To get started implementing a captive portal on your network, perform the following steps:
- Navigate to Services | Captive Portal. This page displays a table with all of the defined captive portal zones. There is a green +Add button down and to the right of the table; pressing this button allows you to add a zone.
- When you add a zone, you are initially directed to the Add Zone page. Here you are required to enter Zone Name, which can only contain letters, digits, and underscores. You can also enter a brief (non-parsed) description in the Description field. Enter this information and press the Continue button.
- Now we will be directed to the Configuration page, where we are presented with a warning which contains the following information:
-
- Make sure you enable the DHCP server on the captive portal interface
- Make sure the maximum DHCP lease time is longer than the captive portal hard timeout
- Make sure the DNS forwarder or DNS resolver is enabled, or DNS lookups will not work for unauthenticated clients
- To begin configuration, check the Enable Captive Portal checkbox. Once this box is checked, the other options will appear on the page.
- We will begin by considering the options that must be changed in order for captive portal to work. You must select at least one interface on which the captive portal will be enabled, and you can do this in the Interfaces list box. The first option is the Interfaces drop-down box, in which you select the interface on which captive portal will be enabled. In most scenarios where you are setting up a captive portal, you probably want to have a separate interface or interfaces for captive portal users.
- Next, scroll down to the Authentication section. Here you must select an authentication method: No Authentication, Local User Manager/Vouchers, or RADIUS Authentication:
- If No Authentication is selected, the captive portal user will not be prompted for a username and password or a voucher code—usually at most they will be required to accept the network's terms of service.
- Local User Manager/Vouchers covers the cases in which pfSense will handle authentication. Either the user will be prompted for a username/password combination for a user who was previously entered into the pfSense user manager, or the user will be prompted for a voucher code that was generated by pfSense.
- In the case of RADIUS Authentication, the authentication will be done by an external RADIUS server. This will be covered in detail in a subsection, but we will note that if you choose this option, at a minimum you will have to enter the RADIUS protocol and the IP address of the primary RADIUS server.
The next section is HTML Page Contents. At a minimum, you will probably find it necessary to replace the portal page, contents page, and to upload a portal page that is appropriate for the type of authentication you selected. If you are not requiring authentication, all you need is a form with a Submit button and a hidden field with the name redirurl and the value $PORTAL_REDIRURL$. If you require authentication, then you need to have either auth_user and auth_pass or auth_voucher (or both if you support both username/password login and vouchers).
The pages you uploaded may contain images, and as you probably guessed, you're going to need a means of uploading these images. This is what the File Manager tab is for. Any files you upload via this tab with the filename prefix of captiveportal- will be made available in the root directory of the captive portal server. This is useful if you have files which you want to reference in your portal page (for example, a company logo). In addition, you can upload PHP files for execution. The total size limit for all files uploaded via this tab is 1 MB.
- To add a file, click on the +Add button, which is below the Installed Files table and to the right. This loads a separate page where you can upload the file.
- Click on the Browse button to launch a file dialog box.
- Select a file, click on the Open button in the file dialog box, and then click on the Upload button.