CAPTIVE PORTAL ACCESS CONTROL
-
hi
i study the case, its possible via radius without problems
the problem is really that these public credentials, can be "called" on all our extra services, like password restoring via sms, customer aera…
and it would need a lot of programming to exclude these credentials, from all these services, that can be used by users on a not good way.. like changing the public password...lol
any other idea? I think the best way is Curl, we already do this to take backups from the the backup page in pf.
-
I have similar the "free airing" period as "happy hour" on my system.
This is how to implement:1. create a username and password with no expire.
e.g. username="free", password="q1w2e3r4"
this will be used to login the free period.2. clone your login page, replace input fields with hidden and put in username and password from 1).
e.g.3. obfuscate your html page so nobody can view source to see username and password;
goto: http://www.obfuscatorjavascript.com, put in html code, obfuscate, copy obfuscate code.4. go to shell in pfsense. cd /var/etc. mkdir cp. cd cp
create new file "page-obs", insert, paste your obfuscate code, save file.
cp ../captiveportal_zonename.html page-std
(replace "zonename" with the name you have given to CP zone in setup)
now you have 2 files in directory /var/etc/cp ; "page-obs" and "page-std"5. pfSense sends the contents of file /var/etc/captiveportal_zonename.html to CP clients for login.
you need to switch this file contents for the time you want the "free airing".
therefore, make 2 scripts in /usr/local/etc ; "freeair.sh" and "notfree.sh"
freeair.sh: cp /var/etc/cp/page-obs /var/etc/captiveportal_zonename.html
notfree.sh: cp /var/etc/cp/page-std /var/etc/captiveportal_zonename.html6. put in cron;
when to start freetime : /usr/local/etc/freeair.sh
when to finish freetime : /usr/local/etc/notfree.shportal login page will be switched automatically at the time you have scheduled in cron.
hope that helps.
I am interested to know how to use curl to take backups from the pf backup page.
please can you provide the intructions how to implement.
Thank you. -
ENJOY :)
#!/bin/bash
BECHASEL PFBACKUP_PULL
on prepare le terrain pour recuperer la cookie d'auth sur le BAS
Wget de la cookie
wget -qO/dev/null –keep-session-cookies --save-cookies cookies.txt --post-data 'login=Login&usernamefld=backup_agent&passwordfld=knable1987' --no-check-certificate https://node-XXX.inf.bechasel.bwan:9999/diag_backup.php
on desactive l'alerte SSLC ... (--no-check-certificate)
on y retourne, et cette fois ci, on reprend la session et on envoie l'ordre de DL de la conf
on prend egalement le backup de toutes les stats en memoire
wget --keep-session-cookies --load-cookies cookies.txt --post-data 'Submit=download&donotbackuprrd=0' https://node-XXX.inf.bechasel.bwan:9999/diag_backup.php --no-check-certificate -O BACKUP-XXXXSERVERIDXXXXX-
date +%Y%m%d%H%M%S
.xmlON ECRIT NOTRE FICHIER ET ON IMPRIME LA DATE DE RECUP
#FIN
-
i look on your solution …
but :
your cp zone switches do reload cp???
i dont think so, ... that is a really problem, im not sure free user will be kicked !?
lol
the best way would really be to have a cmd to turn on / off cp ... or act this with a remote "form proedure"
do you know those on/off commands?
they are cmd for log rotate of squid..
I can t believe there is no one for cp on/off ??
-
Even if you stop the CP (from GUI) it does not kick the users.
I call /sbin/reboot after notfree.sh to reboot the system.
This is only way I found to reliably kick all users and restart CP.
My system takes just 2 mins and its back onlineThere must be a better way to do it but have not found it yet.
You could write a script to call functions in /etc/inc/captiveportal.inc
There is a "reinit" function in there, it needs the right variables passing/setup.
Maybe someone can get or already got this to work? -
the only thing that kik user, is a cp change
so resave a on/off authentication on cp will kick the users
thats what im tring via script
i would want to use the existing forms via script
-
I try it with curl but get: CSRF check failed.
what means "you want to use the existing forms via script", which forms?
can you show your script to do CP change? -
CP changes => made a reload that kik everyone !
=> reauth.
