pfSense » pfSense Plus

When DHCP Leases are cleared, Captive Portal User Logins may cease to be functional due to a change from the IP used when the authentication/login occurred. When the DHCP server assigns a new IP address to the same device on the next connection it will result in the device being presented with a new login screen and once logged in, a duplicate entry in the Captive Portal database for that Mac address, each with a different IP associated with it.

In addition, if the original IP is assigned to a different device/Mac the login screen will not be displayed for that user, instead they will receive the logout screen as Captive Portal will report a validated IP. Unless the device requests a disconnect from the logout screen, it will not be able to log in and in order to disconnect through status, captive portal, you must know which IP is assigned to the device you wish to disconnect as it will be associated with the wrong Mac address in the Captive Portal database. When this situation arises, the captive portal is expecting a login response but the captive portal will display the logout screen. No internet connectivity is enabled due to this conflict.

Proposal: When there are activated logins in Captive Portal, it would be useful to prompt as to this conflict or to offer to disconnect all Captive Portal logins when a DHCP Server request to Clear All DHCP Leases is initiated.
Alternatively, Captive Portal could check for a disassociation between IP/Mac in it's database and the actual IP/Mac of the device requesting the connection and send the login screen instead of logout. When a successful login occurs: disconnect all other associations where either the Mac or IP did not match the new credentials.