Netgate Discussion Forum
    One Voucher Per Device

Category: Captive Portal
• Gertjan @Derelict

      @Derelict said in One Voucher Per Device:

      That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

It should be working as you stated.
It doesn't.

The last login will be granted; previous users using the same code are ejected.
That's the problem of @ajmaltms.
The code changes I tested out once - in the linked thread - do just that: once a voucher is used for a login, another login using the same voucher will be denied. This works as long as the voucher is listed in the "connected user list". For this reason I advise big values for soft and hard time out. If not, the user who obtained the voucher initially can't log in again if he gave it to someone else .... (not a bad situation actually ... very educational)

Edit: I once managed to get the same functionality using user/passwords and FreeRadius.
      A setting like this for a user :

[image attachment]

enforces one user at a time using a unique user/password pair.

      You'll be needing FreeRadius (and probably - I advise - some database like MySQL or MariaDB running on some server).

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

• Derelict LAYER 8 Netgate @Gertjan

        @Gertjan said in One Voucher Per Device:

        @Derelict said in One Voucher Per Device:

        That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

        It should be working as you stated.
        It doesn't.
The last login will be granted; previous users using the same code are ejected.

        How is what you said and I said different?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

• Gertjan

You:

          That SHOULD delete the first MAC address and replace it with the second. There should only be one MAC address passed through at a time. That should stop them from sharing codes.

          That's how it works now.

What @ajmaltms wants: a voucher, once used, is not usable for a next (concurrent) login.

The actual pfSense approach is based on the fact that someone who obtains a voucher can use it for (his) multiple devices.
For his smartphone, then his tablet, and then his portable PC - to wind up using it on his game box.
Every time the voucher is used 'again', the existing connection is shut down (note: this should already inhibit non-voluntary voucher sharing = when you 'lose' your voucher you lose your connection.)
@ajmaltms has other experiences, as he explained above.

• Derelict LAYER 8 Netgate

            That would be a feature request.

• Gertjan

Yup - that's what I proposed earlier in this thread - a day or so ago.
But: I have some code to play with that does just what @ajmaltms wants.

• Derelict LAYER 8 Netgate

                Then that would be a pull request for that feature request :)

• ajmaltms @Gertjan

@Gertjan yes.. a voucher, once used, not usable for a next (concurrent) login.. is it possible?

• Gertjan

@Derelict well, maybe I should write it out again .... I'll have a try.

Here we go: the GUI part first:

@ajmaltms:
This looks good for you:

[image attachment]

Btw: writing this up will take some time for me.
I'm writing this on a "live" system, and I'm not using vouchers, but FreeRadius.

• Derelict LAYER 8 Netgate

                      This is not the forum for feature and pull requests.

                      https://redmine.pfsense.org/
                      https://github.com/pfsense/pfsense/

• Gertjan

Don't worry, I won't publish any PHP stuff here.
I just want to be sure I'm writing something useful.

                        When done and tested, I'll locate a feature request if one exists, and add my implementation as a pull request / review.

• Derelict LAYER 8 Netgate

                          No problem posting it. It's just that it probably won't get looked at by the right people unless it is put in the right places.

• ajmaltms @Gertjan

@Gertjan which version is this? I am using 2.4.4; I can't see those 3 options in my version...

• Gertjan

                              I already went through the Forum => Redmine => Github phase twice, I guess.

@ajmaltms:
I'm using the same version as you: pfSense 2.4.4p2.

I just edited the code on my own pfSense setup.

Does the image look good to you?
As @Derelict stated, there is a whole procedure to respect when one wants to change the 'official' code.
As said, this will take some time.

• ajmaltms @Gertjan

@Gertjan yes.. that's what I want... first login..

• Gertjan

Good!

I'll post back here when I have a feature request.
Attached to the feature request I'll be posting a pull request. At that moment, with the System_Patches package you can retrieve the proposed pull request into your own pfSense to test drive the new code.
Eventually, if the pull request gets granted - IF this happens - the feature will be built into all new pfSense versions.
This will take time - as most attention goes to "2.5.0" these days.

• Derelict LAYER 8 Netgate

                                    It is unclear how someone would just allow all concurrent logins there.

• Gertjan @Derelict

                                      @Derelict said in One Voucher Per Device:

                                      It is unclear how someone would just allow all concurrent logins there.

                                      I agree.
                                      "Disabled" isn't the correct description.

• Gertjan

[image attachment]

• Derelict LAYER 8 Netgate @Gertjan

                                          @Gertjan that seems more clear.

• Gertjan

@ajmaltms: I could not 'chat' all this to you, there is a 1000 char limit - so here it is:

Ready for the first try?
Before you start, throw out all connected users. People who were logged in using vouchers, in your case, that aren't expired yet will be able to reconnect afterwards.

Make backup copies of the two files that will get modified.
I advise you to use the console access, option 8.
And/or SFTP access is also advisable - FileZilla does that just fine - Note: use SFTP, NOT to be confused with FTP.

Make a backup copy of this file:

cp /etc/inc/captiveportal.inc  /etc/inc/captiveportal.inc.original

Another file to make a copy of:

cp /usr/local/www/services_captiveportal.php /usr/local/www/services_captiveportal.php.original

                                            Thus, now you have spare copies of the 2 files that will be changed.

                                            Here we go:
                                            This is the new /etc/inc/captiveportal.inc file:
                                            https://pastebin.com/V6uWHNz5
                                            This is the new /usr/local/www/services_captiveportal.php file.
                                            https://pastebin.com/QLhNhgAW

When these two files are in place, visit the portal config page and check your "Concurrent user login" settings: check one option out of the 3. I guess it will be "First" for you ^^ (see image above).

If there are any troubles, just copy your backup files back in place, like this (copying and pasting these 2 commands will do that):

cp /usr/local/www/services_captiveportal.php.original /usr/local/www/services_captiveportal.php
cp /etc/inc/captiveportal.inc.original /etc/inc/captiveportal.inc

You'll be seeing messages in your captive portal log file like:

.... CONCURRENT VOUCHER LOGIN - NOT ALLOWED - KEEPING OLD SESSION …

This informs you that the same voucher was used a second time - the connection was refused.

I do not pretend that everything works perfectly right now. This is just a first test.

I tested all 3 settings of "concurrent login" myself using vouchers AND the classic Local manager user logins - both behave now as I want:

                                            • Multiple sessions per username / voucher
                                            • Last sessions per username / voucher
                                            • First sessions per username / voucher

                                            The last one is the one you want to test.

Take your time to test - read the log file - send it over to me if you have questions (use pastebin.org - not here in the forum).

                                            Good luck.

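As an added illustration that is not pfSense's code nor the pastebin patch above, here is a small Python model of the three "concurrent login" settings listed in this thread, including the timeout caveat raised earlier (a refused voucher becomes usable again once the first session has expired) and a scan of captive portal log lines for the refusal message; the MAC addresses, voucher codes and the exact log line layout are constructed for the example.

```python
# Toy model of the three "Concurrent user login" policies discussed in the
# thread. Not pfSense code; MACs, vouchers and the log layout are constructed.
from dataclasses import dataclass, field

MULTIPLE, LAST, FIRST = "multiple", "last", "first"
REFUSED = "CONCURRENT VOUCHER LOGIN - NOT ALLOWED - KEEPING OLD SESSION"


@dataclass
class Portal:
    policy: str
    sessions: dict = field(default_factory=dict)   # MAC -> voucher in use
    log: list = field(default_factory=list)        # captive portal log lines

    def login(self, mac: str, voucher: str) -> bool:
        """Apply the policy to a login attempt; return True if admitted."""
        others = [m for m, v in self.sessions.items() if v == voucher and m != mac]
        if others and self.policy == FIRST:
            # Holder of the first session keeps it; the newcomer is refused.
            self.log.append(f"{REFUSED} voucher={voucher} mac={mac}")
            return False
        if others and self.policy == LAST:
            # Stock behaviour described in the thread: newest login ejects the old one.
            for m in others:
                del self.sessions[m]
                self.log.append(f"DISCONNECT mac={m} voucher={voucher} reason=replaced")
        self.sessions[mac] = voucher
        self.log.append(f"LOGIN mac={mac} voucher={voucher}")
        return True

    def timeout(self, mac: str) -> None:
        """Soft/hard timeout: once the session is gone, the voucher is free again."""
        self.sessions.pop(mac, None)


def refusals_per_voucher(lines):
    """Count refused concurrent logins per voucher from captive portal log lines."""
    counts = {}
    for line in lines:
        if REFUSED in line:
            voucher = line.split("voucher=", 1)[1].split()[0]
            counts[voucher] = counts.get(voucher, 0) + 1
    return counts


if __name__ == "__main__":
    p = Portal(FIRST)
    p.login("00:11:22:33:44:55", "abc123")   # first device gets the session
    p.login("66:77:88:99:aa:bb", "abc123")   # shared voucher -> refused
    print(refusals_per_voucher(p.log))       # {'abc123': 1}
```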