Skip to main contentSkip to search
Skip to main content

pfSense

pfSense open-source firewalls authenticate WiFi and wired-guest users through their built-in captive portal against IronWiFi cloud RADIUS (PAP/MSCHAPv2), with the IronWiFi splash page delivered as the external portal URL. Configuration is done under Services > Captive Portal, where you add IronWiFi as the RADIUS authentication server for the zone.

Prerequisites

In IronWiFi Console (complete these first):

  1. Create a Network in IronWiFi Console
  2. Create a Captive Portal with the appropriate vendor
  3. Note your RADIUS settings and Splash Page URL

In pfSense:

  • Administrative access to pfSense device
  • Network connectivity to IronWiFi RADIUS servers

Device Configuration

Step 1: Access pfSense Web Interface

Log in to the pfSense web interface and navigate to the dashboard.

pfSense dashboard overview

Step 2: Navigate to Captive Portal Settings

Go to Services > Captive Portal to begin configuration.

pfSense Services menu with Captive Portal option

pfSense Captive Portal zone selection

Step 3: Configure Captive Portal Zone

Create or edit a captive portal zone with the appropriate settings.

pfSense Captive Portal zone configuration

pfSense Captive Portal zone settings continued

Step 4: Configure RADIUS Authentication

Navigate to the RADIUS authentication settings and configure with your IronWiFi details.

pfSense RADIUS server configuration

pfSense RADIUS authentication settings

RADIUS Settings

Configure your device with:

SettingValue
Primary Server
{Primary IP from IronWiFi}
Auth Port
{AUTH_PORT}
Acct Port
{ACCT_PORT}
Shared Secret
{Your shared secret}

pfSense RADIUS server IP and port configuration

pfSense RADIUS shared secret configuration

Step 5: Configure RADIUS Accounting

Set up RADIUS accounting to track user sessions.

pfSense RADIUS accounting configuration

Captive Portal

  1. Enable external captive portal
  2. Set splash page URL from IronWiFi
  3. Configure walled garden to include 
    107.178.250.42

pfSense Captive Portal enable and splash page URL

pfSense Captive Portal external URL settings

Step 6: Configure Portal Page

Set up the portal page redirect and authentication method.

pfSense portal page configuration

pfSense portal authentication method settings

Walled Garden

Add these entries for pre-authentication access:

pfSense walled garden configuration

Required for IronWiFi:

  • 107.178.250.42
    (IronWiFi splash page)
  • DNS servers

pfSense walled garden allowed IP addresses

Authentication Provider Domains:

If using social login providers, add the following domains to your walled garden:

ProviderRequired Entries
Google
*.google.com
, 
*.googleapis.com
, 
*.gstatic.com
, 
accounts.google.com
Facebook
*.facebook.com
, 
*.fbcdn.net
, 
connect.facebook.net
, 
facebook.com
Twitter
*.twitter.com
, 
*.twimg.com
, 
twitter.com
LinkedIn
*.linkedin.com
, 
*.licdn.com
Microsoft
*.microsoft.com
, 
*.microsoftonline.com
, 
*.live.com
, 
login.live.com

pfSense walled garden social login domains

Step 7: Configure Firewall Rules

Set up the necessary firewall rules for the captive portal to function.

pfSense firewall rules for captive portal

pfSense firewall rule details

Step 8: Test and Verify Configuration

Verify that all settings are correct and test the captive portal.

pfSense captive portal status page

WPA-Enterprise

For 802.1X authentication:

  1. Set security to WPA2-Enterprise
  2. Configure RADIUS server details
  3. Test with a known user

pfSense WPA2-Enterprise RADIUS configuration

Troubleshooting

IssuePossible CauseSolution
Portal not appearingWalled garden misconfiguredCheck walled garden includes 
107.178.250.42
and splash URL is correct
Authentication failingRADIUS settings incorrectVerify RADIUS IP, ports, and shared secret match IronWiFi Console
No internet after authFirewall or VLAN issueCheck firewall rules and VLAN settings

Getting Help

For device-specific questions:

Shared configuration

Was this page helpful?