Netgate Discussion Forum

    One Voucher Per Device

    Captive Portal
    • GertjanG
      Gertjan @ajmaltms
      last edited by Gertjan

      @ajmaltms

      Well, show a test case.
      Use a voucher on a device.
      Use the same voucher on another device.
      Show the log.

      edit : run this

      grep 'noconcurrentlogins' /conf/config.xml
      

      What is the output ?

      edit 2019-04-19 :

      This is what I see when I set "Concurrent user logins" to "First".
      I have a voucher "TYUURMVP423SB" and use it on a device :

      Apr 19 10:20:56 	logportalauth 	52629 	Zone: cpzone1 - Voucher login good for 5 min.: TYUURMVP423SB, b0:70:2d:44:fc:da, 192.168.2.217
      

      Now I use the same voucher on another device :

      Apr 19 10:23:10 	logportalauth 	63782 	Zone: cpzone1 - CONCURRENT VOUCHER LOGIN - NOT ALLOWED KEEPING OLD SESSION : TYUURMVP423SB, b0:70:2d:44:fc:da, 192.168.2.217
      

      and I see a message in red on my captive portal "error" login page :

      a8d6c7a3-5529-4ab8-8f08-ba29e7c15be9-image.png

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??
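
An added example (not part of the original post and not pfSense code): a shell function that summarises the two log message types quoted above per voucher, generalised to also count the distinct MAC addresses each voucher was accepted from. The function names and the EXAMPLEVOUCHER lines with their MACs and IPs are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-voucher summary of captive portal auth log lines.
# Matching keys only on the message text quoted in the post, so the
# timestamp / process columns in front of it do not matter.

audit_voucher_log() {
    awk '
    function after(marker) {
        # Text following marker on this line, or "" if marker is absent.
        if (!match($0, marker)) return ""
        return substr($0, RSTART + RLENGTH)
    }
    {
        ok  = after("Voucher login good for [0-9]+ min\\.: ")
        bad = after("CONCURRENT VOUCHER LOGIN - NOT ALLOWED KEEPING OLD SESSION : ")
        rest = (ok != "") ? ok : bad
        if (rest == "") next                 # unrelated log line
        if (split(rest, f, /, */) < 3) next  # malformed: need voucher, MAC, IP
        v = f[1]; mac = tolower(f[2])
        seen[v] = 1
        if (ok != "") {
            logins[v]++
            if (!((v, mac) in macseen)) { macseen[v, mac] = 1; macs[v]++ }
        } else {
            # In the quoted sample this line repeats the MAC/IP of the
            # session that was kept, so count per voucher only.
            refused[v]++
        }
    }
    END {
        for (v in seen)
            printf "%s logins=%d macs=%d refused=%d\n", v, logins[v], macs[v], refused[v]
    }' | sort
}

# First two lines are from the post; the EXAMPLEVOUCHER lines are constructed.
sample_log() {
    cat <<'EOF'
Apr 19 10:20:56 logportalauth 52629 Zone: cpzone1 - Voucher login good for 5 min.: TYUURMVP423SB, b0:70:2d:44:fc:da, 192.168.2.217
Apr 19 10:23:10 logportalauth 63782 Zone: cpzone1 - CONCURRENT VOUCHER LOGIN - NOT ALLOWED KEEPING OLD SESSION : TYUURMVP423SB, b0:70:2d:44:fc:da, 192.168.2.217
Apr 19 11:00:00 logportalauth 70001 Zone: cpzone1 - Voucher login good for 5 min.: EXAMPLEVOUCHER, 02:00:00:00:00:01, 192.0.2.10
Apr 19 11:30:00 logportalauth 70002 Zone: cpzone1 - Voucher login good for 2 min.: EXAMPLEVOUCHER, 02:00:00:00:00:02, 192.0.2.11
EOF
}

sample_log | audit_voucher_log
```

A voucher reported with `macs` above 1 was accepted from more than one device over time, while `refused` counts reuse attempts that were blocked during an active session.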

      • A
        ajmaltms @Gertjan
        last edited by

        @Gertjan which pfSense version are you using?

        • GertjanG
          Gertjan
          last edited by

          2.4.4-p2

          • A
            ajmaltms @Gertjan
            last edited by ajmaltms

            @Gertjan I am using 2.3.5, maybe that's the issue

            • GertjanG
              Gertjan
              last edited by

              Sure.
              pfSense portal code on 2.4.4-p2 is different.
              There is no development for the 2.3.5 anymore - I don't have it.

              • A
                ajmaltms @Gertjan
                last edited by

                @Gertjan OK, let me check it out with 2.4.4 p2

                • A
                  ajmaltms @Gertjan
                  last edited by

                  @Gertjan Thanks a lot, it finally worked with 2.4.4 p2

                  • GertjanG
                    Gertjan
                    last edited by Gertjan

                    Ok, great !

                    I updated these a week or so ago :
                    @Gertjan said in One Voucher Per Device:

                    This is the new /etc/inc/captiveportal.inc file:
                    https://pastebin.com/V6uWHNz5
                    This is the new /usr/local/www/services_captiveportal.php file.
                    https://pastebin.com/QLhNhgAW

                    I'll post back here when I make more edits.

                    • W
                      wazim4u
                      last edited by

                      Hi Gertjan,

                      I have tried your code and it was working fine. When I tried it on a live system with up to 3000 captive portal users, I got a lot of issues, with a message that reuse of identification is not allowed. It works only when you manually disconnect the user, and sometimes after a few days it gives the same error again and does not let users log in. I went back to the original system (default pfSense), using the latest version, 2.4.4-p3.

                      This is a very great feature; I think it needs more stability. This feature should be part of pfSense by default.

                      • GertjanG
                        Gertjan @wazim4u
                        last edited by

                        Hi,

                        @wazim4u said in One Voucher Per Device:

                        it works only when you manually disconnect the user

                        What do you mean by manually disconnecting ?
                        Why should you ?
                        What is your idle timeout ? Hard timeout ?

                        Keep in mind, users are disconnected from the portal after one of these two becomes "true".
                        Users can reauth again of course, as long as their voucher isn't expired.

                        f276eac8-4973-4117-a1cf-e698c3ccc5a3-image.png

                        This means that while a user has an active session with his voucher, other reuse attempts are

                        1. accepted - multiple users will get connected with the same vouchers,
                        2. the initial user is thrown out, only the last login persists,
                          or, new (my patch):
                        3. subsequent users are not allowed to login.

                        Points 1 & 2 are the behaviour pfSense currently offers.
                        Point 3 is what my patch should offer.

                        Point 3 has a caveat : the user with a valid voucher should be 'logged in' all the time onto the captive portal, so subsequent logins can be refused. If not, the 'initial' login with voucher always wins, even if it is a new device ...
                        This can be enforced with a (example) hard timeout of "0" and a soft time out of at least the maximum voucher time.
                        This way, voucher users stay logged in, even if there is no activity. Subsequent login attempts will get refused.
                        Finally, the voucher expires, and the portal will flush their firewall rules / login info.

                        @wazim4u said in One Voucher Per Device:

                        after a few days it gives the same error again

                        What error ?

                        @wazim4u said in One Voucher Per Device:

                        I think it needs more stability

                        True, it was just an idea.
                        The thing is, for good development, I should use GitHub and work with a pull request, and thus base myself on the latest dev version = some 2.5.0.xxxxx file version.
                        This means that I should have a "2.5.0" somewhere - but not at my work, where I use pfSense already, using Captive Portal coupled to FreeRadius.
                        Keep in mind that I'm not actively using vouchers myself. The idea of "selling" Internet time doesn't really exist any more (Europe). I can throttle down a user if abuse is detected, that's enough for me.

                        • W
                          wazim4u
                          last edited by

                          In the Middle East we have labor camps having 1000-15000 users, and everywhere people get internet at a very low rate, 0.25 Cents per day. So selling internet is a big business here and there are 1000 of labor camps.
                          I wanted to set up Captive Portal with FreeRadius. It works, but I didn't find any option to create users in bulk, adding 2000 to 3000 plus users from the PF GUI. Adding users one by one is very difficult.
                          I also get an issue: if you make any changes in the live system under captive portal, users get the message "you are connected" but there is no internet. Will using hard timeout & idle timeout not require the voucher to be entered again ? Will it re-authenticate vouchers automatically ? Currently I have no hard timeout or idle timeout set; please suggest your recommended values (vouchers are always for a one month time period).

                          • GertjanG
                            Gertjan @wazim4u
                            last edited by

                            @wazim4u said in One Voucher Per Device:

                            captive portal users get the message "you are connected" but there is no internet

                            See the 'other' thread that handles that subject.
                            See also here : https://github.com/pfsense/pfsense/pull/4042 - the solution is in feedback stage. The patch can be imported 'officially' (again, see the other thread for details on how to do so).

                            I advise you to install this patch right away.
                            At least, you can edit your settings (do you have to edit your settings ?) without all connected users being thrown out.
                            Right now, after an edit you have to purge the connected user list - if you don't, connected users will hit the "You are already connected" text.

                              • C
                                colleytech @Gertjan
                                last edited by

                                @Gertjan said in One Voucher Per Device:

                                Ok, great !

                                I updated these a week or so ago :
                                @Gertjan said in One Voucher Per Device:

                                This is the new /etc/inc/captiveportal.inc file:
                                https://pastebin.com/V6uWHNz5
                                This is the new /usr/local/www/services_captiveportal.php file.
                                https://pastebin.com/QLhNhgAW

                                I'll post back here when I make more edits.

                                @Gertjan this worked great for me, as I wanted, but I have one challenge, just one: instead of one login per user, I wanted 2 logins per user, so that a guest could log in with a laptop and a phone. After the two devices, every subsequent login with the same credential will be dropped.
                                Kindly guide me through it if it is possible.

                                • GertjanG
                                  Gertjan
                                  last edited by

                                  Using vouchers ?
                                  Don't think so. That means changing the code -> more PHP editing in this case.

                                  But I'm doing exactly that right now at my work : a hotel.
                                  Classic login users (not vouchers) - and a unique password for each room.
                                  And Freeradius, that limits each user just fine at 2 max logins.

                                  • C
                                    colleytech @Gertjan
                                    last edited by

                                    @Gertjan said in One Voucher Per Device:

                                    Using vouchers ?
                                    Don't think so. That means changing the code -> more PHP editing in this case.

                                    But I'm doing exactly that right now at my work : a hotel.
                                    Classic login users (not vouchers) - and a unique password for each room.
                                    And Freeradius, that limits each user just fine at 2 max logins.

                                    @Gertjan, not for vouchers, but usernames and passwords... almost the same environment. Users can log in with room number and surname as username and password. Then vouchers can be for conference guests, where a particular voucher can be adjusted for the number of conference participants.

                                    • DerelictD
                                      Derelict LAYER 8 Netgate
                                      last edited by

                                      A voucher can be for one device or anyone with the code. There is no numeric limit that can be applied.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      • C
                                        colleytech @Gertjan
                                        last edited by

                                        @Gertjan said in One Voucher Per Device:

                                        Using vouchers ?
                                        Don't think so. That means changing the code -> more PHP editing in this case.

                                        But I'm doing exactly that right now at my work : a hotel.
                                        Classic login users (not vouchers) - and a unique password for each room.
                                        And Freeradius, that limits each user just fine at 2 max logins.

                                        @Gertjan would you mind sharing your progress and code when you successfully get it to work on 2 devices per user? Regards

                                        • GertjanG
                                          Gertjan
                                          last edited by

                                          No progress, no code needed.

                                          As said, you need Freeradius. The package.

                                          On the first user you declare in Freeradius, you add this in the advanced section :

                                          6a317413-f815-4408-b038-95a61872e4eb-image.png

                                          All further users will use this setting : not more than 2 logins per account.

                                          How to set up Freeradius ?
                                          That's not a question. This thing is huge and needs to be studied. It's like a mail server or web server, there is no such thing as "a click here and a click there and you're up".

                                          I advise that you start looking at the videos from Netgate on YouTube.

                                          Not that it really matters, but I'm using a MySQL (Maria) DB server for the Freeradius storage needs. That's just a choice, none is needed actually, Freeradius can also work with a flat file database, stored on the pfSense drive.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.