Netgate Discussion Forum

    Maximum devices per user?

    Captive Portal
      fourseasons

      Hello,

      I'd like to use the captive portal with very basic authentication using 2.2.4 on a SG4860.

      Would it be possible to give out the same username/password (or ideally just a password) to every one of our visitors or would I run into strange problems with up to 250 concurrent devices using the same (local user manager) credentials?

        doktornotor Banned

        Well, why don't you just use vouchers? (That's basically the same as "ideally just a password").

          fourseasons

          I've considered it. That's what we currently use with a Zyxel solution, which actually handles vouchers quite well. Of course it pales in comparison at everything network related.

          Our WLAN is unencrypted so any semi-competent computer user could intercept the voucher codes unless I use HTTPS on the pfsense box, which would require me to buy an SSL certificate and renew it constantly just for this specific use.

          An unencrypted, shared password would be just slightly better than having the network "open" and would save a lot of overhead at the frontdesk. If somebody really wants to get on this network he would find a way through social engineering (as in walking to the reception and asking for a code).

          The other thing that holds me back is that I don't think there's an easy way to print vouchers on demand at the front desk using a thermal printer and just pfsense supported packages. I tried to request such a thing years ago but the consensus was that there's no demand for such a feature and I accept that.

          I believe somebody got the Epson TM-T88 thermal printer to work using the web interface, but I'd hate to rely on this solution, have it break during a major pfsense update and then sit here for days/months without options because the maintainer has gone AWOL for whatever reason.

            doktornotor Banned

            Well, sorry but I don't get this "problem". Sharing a password (voucher) among 250 users makes it very much public. I get a feeling that it's actually a lot more than those 250, since you say concurrently. So, if everyone who happens to visit you gets the same password, yeah, you can just leave the network open. If security is your concern, similar nonsense is out of consideration.

            (You can have a certificate for free from https://www.startssl.com/, that's certainly the least of the issues here.)

            Our WLAN is unencrypted so any semi-competent computer user could intercept the voucher codes unless I use HTTPS on the pfsense box

            And how's this different from passwords and local users?

              fourseasons

              @doktornotor:

              Well, sorry but I don't get this "problem". Sharing a password (voucher) among 250 users makes it very much public. I get a feeling that it's actually a lot more than those 250, since you say concurrently. So, if everyone who happens to visit you gets the same password, yeah, you can just leave the network open. If security is your concern, similar nonsense is out of consideration.

              (You can have a certificate for free from https://www.startssl.com/, that's certainly the least of the issues here.)

              Our WLAN is unencrypted so any semi-competent computer user could intercept the voucher codes unless I use HTTPS on the pfsense box

              And how's this different from passwords and local users?

              I never claimed it was any different.

              I also don't expect to achieve perfect security on a public hotspot within our budget. Other establishments of our size (small) do indeed run an open network, or simply give out a WPA key to their guests, which would be no different from a captive portal with x users sharing the same password.
              The idea is that at least passers-by would not be able to access it quite as easily.

              It's ok that you don't get my problem, at least you tried to be helpful.

                Derelict LAYER 8 Netgate

                I don't think the portal cares how many users are using the same credentials.  All my users show as "unauthenticated" and it works fine.

                Who honestly cares if passers-by use the network? Toss a limiter on it to curtail torrenting and help keep one device from being able to hurt you.

                The nasty stuff like DHCP pool exhaustion can be done without going through the portal anyway. A better answer is a WPA2 passphrase.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  awebster

                  If your budget permits, several enterprise-grade WiFi equipment vendors have solutions that allow multiple WPA2 passphrases (up to thousands) on a single SSID. Pretty neat feature!

                  –A.

                    fourseasons

                    @Derelict:

                    I don't think the portal cares how many users are using the same credentials.  All my users show as "unauthenticated" and it works fine.

                    Who honestly cares if passers-by use the network? Toss a limiter on it to curtail torrenting and help keep one device from being able to hurt you.

                    The nasty stuff like DHCP pool exhaustion can be done without going through the portal anyway. A better answer is a WPA2 passphrase.

                    Thank you and you are right.
                    I might end up using a WPA2 passphrase and an unauthenticated captive portal to display the AUP upon login and make use of the limiter.
