Pass-through credits per MAC address not being implemented

pfsNewDev

I see. The materials I've come across didn't mention that. Anyway, I shall give it a go. Thank you for all of your help! :D

pfsNewDev

Well, this is a bit baffling.

I tried setting up the captive portal with the following settings:

Idle timeout (Minutes): 10
Hard timeout (Minutes): 10
Pass-through credits per MAC address: 1
Waiting period to restore pass-through credits (Hours): 1
Authentication method: Local User Manager/ Vouchers

And then in the captive portal, I decided to just put the following for testing purposes:

<form method="post" action="$POST_ACTION$">

Since I don't need users to log-in, I decided to hide the auth_user and auth_pass fields. Since pass-through credits is enabled, I would be able to access the internet for 10 minutes without authentication. And then when I try to access the internet again after my 10 minutes are up, I'd be redirected to an authentication error page. Then I would have to wait for 1 hour before I could access the internet without authenticating myself.

Apparently, that is not the case.

The moment I click on the 'Continue' button, I get redirected to the authentication page. It's telling me that I'm giving invalid credentials. I assumed that the first time I try logging in (since I've set Pass-through credits to 1), I would be able to pass through without authentication. But why is it asking for authentication?

I got the following log message when I tested it:

Jul 12  10:00:00  logportauth    17222    Zone: test  - Reconfiguring captive portal (test)

I just could not get why Pass-through credits seem to get ignored.

**UPDATE:**

Okay, so I tried putting the following in the custom captive portal:

I was assuming that since I have the Pass-through credits enabled, I would still be able to pass through the captive portal once. But it's still asking for authentication. The same log message I posted earlier appeared. I'm guessing it's pfSense's way of telling me that it's 'restarting' the captive portal.

**UPDATE:**

So I tried adding this line, just to fully mimic what's on the configuration panel:

On the first attempt, I'm not able to pass through, even though I've indicated that a user could pass through the portal once without authentication. This is really odd.
</form>

Gertjan

@pfsNewDev:

I was assuming that since I have the Pass-through credits enabled, I would still be able to pass through the captive portal once. But it's still asking for authentication.

I just tried this again.

I took what you used :
Idle timeout (Minutes): 10
Hard timeout (Minutes): 10
Pass-through credits per MAC address: 1
Waiting period to restore pass-through credits (Hours): 15 ***
Authentication method: Local User Manager/ Vouchers

*** : I cheated a little bit : instead of waiting 1 hour I scaled down the "Waiting period to restore pass-through credits" to minutes.
No need to visit MIT department computer science, just open /etc/inc/captiveportal.inc, locate the function portal_consume_passthrough_credit($clientmac) and in this function, change the 2 occurrences "3600" for "60". Note : 3600 seconds (= 1 hour) so 60 seconds (1 minute),  so my 15 means 15 minutes now :D

Now : I connected to my Captive Portal.
I had an internet connection right away.
The log was saying :

Jul 12 10:06:06 logportalauth 19279 Zone: cpzone1 - ACCEPT: unauthenticated, 90:b9:31:77:5e:26, 192.168.2.176

Some 10 minutes later (approx) is was disconnected :

Jul 12 10:16:37 logportalauth 67650 Zone: cpzone1 - TIMEOUT: unauthenticated, 90:b9:31:77:5e:26, 192.168.2.176

The hard timeout controller will run every 1 minute, and it threw me out.

When I tried to reconnect, I was taken to the Captive Portal Login page …. but, as no visitor has any login credentials, I could just look at it, not knowing what to enter.

Right after 10h21, after several retries, I was reconnected - not seeing the Captive portal :

Jul 12 10:22:34 logportalauth 89888 Zone: cpzone1 - ACCEPT: unauthenticated, 90:b9:31:77:5e:26, 192.168.2.176

@pfsNewDev:

The same log message I posted earlier appeared. I'm guessing it's pfSense's way of telling me that it's 'restarting' the captive portal.

The message just tels you that you  updated the Captive Portal settings when you are login into the GUI as the admin.

@pfsNewDev:

UPDATE:
So I tried adding this line, just to fully mimic what's on the configuration panel:

What about 'don't mimic' but using the default, build in captive portal page ? ;)

Tip : better be sure : before you test drive, wipe this file
/var/db/captiveportalcpzone1.db
It will be auto regenerated.

pfsNewDev

*** : I cheated a little bit : instead of waiting 1 hour I scaled down the "Waiting period to restore pass-through credits" to minutes.
No need to visit MIT department computer science, just open /etc/inc/captiveportal.inc, locate the function portal_consume_passthrough_credit($clientmac) and in this function, change the 2 occurrences "3600" for "60". Note : 3600 seconds (= 1 hour) so 60 seconds (1 minute),  so my 15 means 15 minutes now :D

Since I'm just starting with pfSense, I do believe that would come in handy. Thanks for that bit of info. :D

Anyway…

I actually just restored the captive portal to its default, and still no internet access. What is happening is the following:

1. I access a site. Since I'm not yet 'allowed' to access the internet, pfSense shows me the captive portal first.
2. I just click on 'Continue' since I set 'Pass-through credits per MAC address' to 1. Which means pfSense should allow me to access the internet once, without authentication. But...
3. pfSense shows me the Authentication error page, telling me that I'm using invalid credentials. Which totally defeats the purpose of the 'Pass-through credits per MAC address'.

