Pass-through credits per MAC address not being implemented
-
Hi,
Normally, I'm using 'user' + 'password' authentication, so I decided to just add your settings to my portal.
I lowered "Hard timeout (Minutes)" to "5" so I could test fast if I really was thrown out after being logged in for 5 minutes => I was …
I used also your :
[2] Pass-through credits per MAC address: 1
[3] Waiting period to restore pass-through credits (Hours): 1
What I saw :
As soon as I used my 5 minutes, I was thrown out.
In my log I found :
Jul 8 09:32:12 logportalauth 28313 Zone: cpzone1 - TIMEOUT: unauthenticated, 90:xx:31:77:5e:26, 192.168.2.176
Jul 8 09:26:38 logportalauth 46135 Zone: cpzone1 - ACCEPT: unauthenticated, 90:xx:31:77:5e:26, 192.168.2.176
A reattempt showed me the Captive portal login page ….
So, if your captive portal users do not have the credentials (login + password), the only choice they have is staring at this page for 1 hour (I'm testing that right now - if all goes well I'll be able to access the net after 42 minutes from 'now').
Do you see the captive portal login when you were kicked off / thrown out ?
What did you setup in the "Authentication" section for your captive portal ?
-
Thank you for taking time to respond to this query of mine, Gertjan. :D
I also checked the pfsense log, and I saw similar results.
Yes, pretty much the user would just have to stare at the captive portal for an hour before he/she could access the internet again (or they could go do something else while waiting. :D).
I set the captive portal to 'No Authentication' in the configuration panel, so the code in my captive portal only has the following in the form:
Since there's no authentication needed, I don't think I need to add in the username and password fields anymore (besides, like what I've said, this works perfectly fine except for that issue I've mentioned).
My issue is that I don't want the user to be able to access the internet IMMEDIATELY after his/her session ends. I want him/her to wait for an hour before he could access the internet again. Problem is, when he/she returns to the captive portal, all he/she needs to do is click on the 'I Agree' button again, and he/she is able to start a fresh session. It's like the setting Waiting period to restore pass-through credits gets ignored.
-
The 1 hour wait was over.
I reconnected to my captive portal - didn't see any "portal authentication page" => I went through. I had access again - for another 5 minutes I guess …
I had a
Jul 8 10:31:21 logportalauth 53567 Zone: cpzone1 - ACCEPT: unauthenticated, 90:xx:31:77:5e:26, 192.168.2.176
I advise you to switch the Authentication method to "Local User Manager / Vouchers" (and not "No Authentication").
When you have no users declared in the "user database", people can go anywhere any way.
Like this : your setup will be the same as mine : and it works for me ;)
Or : adapt your portal page yourself with a message that the "waiting period" is activated.
Still better : surface the countdown values. I did this so I have a line like this in my log :
Jul 8 09:39:08 logportalauth 53961 Zone: cpzone1 - Time out left : 2850 sec.
and show the value on the (captive) login page (which doesn't allow you to login - but only to wait ;)
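An added example, not part of the posts above and not pfSense's own code: a short Python audit of `logportalauth` lines that checks, per zone and MAC, that an unauthenticated session ended near the hard timeout and that the next pass-through came only after the waiting period. It assumes the waiting period runs from the ACCEPT time (which matches the 2850-second countdown quoted above); the year, the `slack` allowance and the `EARLY_ACCEPT` line are constructed.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from this thread (MAC partly masked as posted).
THREAD_LOG = """\
Jul 8 09:26:38 logportalauth 46135 Zone: cpzone1 - ACCEPT: unauthenticated, 90:xx:31:77:5e:26, 192.168.2.176
Jul 8 09:32:12 logportalauth 28313 Zone: cpzone1 - TIMEOUT: unauthenticated, 90:xx:31:77:5e:26, 192.168.2.176
Jul 8 10:31:21 logportalauth 53567 Zone: cpzone1 - ACCEPT: unauthenticated, 90:xx:31:77:5e:26, 192.168.2.176
"""
# Constructed line (not from the thread): a new pass-through one minute after the timeout.
EARLY_ACCEPT = ("Jul 8 09:33:05 logportalauth 50001 Zone: cpzone1 - "
                "ACCEPT: unauthenticated, 90:xx:31:77:5e:26, 192.168.2.176\n")

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) logportalauth \d+ Zone: (\S+) - "
                  r"(ACCEPT|TIMEOUT): ([^,]+), ([0-9a-fx:]{17}), \S+$", re.I)

def parse(log, year=2024):
    """Yield (time, zone, action, user, mac); syslog has no year, so one is assumed."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3).upper(), m.group(4), m.group(5).lower()

def wait_left(accept, now, wait_hours):
    """Seconds until the credit is restored, assuming the wait runs from the ACCEPT."""
    return max(0, int((accept + timedelta(hours=wait_hours) - now).total_seconds()))

def audit(log, hard_timeout_min, wait_hours, slack=timedelta(minutes=2)):
    """Return (mac, finding, elapsed) for unauthenticated sessions that break the settings."""
    findings, last_accept = [], {}
    for ts, zone, action, user, mac in sorted(parse(log)):
        if user != "unauthenticated":
            continue  # only unauthenticated (pass-through) sessions are checked
        prev = last_accept.get((zone, mac))
        if action == "ACCEPT":
            if prev and ts - prev < timedelta(hours=wait_hours):
                findings.append((mac, "pass-through before waiting period ended", ts - prev))
            last_accept[(zone, mac)] = ts
        elif prev and ts - prev > timedelta(minutes=hard_timeout_min) + slack:
            findings.append((mac, "session outlived hard timeout", ts - prev))
    return findings

if __name__ == "__main__":
    print(audit(THREAD_LOG, hard_timeout_min=5, wait_hours=1))                 # thread's own lines
    print(audit(THREAD_LOG + EARLY_ACCEPT, hard_timeout_min=5, wait_hours=1))  # with constructed line
    accept = datetime(2024, 7, 8, 9, 26, 38)
    print(wait_left(accept, datetime(2024, 7, 8, 9, 39, 8), wait_hours=1))
```

The `slack` allowance covers the gap between the configured hard timeout and the moment the periodic timeout check actually logs the TIMEOUT.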
-
I got close to using the 'Local User Manager/Vouchers' option, but I refrained. If I understood it correctly, I would be generating vouchers for users to use in order to access the internet, and then I could set these vouchers to have an expiration date. So, for example, I could set the vouchers to expire an hour after they've been used. But as much as possible, I do not want people to use any code to access the net; all I want is for the portal to not allow them to pass through after their session times out. Which is pretty much what I thought the 'Waiting period to restore pass-through credits' was for. But like what I've said, it's not working according to what I've read in the config panel. :-\
-
If I understood it correctly ….
Don't worry : you didn't.
You activate Authentication method to "Local User Manager / Vouchers" (and not "No Authentication").
This doesn't mean you have to
add users …
use vouchers ....
or whatever.
(I would have mentioned that if it was the case)
Just activate it - and re test :)
-
I see. The materials I've come across didn't mention that. Anyway, I shall give it a go. Thank you for all of your help! :D
-
Well, this is a bit baffling.
I tried setting up the captive portal with the following settings:
Idle timeout (Minutes): 10
Hard timeout (Minutes): 10
Pass-through credits per MAC address: 1
Waiting period to restore pass-through credits (Hours): 1
Authentication method: Local User Manager/ Vouchers
And then in the captive portal, I decided to just put the following for testing purposes:
<form method="post" action="$POST_ACTION$">
Since I don't need users to log-in, I decided to hide the auth_user and auth_pass fields. Since pass-through credits is enabled, I would be able to access the internet for 10 minutes without authentication. And then when I try to access the internet again after my 10 minutes are up, I'd be redirected to an authentication error page. Then I would have to wait for 1 hour before I could access the internet without authenticating myself.
Apparently, that is not the case. The moment I click on the 'Continue' button, I get redirected to the authentication page. It's telling me that I'm giving invalid credentials. I assumed that the first time I try logging in (since I've set Pass-through credits to 1), I would be able to pass through without authentication. But why is it asking for authentication?
I got the following log message when I tested it:
Jul 12 10:00:00 logportauth 17222 Zone: test - Reconfiguring captive portal (test)
I just could not get why Pass-through credits seem to get ignored.
**UPDATE:** Okay, so I tried putting the following in the custom captive portal:
I was assuming that since I have the Pass-through credits enabled, I would still be able to pass through the captive portal once. But it's still asking for authentication. The same log message I posted earlier appeared. I'm guessing it's pfSense's way of telling me that it's 'restarting' the captive portal.
**UPDATE:** So I tried adding this line, just to fully mimic what's on the configuration panel:
On the first attempt, I'm not able to pass through, even though I've indicated that a user could pass through the portal once without authentication. This is really odd.
</form>
-
I was assuming that since I have the Pass-through credits enabled, I would still be able to pass through the captive portal once. But it's still asking for authentication.
I just tried this again.
I took what you used :
Idle timeout (Minutes): 10
Hard timeout (Minutes): 10
Pass-through credits per MAC address: 1
Waiting period to restore pass-through credits (Hours): 15 ***
Authentication method: Local User Manager/ Vouchers
*** : I cheated a little bit : instead of waiting 1 hour I scaled down the "Waiting period to restore pass-through credits" to minutes.
No need to visit MIT department computer science, just open /etc/inc/captiveportal.inc, locate the function portal_consume_passthrough_credit($clientmac) and in this function, change the 2 occurrences "3600" for "60". Note : 3600 seconds (= 1 hour) so 60 seconds (1 minute), so my 15 means 15 minutes now :D
Now : I connected to my Captive Portal.
I had an internet connection right away.
The log was saying :
Jul 12 10:06:06 logportalauth 19279 Zone: cpzone1 - ACCEPT: unauthenticated, 90:b9:31:77:5e:26, 192.168.2.176
Some 10 minutes later (approx) I was disconnected :
Jul 12 10:16:37 logportalauth 67650 Zone: cpzone1 - TIMEOUT: unauthenticated, 90:b9:31:77:5e:26, 192.168.2.176
The hard timeout controller will run every 1 minute, and it threw me out.
When I tried to reconnect, I was taken to the Captive Portal Login page …. but, as no visitor has any login credentials, I could just look at it, not knowing what to enter.
Right after 10h21, after several retries, I was reconnected - not seeing the Captive portal :
Jul 12 10:22:34 logportalauth 89888 Zone: cpzone1 - ACCEPT: unauthenticated, 90:b9:31:77:5e:26, 192.168.2.176
The same log message I posted earlier appeared. I'm guessing it's pfSense's way of telling me that it's 'restarting' the captive portal.
The message just tells you that you updated the Captive Portal settings when you are logged into the GUI as the admin.
UPDATE:
So I tried adding this line, just to fully mimic what's on the configuration panel:
What about 'don't mimic' but using the default, built-in captive portal page ? ;)
Tip : better be sure : before you test drive, wipe this file
/var/db/captiveportalcpzone1.db
It will be auto regenerated.
-
*** : I cheated a little bit : instead of waiting 1 hour I scaled down the "Waiting period to restore pass-through credits" to minutes.
No need to visit MIT department computer science, just open /etc/inc/captiveportal.inc, locate the function portal_consume_passthrough_credit($clientmac) and in this function, change the 2 occurrences "3600" for "60". Note : 3600 seconds (= 1 hour) so 60 seconds (1 minute), so my 15 means 15 minutes now :D
Since I'm just starting with pfSense, I do believe that would come in handy. Thanks for that bit of info. :D
Anyway…
I actually just restored the captive portal to its default, and still no internet access. What is happening is the following:
- I access a site. Since I'm not yet 'allowed' to access the internet, pfSense shows me the captive portal first.
- I just click on 'Continue' since I set 'Pass-through credits per MAC address' to 1. Which means pfSense should allow me to access the internet once, without authentication. But...
- pfSense shows me the Authentication error page, telling me that I'm using invalid credentials. Which totally defeats the purpose of the 'Pass-through credits per MAC address'.
According to the configuration panel, I should include the auth_user, auth_pass and/or auth_voucher input fields if I enabled authentication, for if I don't the log-in would surely fail. That is why in the custom captive portal I made, I made sure to include those when I changed authentication methods. Still, pfSense won't allow me to pass through.
Tip : better be sure : before you test drive, wipe this file
/var/db/captiveportalcpzone1.db
It will be auto regenerated.
That one I could try doing. :D
-
I actually just restored the captive portal to its default, and still no internet access.
Without any historical "records", you should have access right away. But …. there is a record.
Check out what I said above (and you quoted below) when I was giving you a "Tip" ;)
What is happening is the following:
- I access a site. Since I'm not yet 'allowed' to access the internet, pfSense shows me the captive portal first.
As said just above, your IP/MAC/Time is still less than one hour in the past. NO access is granted, the portal login page is shown.
- I just click on 'Continue' since I set 'Pass-through credits per MAC address' to 1. Which means pfSense should allow me to access the internet once, without authentication. But...
but you will provoke an auth error, and the error page will be shown.
- pfSense shows me the Authentication error page, telling me that I'm using invalid credentials. Which totally defeats the purpose of the 'Pass-through credits per MAC address'.
When you are blocked on the portal login or login-error page, you are actually in the "one hour cool down period" (maybe a minute or so more). After this delay, you will have access.
Tip : better be sure : before you test drive, wipe this file
/var/db/captiveportal [cpzone].db
It will be auto regenerated.
That one I could try doing. :D
You'll see : the first time you will have access right away up until you 'used' the hard timeout time.
Afterwards : one hour of "login page viewing" before access is granted again.
- I access a site. Since I'm not yet 'allowed' to access the internet, pfSense shows me the captive portal first.
-
Oh, I should've clarified it. When I encountered the problem (me being redirected to the error page and all) I waited for two hours or so, to make sure that the waiting period was indeed over. After two hours passed by, I went back to pfSense and restored the captive portal to its default. I thought that, since two hours had already gone, pfSense would allow my MAC to pass through again. But still, I was not able to pass through. I've only just logged in again and have yet to try your tip.
UPDATE:
Since I just logged back into my account, I tried testing pfSense again. Surely, after more than 12 hours, the waiting period's definitely over, yes? Which means I could try and pass through the portal using the default captive portal, and the settings I've used. But even so, I'm still being redirected to the error page. PfSense is still looking for credentials, even though I've set Pass-through credits to 1.
-
Definitely right.
Btw : I just activated again :
Pass-through credits per MAC address: 1
Waiting period to restore pass-through credits (Hours): 15 ***
[the rest was already ok]
Validated.
Used my device to get in and had a connection right away.
So, I hate to say this, but "it's something else".
If you add a user and password to the local user Manager
and
Make this user member of a Group called "PortalUsers"
and
assign to this group the right :
User - Services: Captive Portal login
Can you then use that user and password to gain access when you see the login page ?
To see what's up, I need you to agree to (temporarily) edit your /etc/inc/captiveportal.inc so it will produce more log info. I'll guide you how to do so.
As soon as we found the issue, you can restore to the default, original file.
-
I actually don't have access to the back-end (yet), one reason why I've been trying to figure things out from the front-end side of the tool. What I did, though, was download the installer from github, and trace what's happening there. So far, what I've done is restore the portal to its default state, set the parameters to what I've shown you, and used Local User Manager/Vouchers as the Authentication method. I'll be testing it again in 20 minutes (by that time, it'd have been two hours since my last test. I've set the Waiting period to 1 hour, so surely my MAC address would be assigned a new passthru credit). I've been reading the scripts relevant to the captive portal; I'll post again with more info should I encounter the error again.
Thank you, though, for taking time to take a look into this. :)
-
I have the exact same problem. Will be trying your suggestions tomorrow. :D
-
It works!! Somewhat. I get disconnected after 30 minutes and cannot get internet without authenticating with a username and password for another hour, which is good. But I have another problem. When pass-through-credits for a user is 1 and I connect to the captive portal network, I get a notification about logging in (usual). But when I tap that, I get no landing page to accept the terms and service and directly get redirected to connectivitycheck.gstatic.com (or something like that) and I get internet access. I want my guests to accept my terms first and after that get internet access. Is that possible with this method? Thanks