box and on the “BACKGROUND IMAGE” option click on the “CHOOSE FILE” button and select your background image.

Type in or paste terms and conditions for use in the captive portal on the “TERMS AND CONDITIONS” text input box.

On the “AUTHENTICATION METHOD” drop down menu select the “NONE, DONT AUTHENTICATE USERS” option.

5) On the “HTTPS OPTIONS” section click on the “ENABLE HTTPS LOGIN” checkbox and enter the IP ADDRESS of the PFSENSE firewall on the “HTTPS SERVER NAME” text input box. It is also possible to type in a hostname provided you have a DNS server that can resolve to the correct interface IP on the  PFSENSE firewall.

Choose the default web configurator certificate on the “SSL CERTIFICATE” drop down menu and click on “SAVE”

6) Open a new browser tab and try to browse to google.com or any other web page. PFSENSE will automatically redirect to the captive portal login page. Click on “LOGIN” to gain access to network resources.

To view the number of user that are currently logged into the captive portal click on “SERVICES > CAPTIVE PORTAL >NUMBER OF USERS”

Step Two: Add A Custom Captive Portal Login Page.

7) The PFSENSE captive portal feature allows you to add a custom login page. This is usefull if the default PFSENSE captive portal login page lacks features and / or designs that you may wish to display. You may also want to display adverts and / or custom information for users and this is possible if a custom captive portal login page is used.

To set up a custom captive portal login page, click on  “SERVICES > CAPTIVE PORTAL”. Click on the EDIT icon on the captive portal zone. On the CONFIGURATION  tab scroll down and click on the “USE CUSTOM CAPTIVE PORTAL PAGE” check box.

8) Create an html  web page using any code editor such as notepad++, visual studio code, netbeans,  phpstorm, atom.. etc. Ensure that the web page is named portal.html. Two additional pages for handling authentication and logout events also have to be created. 

We have prepared a starter project that you can download and setup the custom captive portal login page. Click HERE to download the HTML files.

Step Three: Use An Authentication Backed To Authenticate Captive Portal Users.

8)

Step Four: Use Radius MAC Authentication To Authenticate Captive Portal Users.

9)