One Voucher Per Device

ajmaltms

@Gertjan yes..thats what i want...first login..

Gertjan

Good !

I'll post back here when I have a Feature request.
Attached to the feature request I'll be posting a pull request. At that moment, with the System_Patches package you can then retrieve the proposed pull request into your own pfSense to test drive the new code.
Eventually, if the pull request gets granted - IF this happensbolded text, the feature will be build into al new pfSense version.
This will take time - as most attention goes to "2.5.0" these days.

Derelict

It is unclear how someone would just allow all concurrent logins there.

Gertjan

@Derelict said in One Voucher Per Device:

It is unclear how someone would just allow all concurrent logins there.

I agree.
"Disabled" isn't the correct description.

Gertjan

Derelict

@Gertjan that seems more clear.

Gertjan

@ajmaltms : could not 'chat' all this to you, there is a 1000 char limit - so here it is :

Ready for the first try ?
Before you start, throw out all connected users. People that were logged in using Vouchers, in your case, that aren’t expired yet will be able to reconnect afterwards.

Make backup copies of the two files that will get modified.
I advise you to use the console access, option 8.
And/or SFTP access is also advisable – FileZilla does that just fine – Note : use SFTP, NOT to be confused with FTP.

Make a backup copy of this file

cp /etc/inc/captiveportal.inc  /etc/inc/captiveportal.inc.original

Another file to make a copy from :

cp /usr/local/www/services_captiveportal.php /usr/local/www/services_captiveportal.php.original

Thus, now you have spare copies of the 2 files that will be changed.

Here we go:
This is the new /etc/inc/captiveportal.inc file:
https://pastebin.com/V6uWHNz5
This is the new /usr/local/www/services_captiveportal.php file.
https://pastebin.com/QLhNhgAW

When these two files are in place, visit the portal config page, check your “Concurrent user login” settings: check one option out of the 3. I guess it will be “First” for you ^^ (see image above).

If there are any troubles, just copy your backup files back in place, like this (copy – paste these 2 commands will do that ) :

cp /usr/local/www/services_captiveportal.php.original /usr/local/www/services_captiveportal.php
cp /etc/inc/captiveportal.inc.original /etc/inc/captiveportal.inc

You’ll be seeing messages in your captive portal log file like:

.... CONCURRENT VOUCHER LOGIN - NOT ALLOWED - KEEPING OLD SESSION …

Which informs you that the same voucher was used a second time – the connection was refused.

I do not pretend that everything works perfect right now. This is just a first test.

I tested all 3 settings of “concurrent login” myself using Vouchers AND the classic Local manger user logins – both behave now as I want:

• Multiple sessions per username / voucher
• Last sessions per username / voucher
• First sessions per username / voucher

The last one is the one you want to test.

Take your time to test – read the log file – send it over to me if question (use pastebin.org – not here in the forum)

Good luck.

ajmaltms

@Gertjan not showing the three types of concurrent logins..but not working..still voucher can use same time..

Gertjan

@ajmaltms said in One Voucher Per Device:

not showing the three types of concurrent logins..but not working

Not showing but not working ?
Check this file /usr/local/www/services_captiveportal.php (in your pfSense)- for example lines 709 up until line 711 - you should see :

To assure you : the file I upload, is the file I'm using right now. "services_captiveportal.php" is part of the Captive portal settings GUI.
I tend to say : if you don't see anything change (only the "Concurrent user logins" item) you didn't copy the file.

edit : same thing for the file /etc/inc/captiveportal.inc - check line 2323. You should see this comment :

/* Implicit 'first' : refuse the new login - 'username' is already logged in */

ajmaltms

@Gertjan sorry..showing 3 types..but not working

Gertjan

@ajmaltms

Well, show a test case.
Use a voucher on a device.
Use the same voucher on another device.
Show the log.

edit : run this

grep 'noconcurrentlogins' /conf/config.xml

What is the output ?

edit 2019-04-19 :

This is what I see when I set " Concurrent user logins" " to "First".
I have a voucher "TYUURMVP423SB" and use it on a device :

Apr 19 10:20:56 	logportalauth 	52629 	Zone: cpzone1 - Voucher login good for 5 min.: TYUURMVP423SB, b0:70:2d:44:fc:da, 192.168.2.217

Now I use the same voucher on another device :

Apr 19 10:23:10 	logportalauth 	63782 	Zone: cpzone1 - CONCURRENT VOUCHER LOGIN - NOT ALLOWED KEEPING OLD SESSION : TYUURMVP423SB, b0:70:2d:44:fc:da, 192.168.2.217

and I see a message in red on my captive portal "error" login page :

ajmaltms

@Gertjan which pfsense version u are using?

Gertjan

2.4.4-p2

ajmaltms

@Gertjan am using 2.3.5 may be thats the issue

Gertjan

Sure.
pfSense portal code on 2.4.4-p2 is different.
There is no development for the 2.3.5 anymore - I don't have it.

ajmaltms

@Gertjan ok..let me chekit out with 2.4.4 p2

ajmaltms

@Gertjan thanks a lot..finally worked with 2.4.4 p2

Gertjan

Ok, great !

I updated these a week or so :
@Gertjan said in One Voucher Per Device:

This is the new /etc/inc/captiveportal.inc file:
https://pastebin.com/V6uWHNz5
This is the new /usr/local/www/services_captiveportal.php file.
https://pastebin.com/QLhNhgAW

I'll post back here when I make more edits.

wazim4u

Hi Gerjan,

I have tried your code it was working fine, when i tried it in live system up to 3000 Captive portal users i got a lot of issue giving message to reuse of identification not allowed . it works only when you manually disconnect user and sometimes after few days again it give same error and not let use to login. i get back to original system ( default PFsense ) using version latest 2.4.4-p3

this is very great feature i think it need more stability. this feature should be by default a part of pfsense

Gertjan

Hi,

@wazim4u said in One Voucher Per Device:

it works only when you manually disconnect user

What do you mean by manually disconnecting ?
Why should you ?
What is your idle timeout ? hard timout ?.

Keep in mind, users are disconnected from the portal after one of these two becomes "true".
Users can reauth again of course, as long as their voucher isn't expired.

This means that while a user has an active session with his voucher, other reuse attemps are

1. accepted - multiple users will get connected with the same vouchers,
2. the initial user is thrown out, only the last login persists,
   or, new (my patch):
3. subsequent users are not allowed to login.

Point 1 & 2 is the behaviour pfSense currently offers.
Point 3 is what my patch should offer.

Point 3 has a caveat : the user with a valid voucher should be 'logged in' all time onto the captive portal, so subsequent logins can be refused. If not, the 'initial' login with voucher always wins, even if it is a new device ...
This can be enforced with a (example) hard timeout of "0" and a soft time out of at least the maximum voucher time.
This way, vouchers users stay logged, even if there is no activity. Subsequent login attempts will get refused.
Finally, the vouchers expires, and the portal will flush their firewall rules / login info .

@wazim4u said in One Voucher Per Device:

after few days again it give same error

What error ?

@wazim4u said in One Voucher Per Device:

i think it need more stability

True it was just an idea.
The thing is, for good development, I should use github and working with a pull request, and thus basing myself on the latest dev version = some 2.5.0.xxxxx file version.
This means that I should have a "2.5.0" somewhere - but not on my work, where I use pfSense already, using Captive Portal coupled to FreeRadius.
Keep in mind that I'm not actively use vouchers myself. The idea of "selling" Internet time doesn't really exists any more (Europe). I can throttle down a user if abuse is detected, that's enough for me.