According to the configuration panel, I should include the auth_user, auth_pass and/or auth_voucher input fields if I enabled authentication, for if I don't the log-in would surely fail. That is why in the custom captive portal I made, I made sure to include those when I changed authentication methods. Still, pfSense won't allow me to pass through.

Tip : better be sure : before you test drive, wipe this file
/var/db/captiveportalcpzone1.db
It will be auto regenerated.

That one I could try doing. :D

Gertjan

@pfsNewDev:

I actually just restored the captive portal to its default, and still no internet access.

Without any historical "records", you should have access right away. But …. there is a record.
Check out what I said above (and you quoted below) when I was giving you a "Tip" ;)

What is happening is the following:

1. I access a site. Since I'm not yet 'allowed' to access the internet, pfSense shows me the captive portal first.
   As said just above, your IP/MAC/Time is still less then one hours in the past. NO acces is granted, the portal login page is shown.
2. I just click on 'Continue' since I set 'Pass-through credits per MAC address' to 1. Which means pfSense should allow me to access the internet once, without authentication. But...
   but you will provoke an auth error, and the eroor page will be shown.
3. pfSense shows me the Authentication error page, telling me that I'm using invalid credentials. Which totally defeats the purpose of the 'Pass-through credits per MAC address'.
   When you are blocked on the portal login or login-error page, our are actually in the "one hour cool down period" (maybe a minute or so more). After this delay, you will have access.

Tip : better be sure : before you test drive, wipe this file
/var/db/captiveportal [cpzone].db
It will be auto regenerated.

That one I could try doing. :D

You'll see : the first time you will have access right away up until you 'used' the hard timeout time.
Afterwards : one hour of "login page viewing" before access is granted again.

pfsNewDev

Oh, I should've clarified it. When I encountered the problem (me being redirected to the error page and all) I waited for two hours or so, to make sure that the waiting period was indeed over. After two hours passed by, I went back to pfSense and restored the captive portal to its default. I thought that, since two hours had already gone, pfSense would allow my MAC to pass through again. But still, I was not able to pass through. I've only just logged in again and have yet to try your tip.

UPDATE:

Since I just logged back in into my account, I tried testing pfSense again. Surely, after more than 12 hours, the waiting period's definitely over, yes? Which means I could try and pass through the portal using the default captive portal, and the settings I've used. But even so, I'm still being redirected to the error page. PfSense is still looking for credentials, even though I've set Pass-through credits to 1.

Gertjan

Definitely  right.

Btw : I just activated again :
Pass-through credits per MAC address: 1
Waiting period to restore pass-through credits (Hours): 15 ***
[the rest was already ok]
Validated.

Used my device to get in and had a connection right away.

So, I hate to say this, but "it's something else".

IF you add a user and password to the local user Manager
and
Make this user member of a Group called "PortalUsers"
and
assign to this group the right :
User - Services: Captive Portal login

Can you then use that user and password to gain access when you see the login page ?

To see what's up, I need you to agree to (temporary) edit your /etc/inc/captiveportal.inc so it will produce more log info. I'll guide you how to do so.
As soon as we found the issue, you can restore to the default, original file.

pfsNewDev

I actually don't have access to the back-end (yet), one reason why I've been trying to figure things out from the front-end side of the tool. What I did, though, was download the installer from github, and trace what's happening there. So far, what I've done is restore the portal to its default state, set the parameters to what I've shown you, and used Local User Manager/Vouchers as the Authentication method. I'll be testing it again in 20 minutes (by that time, it'd have been two hours since my last test. I've set the Waiting period to 1 hour, so surely my MAC address would be assigned a new passthru credit). I've been reading the scripts relevant to the captive portal; I'll post again with more info should I encounter the error again.

Thank you, though, for taking time to take a look into this. :)

CtrlAltDelete

I have the exact same problem. Will be trying your suggestions tomorrow. :D

CtrlAltDelete

It works!! Somewhat. I get disconnected after 30 minutes and cannot get internet without authenticating with an username and password for another hour which is good. But I have another problem. When pass-through-credits for a user is 1 and I connect to the captive portal network, I get a notification about logging in (usual). But when I tap that, I get no landing page to accept the terms and service and directly get redirected to connectivitycheck.gstatic.com (or something lke that) and I get internet access. I want my guests to accept to my terms first and after that get internet access. Is that possible with this method? Thanks