How tracking a user
-
Hello friends, I recently activated a captive portal and it is working well for me. I created it without authentication, since the user scans the Wi-Fi network in a QR and, if he accepts the usage policies, he uses the network (that is how the company asked me). But I was recently asked for something that I don't know how to do: it requires that there be a record somewhere of who connected to the guest network.
Although the user is anonymous, I need to somehow create a record that, for example, User, Mac-address xxx, on that date, connected to the service. This is being asked of me because, if there is inappropriate behavior with the use of this internet, you can know who it was, for the records or the creation of blacklists.
I don't know if it is possible, for example, to force the person to use his email to validate her entry without neglecting that he has to accept that he has read and understood the rules of use.
So the mission is to ensure that whoever uses this network may not be so anonymous, that is, we can have a record of who it was.
Can you help me with this topic? Thanks a lot -
@kapvcop said in How tracking a user:
for example, User, Mac-address xxx, on that date, connected to the service
Go have a look at Status > System Logs > Authentication > Captive Portal Auth
@kapvcop said in How tracking a user:
I don't know if it is possible, for example, to force the person to use his email to validate her entry
pfSense permits you to create your own login page, an HTML file that can also contain PHP.
Store the email as the: <input name="auth_user" type="text">
so the mail will also get logged.
Be aware: IPs can be forged, like the MAC, and very often people don't type in their email address correctly, or use something else ;)
Edit:
There is a way to validate the email address.
Make your own login page (the "Portal page contents" - see Captive portal settings), and ask for the mail. Hide the password on this page so the user can't enter one except his mail address. When the user validates, the login will fail, and the error login page ("Auth error page contents") will get shown.
On this page the portal user sees the email again, and can now enter a challenge code. I advise you to use the FreeRadius page, so you can store the email and the randomly generated challenge code in the back end SQL database. This challenge code will be the password that the user should receive by mail, and will get asked on the second, error page ("Auth error page contents").
So, yeah, use the FreeRadius package, so you don't have to interface with the internal pfSense user manager. Be aware: you will have to modify a pfSense script file (this one: /etc/inc/captiveportal.inc).
And worse, you have to know how to add rules into ipfw, the firewall used by pfSense for the captive portal. The thing is: when the user initially connects to the portal, everything is blocked. You will have to open ports: 110 (POP), 143 (IMAP), 993 (IMAPS) and 995 (POPS).
Have a look here.
You also need the manual of ipfw used by FreeBSD. Inform the user that only mail clients are supported, not web mail access, as web mail would imply that you have to open port 443, as this is the port every HTTPS web server uses. Doing that will render your captive portal useless.
With these 4 ports open, clients can receive the mail you've sent with pfSense upon first page validation, to get the challenge code. Implement this and consider that you passed an above-average firewall admin exam.
Take note: upon pfSense update, the "/etc/inc/captiveportal.inc" will get overwritten. You will have to reimplement your "ipfw rule creation" where you allow ports TCP 110, 143, 993 and 995 (probably a PHP line or two).
Be assured, you can use PHP: it's the world's most simplistic scripting language, and looks like the BASIC that everybody used in the eighties/nineties.
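
The challenge-code step described in the reply above, sketched as an added example (not part of the original posts, and not pfSense or FreeRADIUS code). It assumes the stock FreeRADIUS `radcheck` table layout; the function `issue_challenge`, the `guest_log` table and the in-memory SQLite database used for the demo are hypothetical stand-ins for the real SQL back end.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: create a one-time code for $email, store it as the
// RADIUS password, and log who asked for it. Returns the code to be mailed.
function issue_challenge(PDO $db, string $email, string $mac, string $ip): string
{
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    // 8 digits from the CSPRNG; rand()/mt_rand() are predictable.
    $code = str_pad((string) random_int(0, 99999999), 8, '0', STR_PAD_LEFT);

    $db->beginTransaction();
    // Replace any earlier code so only the latest mail is valid.
    $db->prepare("DELETE FROM radcheck WHERE username = ? AND attribute = 'Cleartext-Password'")
       ->execute([$email]);
    $db->prepare("INSERT INTO radcheck (username, attribute, op, value)
                  VALUES (?, 'Cleartext-Password', ':=', ?)")
       ->execute([$email, $code]);
    // The record the original question asks for: who, which device, when.
    $db->prepare('INSERT INTO guest_log (email, mac, ip, requested_at) VALUES (?, ?, ?, ?)')
       ->execute([$email, $mac, $ip, gmdate('c')]);
    $db->commit();
    return $code;
}

// Demo on an in-memory SQLite database with constructed values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT)');
$db->exec('CREATE TABLE guest_log (email TEXT, mac TEXT, ip TEXT, requested_at TEXT)');

$code = issue_challenge($db, 'Guest@Example.com', '02:00:00:aa:bb:cc', '192.0.2.10');
// A real portal page would mail $code here and never display it.
echo "code issued: ", strlen($code), " digits\n";
foreach ($db->query('SELECT * FROM guest_log') as $row) {
    echo "{$row['email']} {$row['mac']} {$row['ip']} {$row['requested_at']}\n";
}
try {
    issue_challenge($db, 'not-an-address', '02:00:00:aa:bb:cc', '192.0.2.10');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The log row is written when the code is requested, so it exists even if the guest never completes the login; the MAC and IP in it carry the forgery caveat given in the reply.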