Netgate Discussion Forum

    One Voucher Per Device

      ajmaltms @free4

      @free4 Yes, I am using the voucher code method, because I need to generate almost 500 vouchers every month.

        Gertjan

        I know it isn't a permanent solution, but here https://forum.netgate.com/topic/136995/one-voucher-per-device/3 I posted the link that locks down a voucher to "one voucher => one user".

        I tested that code and it worked.

        It needs some code patching .... true, but, hey, it's just PHP ;)

        A more permanent solution would be a feature request (check if one already exists first) https://redmine.pfsense.org/projects/pfsense

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          ajmaltms @Gertjan

          @Gertjan For this method, do we need to install the FreeRadius package? I am not familiar with pfSense. Before, I used MikroTik for voucher generation.

            Gertjan

            No.
            It concerns vouchers, not an authentication against the local user database or FreeRadius (a "remote" database).

            The captive portal code that handles vouchers will disconnect an existing connection, a user that used a voucher, if the voucher is used again on another device (another IP, another MAC).
            That situation can be changed as : if a voucher is used (once) then do not accept any other connections any more while the initial user is still logged in.

            If you set the soft and hard timeout rather high, no other user could use the voucher any more.

              ajmaltms @Gertjan

              @Gertjan OK, thanks. Now I got the idea.

                  ajmaltms @Gertjan

                  @Gertjan I will explain my problem here.

                  My company provides internet in labour camps. I want to create vouchers for 30 days; every month I want to provide a new voucher. 1 voucher for 1 phone; almost 500 members in the camp.

                  I disabled concurrent login.

                  I created a captive portal and vouchers with the help of a YouTube video and tried many options, but my voucher can be used on multiple phones; the last login is active. My problem is people using the same card for 2 people (day-shift people give the voucher to night-shift people while they are going to work). This is a big problem. Any solutions?

                    Derelict LAYER 8 Netgate

                    That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      ajmaltms @Derelict

                      @Derelict So there is no need to disable concurrent login?
                      Which of them do I need to use, and which do I not need to use?

                        Derelict LAYER 8 Netgate

                        Of course you should disable concurrent login if you don't want concurrent logins.

                          Gertjan @Derelict

                          @Derelict said in One Voucher Per Device:

                          That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

                          It should be working as you stated.
                          It doesn't.

                          The last login will be granted, previous users using the same code are ejected.
                          That's the problem of @ajmaltms.
                          The code changes I tested out once - in the linked thread - do just that: once a voucher is used for a login, another login using the same voucher will be denied. This works as long as the voucher is listed in the "connected user list". For this reason I advise big values for soft and hard timeout. If not, the user who obtained the voucher initially can't log in again if he gave it to someone else .... (not a bad situation actually ... very educational)

                          edit: I once managed to use the same functionality using user/passwords and FreeRadius.
                          A setting like this for a user :

                          4f42c91b-5f6a-41e5-a643-4087b0b46e01-image.png

                          enforces one user at a time using a unique user/password pair.

                          You'll be needing FreeRadius (and probably - I advise - some database like MySQL or MariaDB running on some server).

                            Derelict LAYER 8 Netgate @Gertjan

                            @Gertjan said in One Voucher Per Device:

                            @Derelict said in One Voucher Per Device:

                            That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

                            It should be working as you stated.
                            It doesn't.
                            The last login will be granted, previous users using the same code are ejected.

                            How is what you said and I said different?

                              Gertjan

                              You :

                              That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

                              That's how it works now.

                              What @ajmaltms wants: a voucher, once used, is not usable for a next (concurrent) login.

                              The actual pfSense approach is based on the fact that someone who obtains a voucher can use it for (his) multiple devices.
                              For his smartphone, then his tablet, and then his portable PC - to wind up using it on his game box.
                              Every time the voucher is used 'again', the existing connection is shut down (note: this should already inhibit involuntary voucher sharing = when you 'lose' your voucher you lose your connection.)
                              @ajmaltms has other experiences. As he explained above.

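The two voucher policies discussed in the posts above (last login wins, which is the current behaviour, and first login holds, which is what was asked for), modelled as an added example that is not from any poster and is not pfSense code. The `Portal` class, the single hard timeout, the voucher name and the MAC addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

H = 3600                                   # one hour in seconds
DAY, NIGHT = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs

@dataclass
class Portal:
    policy: str            # "replace" = last login wins, "deny" = first login holds
    hard_timeout: int      # assumption: seconds after login at which a session is dropped
    sessions: dict = field(default_factory=dict)   # voucher -> (mac, login_time)
    log: list = field(default_factory=list)        # (time, event, voucher, mac)

    def expire(self, now):
        # Drop every session whose hard timeout has elapsed.
        for voucher, (mac, started) in list(self.sessions.items()):
            if now - started >= self.hard_timeout:
                del self.sessions[voucher]
                self.log.append((now, "timeout", voucher, mac))

    def login(self, voucher, mac, now):
        self.expire(now)
        holder = self.sessions.get(voucher)
        if holder and holder[0] == mac:
            return True                            # same device, session kept
        if holder and self.policy == "deny":
            self.log.append((now, "denied", voucher, mac))
            return False                           # voucher is bound to the first device
        if holder:
            self.log.append((now, "ejected", voucher, holder[0]))
        self.sessions[voucher] = (mac, now)
        self.log.append((now, "login", voucher, mac))
        return True

def shift_handover(policy, hard_timeout):
    """Day-shift phone logs in, night-shift phone tries 12 h later, day phone returns."""
    p = Portal(policy, hard_timeout)
    p.login("VOUCHER-1", DAY, 0)
    night_ok = p.login("VOUCHER-1", NIGHT, 12 * H)
    day_back_ok = p.login("VOUCHER-1", DAY, 13 * H)
    return night_ok, day_back_ok, p.sessions["VOUCHER-1"][0], p

def shared_vouchers(log):
    """Vouchers presented by more than one MAC: the sharing signal to review."""
    seen = {}
    for _, event, voucher, mac in log:
        if event in ("login", "denied"):
            seen.setdefault(voucher, set()).add(mac)
    return {v for v, macs in seen.items() if len(macs) > 1}
```

With `deny` and a 6-hour timeout the day-shift session has already expired at hand-over, so the night-shift phone gets in and the original holder is then locked out, which is the reason given above for large timeout values.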
                                Derelict LAYER 8 Netgate

                                That would be a feature request.

                                  Gertjan

                                  Yup - that's what I proposed earlier in this thread - a day or so ago.
                                  But : I have some code to play with that does just what @ajmaltms wants.

                                    Derelict LAYER 8 Netgate

                                    Then that would be a pull request for that feature request :)

                                      ajmaltms @Gertjan

                                      @Gertjan Yes, a voucher, once used, not usable for a next (concurrent) login. Is it possible?

                                        Gertjan

                                        @Derelict well, maybe I should write it out again .... I'll have a try.

                                        Here we go: the GUI part first:

                                        @ajmaltms :
                                        This looks good for you :

                                        d3d2a51f-2d57-44d9-a8b1-996bfa97204c-image.png

                                        Btw : writing this up will take some time for me.
                                        I'm writing this on a "live" system, and I'm not using Vouchers, but FreeRadius.

                                          Derelict LAYER 8 Netgate

                                          This is not the forum for feature and pull requests.

                                          https://redmine.pfsense.org/
                                          https://github.com/pfsense/pfsense/

                                            Gertjan

                                            Don't worry, won't publish any PHP stuff here.
                                            Just want to be sure I'm writing something useful.

                                            When done and tested, I'll locate a feature request if one exists, and add my implementation as a pull request / review.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.