One Voucher Per Device
-
Sure.
pfSense portal code on 2.4.4-p2 is different.
There is no development for the 2.3.5 anymore - I don't have it. -
@Gertjan ok..let me check it out with 2.4.4 p2
-
@Gertjan thanks a lot..finally worked with 2.4.4 p2
-
Ok, great !
I updated these a week or so :
@Gertjan said in One Voucher Per Device:
This is the new /etc/inc/captiveportal.inc file:
https://pastebin.com/V6uWHNz5
This is the new /usr/local/www/services_captiveportal.php file.
https://pastebin.com/QLhNhgAW
I'll post back here when I make more edits.
-
Hi Gertjan,
I have tried your code and it was working fine. When I tried it in a live system with up to 3000 captive portal users, I got a lot of issues, giving the message that reuse of identification is not allowed. It works only when you manually disconnect the user, and sometimes after a few days it again gives the same error and does not let the user log in. I went back to the original system (default pfSense), using the latest version 2.4.4-p3.
This is a very great feature; I think it needs more stability. This feature should be part of pfSense by default.
-
Hi,
@wazim4u said in One Voucher Per Device:
it works only when you manually disconnect user
What do you mean by manually disconnecting ?
Why should you ?
What is your idle timeout? Hard timeout?
Keep in mind, users are disconnected from the portal after one of these two becomes "true".
Users can reauth again of course, as long as their voucher isn't expired.
This means that while a user has an active session with his voucher, other reuse attempts are
- accepted - multiple users will get connected with the same vouchers,
- the initial user is thrown out, only the last login persists,
- or, new (my patch): subsequent users are not allowed to login.
Point 1 & 2 is the behaviour pfSense currently offers.
Point 3 is what my patch should offer.
Point 3 has a caveat: the user with a valid voucher should be 'logged in' all the time onto the captive portal, so subsequent logins can be refused. If not, the 'initial' login with voucher always wins, even if it is a new device ...
This can be enforced with an (example) hard timeout of "0" and a soft timeout of at least the maximum voucher time.
This way, voucher users stay logged in, even if there is no activity. Subsequent login attempts will get refused.
Finally, the vouchers expire, and the portal will flush their firewall rules / login info.
@wazim4u said in One Voucher Per Device:
after few days again it give same error
What error ?
@wazim4u said in One Voucher Per Device:
i think it need more stability
True it was just an idea.
The thing is, for good development, I should use github and working with a pull request, and thus basing myself on the latest dev version = some 2.5.0.xxxxx file version.
This means that I should have a "2.5.0" somewhere - but not on my work, where I use pfSense already, using Captive Portal coupled to FreeRadius.
Keep in mind that I'm not actively using vouchers myself. The idea of "selling" Internet time doesn't really exist any more (Europe). I can throttle down a user if abuse is detected, that's enough for me. -
In Middle East we have labor camps having 1000-15000 users and everywhere people get internet with very low rate 0.25 Cents per day. So selling internet is a big business here and there are 1000 of labor camp.
I wanted to make Captive portal with FreeRadius; it works, but I didn't get any option to create bulk users, adding 2000 to 3000 plus users from the PF GUI. Adding users one by one is very difficult.
Also, I get an issue: if you make any changes in the live system under captive portal, users get the message that you are connected but there is no internet. Using hard timeout & idle time will not require the voucher to be entered again? It will re-authenticate vouchers automatically? Currently I have no hard timeout or idle time set; suggest me your recommended values (vouchers are always for a one month time period). -
@wazim4u said in One Voucher Per Device:
captive portal users get message you are connected but there is no internet
See the 'other' thread that handles that subject.
See also here: https://github.com/pfsense/pfsense/pull/4042 - the solution is in feedback stage. The patch can be imported 'official' (again, see the other thread for details on how to do so).
I advise you to install this patch right away.
At least, you can edit your settings (do you have to edit your settings ?) without all connected users being thrown out.
Right now, after an edit you have to purge the connected user list - if you don't, connected users will hit the "You are already connected" text. -
@Gertjan said in One Voucher Per Device:
Ok, great !
I updated these a week or so :
@Gertjan said in One Voucher Per Device:
This is the new /etc/inc/captiveportal.inc file:
https://pastebin.com/V6uWHNz5
This is the new /usr/local/www/services_captiveportal.php file.
https://pastebin.com/QLhNhgAW
I'll post back here when I make more edits.
@Gertjan this worked great for me, as I wanted, but I have one challenge, just one: instead of one login per user, I wanted 2 logins per user, so that a guest could log in with laptop and phone; after the two devices, every subsequent login with the same credential will be dropped.
Kindly guide me through if it is possible. -
Using vouchers ?
Don't think so. That means changing the code -> more PHP editing in this case.
But I'm doing exactly that right now at my work: a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And Freeradius, that limits just fine each user at 2 max logins. -
@Gertjan said in One Voucher Per Device:
Using vouchers ?
Don't think so. That means changing the code -> more PHP editing in this case.
But I'm doing exactly that right now at my work: a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And Freeradius, that limits just fine each user at 2 max logins.
@Gertjan, not for vouchers, but usernames and passwords... almost the same environment. Users can log in with room number and surname as username and password... then vouchers can be for conference guests, where a particular voucher can be adjusted for the number of conference participants
-
A voucher can be for one device or anyone with the code. There is no numeric limit that can be applied.
-
@Gertjan said in One Voucher Per Device:
Using vouchers ?
Don't think so. That means changing the code -> more PHP editing in this case.
But I'm doing exactly that right now at my work: a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And Freeradius, that limits just fine each user at 2 max logins.
@Gertjan would you mind sharing your progress and code when you successfully get it to work on 2 devices per user? Regards
-
No progress, no code needed.
As said, you need Freeradius. The package.
On the first user you declare in Freeradius, you add this in the advanced section :
All further users will use this setting: not more than 2 logins per account.
How to set up Freeradius?
That's not a question. This thing is huge and needs to be studied. It's like a mail server or web server, there is no such thing as "a click here and click there and you're up".
I advise that you start looking at the videos from Netgate on YouTube.
Not that it really matters, but I'm using a MySQL (Maria) DB server for the Freeradius storage needs. That's just a choice, none is needed actually, Freeradius can also work with a flat file database, stored on the pfSense drive.
-
@Gertjan said in One Voucher Per Device:
No progress, no code needed.
As said, you need Freeradius. The package.
On the first user you declare in Freeradius, you add this in the advanced section :
All further users will use this setting: not more than 2 logins per account.
@Gertjan ... ok, I have added the above line in FreeRadius, with option 3 (First sessions per username / voucher) selected in non concurrent login, but only one device can log in; the second device comes with the error "reuse of id not allowed".
Am I missing something? -
@colleytech said in One Voucher Per Device:
the second device comes with the error "reuse of id not allowed".
Am I missing something?
Ah, so you're using my code that changes somewhat the way vouchers login:
- many
- only last
- only first
Right?
You can't change that behavior, except if you are willing to "play" with the code (PHP script).
If you are willing to drop voucher usage, and step over to the classic user/password,
and
you use FreeRadius
then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now ) -
@Gertjan said in One Voucher Per Device:
@colleytech said in One Voucher Per Device:
the second device comes with the error "reuse of id not allowed".
Am I missing something?
Ah, so you're using my code that changes somewhat the way vouchers login:
- many
- only last
- only first
Right?
You can't change that behavior, except if you are willing to "play" with the code (PHP script).
If you are willing to drop voucher usage, and step over to the classic user/password,
and
you use FreeRadius
then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now )
@Gertjan your code works with FreeRadius users, that's what I use it for. I don't mind going without vouchers.
If you use the default pfSense PHP code, the simultaneous-use =3 will work, but it will always disconnect the logged-in user to make way for the new login.
Just like what your code is doing, stopping reuse of id without disconnecting the current user: is there a way to achieve that with FreeRadius, whereby, after two devices log in, the third one will be dropped, instead of the already logged-in devices?
Regards -
you use FreeRadius
then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now )
@Gertjan I am still battling with this... Is there a way I could use this and still not get my two connected devices disconnected when a third login attempt is made?
The goal is to get two devices per user; then a third login will be dropped instead of it disconnecting an already connected device. Thanks in advance
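The three reuse behaviours discussed in this thread (many, only last, only first) and the two-devices-per-account request, as an added example that is not part of any post and is not pfSense or FreeRADIUS code: a small Python model that generalizes the policies to a per-credential device limit and shows why "only first" depends on sessions not expiring early. The class, method and credential names are hypothetical, and the timeout handling is a simplified assumption (None means disabled).

```python
# Toy model of captive-portal login policies (added example, not pfSense code).
# All names are hypothetical; times are plain seconds; data is constructed.

class Portal:
    def __init__(self, policy, max_devices=1, idle_timeout=None, hard_timeout=None):
        if policy not in ("many", "last", "first"):
            raise ValueError(policy)
        self.policy = policy
        self.max_devices = max_devices
        self.idle_timeout = idle_timeout  # None: never expire on inactivity
        self.hard_timeout = hard_timeout  # None: never expire on session age
        self.sessions = {}                # credential -> {device: [started, last_seen]}

    def _expire(self, now):
        for devs in self.sessions.values():
            for dev, (started, seen) in list(devs.items()):
                idle = self.idle_timeout is not None and now - seen >= self.idle_timeout
                hard = self.hard_timeout is not None and now - started >= self.hard_timeout
                if idle or hard:
                    del devs[dev]

    def activity(self, cred, device, now):
        self._expire(now)
        if device in self.sessions.get(cred, {}):
            self.sessions[cred][device][1] = now

    def login(self, cred, device, now):
        self._expire(now)
        devs = self.sessions.setdefault(cred, {})
        if device in devs:                      # same device re-authenticating
            devs[device][1] = now
            return "accepted"
        if self.policy != "many" and len(devs) >= self.max_devices:
            if self.policy == "first":          # keep existing sessions, refuse newcomer
                return "rejected"
            del devs[min(devs, key=lambda d: devs[d][0])]  # "last": evict oldest session
        devs[device] = [now, now]
        return "accepted"

    def connected(self, cred, now):
        self._expire(now)
        return sorted(self.sessions.get(cred, {}))

def demo():
    # Two devices per account, third refused without disturbing the first two.
    p = Portal("first", max_devices=2)
    return [p.login("room101", d, t) for t, d in enumerate(["laptop", "phone", "tablet"])]

if __name__ == "__main__":
    print(demo())
```

With an idle timeout set, a silent first device is expired and the next device takes its slot, which is the caveat described for the "only first" behaviour.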