What I want to do, is (via script) emulate a change (on/off) on the CP GUI
what I sent you about bakup
IS an emulation, the script log in, go to the backup page, and make a post/get (i cant remember) on the page form
(like a human would do)i want to do the same
log in from remote, go to the cp form, turn on/off authentication, post (and the cp will reload and kick everyone like with an "human change")
a) are we happy hour? => transparent, all users continue to surf, new ones comes and take the happy hour
b) are we no more on happy hour? => CP Page come back, and genuine users log in.
==> Better : genuine users realyses, that their abo is usefull, => they are now again exclusives and realyze it (on cp return)reboot the GW is not a reliable way,
I reboot my PF machines every 3 month, and Im always afraid every time when I remote reboot a GW
(less than when we was on 1.2,) reboot introduce a network death of 2/3 minutes sometimes more
this is not acceptable. especialy for a happy hour switchon the second hand, it is very important to do "this reload" from the CP, because of radius, especialy if you do things like me :
- reauth every minut
- interim update
- uid/pwd in combination of mac check (we do "support rights" that mean, the user login-rights are valid for declared cards "support of the login right")
(like a TV smart card) => container of the rights
and : simultaneous session control
it would be a really peace of shit if the GW restarts many times with already radius booked instances
it would bring the shit in radius processes (concurrents logins and so on..)
-
and I would no more sleep anymore if I knew that all my CP GW, are allowed to reboot 2 or 3 times a day, with no garantee
that they are fine every time they reboot..lol, I would do nightmares !! lol
CP GW greets the LAN ! this is very important to me
its not like a web server die
or … a line die ... in the loadbalance ... .... when the CP GW die, users have no more dhcp, nothing ..
the lan die...our locals Infrastructures :
LAN A LAN B LAN C LAN IS WIRELESS OR WIRE
§ § § UP TO 10 FLOORS EVERY LAN DESERVE ONE FLOOR (10-15 users)
§ § §
§ § §
1G 1G 1G
------------------------------------------------------
NAS / DHCP (CP) pfsense
------------------------------------------------------
§
§
§ 10G
§
§
------------------------------------------------------
LOAD BALANCER pfsense
------------------------------------------------------X OPTIC FIBER CARDS
-------------------------------------------------------
T
R
A
N VPN TO CORE NETWORK
S
I
T
-------------------------------------------------------
LNS IN PARISwe do this in every real-estate for students we have
-
What version you running?
I'm on 2.1 snapshot and run this tests;
While CP user is connected and streaming video I make changes in GUI to CP;
enable/disable, change auth from/to; none->local->radius and each time save and restart CP service.None of this kicks the user, the user is still connected and watching video stream.
Only way I find to kick user is go to GUI - Status: Captive portal, click disconnect on selected user.
This needs to be done for each connected user - no good if there are many users to kick. -
do not do that with caching content (video)
start a download …huge..
download is normally kicked
i noticed the kicking since 1.2
(when you resave conf of cp)every time
you can see it : when you resave => user is nomore into statuts> cp
-
its not work for me;
I try with CP user downloading, when CP settings changed/saved the download is interrupted but the user can resume and still browse Internet.
I setup another CP user watching live CCTV video and does not get kicked, the video still showing and there is no cache because its a live stream.
I even disable the CP and still both users connected and have access to Internet and can still browse. I set them both streaming live CCTV video and look the traffic graph.
image1 shows no users in CP after change/save settings and then disable.
image2 show the traffic graph after 30 mins, users still connected, both watching live CCTV video and using up the bandwidth. CP shows no users.
Once I reboot pfSense, both users live CCTV video stops immediately.
After reboot and pfSense ready, both users get CP login screen.pfSense needs reliable method to kill sessions and kick users properly.
-
thats normal
streaming act like download resuming
if a call is dropped due to the kick
the player will recall and will be "granted"
so stream goes on..
i dont know what you do with your zones (i dont even know where you configure that)
i will better enable cp on "interfaces"
let me show you a working conf
-
here you can see
one time we had to make a resave on the conf page of cp
and the traffic suddenly died
all user had to reauthenticate
and then the trafic grows up again
-
I see we have different versions and configs.
I am running pfSense 2.1-BETA1 snapshot - this has the CP "zone" feature.
Also, I have authentication set to "Local User Manager / Vouchers".Thank you for showing your working config of radius authentication.
I have radius package installed and so will set it up the same and see the result.