One Voucher Per Device

wazim4u · Jun 6, 2019, 2:12 PM

Hi Gerjan,

I have tried your code it was working fine, when i tried it in live system up to 3000 Captive portal users i got a lot of issue giving message to reuse of identification not allowed . it works only when you manually disconnect user and sometimes after few days again it give same error and not let use to login. i get back to original system ( default PFsense ) using version latest 2.4.4-p3

this is very great feature i think it need more stability. this feature should be by default a part of pfsense

Gertjan · Jun 6, 2019, 2:40 PM

Hi,

@wazim4u said in One Voucher Per Device:

it works only when you manually disconnect user

What do you mean by manually disconnecting ?
Why should you ?
What is your idle timeout ? hard timout ?.

Keep in mind, users are disconnected from the portal after one of these two becomes "true".
Users can reauth again of course, as long as their voucher isn't expired.

login-to-view

This means that while a user has an active session with his voucher, other reuse attemps are

accepted - multiple users will get connected with the same vouchers,
the initial user is thrown out, only the last login persists,
or, new (my patch):
subsequent users are not allowed to login.

Point 1 & 2 is the behaviour pfSense currently offers.
Point 3 is what my patch should offer.

Point 3 has a caveat : the user with a valid voucher should be 'logged in' all time onto the captive portal, so subsequent logins can be refused. If not, the 'initial' login with voucher always wins, even if it is a new device ...
This can be enforced with a (example) hard timeout of "0" and a soft time out of at least the maximum voucher time.
This way, vouchers users stay logged, even if there is no activity. Subsequent login attempts will get refused.
Finally, the vouchers expires, and the portal will flush their firewall rules / login info .

@wazim4u said in One Voucher Per Device:

after few days again it give same error

What error ?

@wazim4u said in One Voucher Per Device:

i think it need more stability

True it was just an idea.
The thing is, for good development, I should use github and working with a pull request, and thus basing myself on the latest dev version = some 2.5.0.xxxxx file version.
This means that I should have a "2.5.0" somewhere - but not on my work, where I use pfSense already, using Captive Portal coupled to FreeRadius.
Keep in mind that I'm not actively use vouchers myself. The idea of "selling" Internet time doesn't really exists any more (Europe). I can throttle down a user if abuse is detected, that's enough for me.

wazim4u · Jun 6, 2019, 3:15 PM

In Middle East we have labor camps having 1000-15000 users and everywhere people get internet with very low rate 0.25 Cents per day. So selling internet is a big business here and there are 1000 of labor camp.
i wanted to make Captive portal with FreeRadius it works but i didn't get any option to create bulk users adding 2000 to 3000 plus users from PF GUI. adding one by one user is very difficult.
Also get issue if any changes you make in live system under captive portal users get message you are connected but there is no internet. Using hardtime out & idle time will not require voucher to enter again ? it will re authenticate vouchers automatically.? currently i have no hardtime or idle time set, suggest me your recommended values ( vouchers are for one month time period always )

Gertjan · Jun 6, 2019, 3:55 PM

@wazim4u said in One Voucher Per Device:

captive portal users get message you are connected but there is no internet

See the 'other' thread that handles that subject.
See also here : https://github.com/pfsense/pfsense/pull/4042 the solution is in feedback stage. The patch can be imported 'official' (again, see other other thread for details how to do so).

I advise you that you install this patch right away.
At least, you can edit your settings (do you have to edit your settings ?) without all connected users being thrown out.
Right now, after an edit you have to purge the connected user list - if you don't, connected users will hit the "You are already connected" text.

colleytech · Jul 12, 2019, 3:46 PM

This post is deleted!

colleytech · Jul 12, 2019, 3:48 PM

@Gertjan said in One Voucher Per Device:

Ok, great !

I updated these a week or so :
@Gertjan said in One Voucher Per Device:

This is the new /etc/inc/captiveportal.inc file:
https://pastebin.com/V6uWHNz5
This is the new /usr/local/www/services_captiveportal.php file.
https://pastebin.com/QLhNhgAW

I'll post back here when I make more edits.

@Gertjan this worked great for me, as i wanted, but one challenge i have, just one,,,, instead of one login per user, i wanted 2logins per user, so that a guest could log in with laptop and phone, after the two devices, every subsequent logins with the same credential will be dropped..
kindly guide me through if it is possible..

Gertjan · Jul 12, 2019, 9:20 PM

Using vouchers ?
Don't think so. That means changing the code - > more php editing in this case.

But I'm doing exactly that right know at my work : a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And freeradius, that limit just fine each user at 2 max logins.

colleytech · Jul 12, 2019, 9:35 PM

@Gertjan said in One Voucher Per Device:

Using vouchers ?
Don't think so. That means changing the code - > more php editing in this case.

But I'm doing exactly that right know at my work : a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And freeradius, that limit just fine each user at 2 max logins.

@Gertjan , not for voucher, but usernames and passwords...almost same environment.. users can log in with room number and surname as username and password..... then vouchers can be for conference guests... where a particular voucher can be adjusted for the amount of conference participants

Derelict · Jul 13, 2019, 1:30 AM

A voucher can be for one device or anyone with the code. There is no numeric limit that can be applied.

colleytech · Jul 13, 2019, 12:13 PM

@Gertjan said in One Voucher Per Device:

Using vouchers ?
Don't think so. That means changing the code - > more php editing in this case.

But I'm doing exactly that right know at my work : a hotel.
Classic login users (not vouchers) - and a unique password for each room.
And freeradius, that limit just fine each user at 2 max logins.

@Gertjan would you mind sharing your progress and code when you successfully get it to work on 2 devices per user.. regards

Gertjan · Jul 13, 2019, 4:16 PM

No progress, no code needed.

As said, you need Freeradius. The package.

On the first user you declare in Freeradius, you add this in the advanced section :

login-to-view

All further user will use this setting : not more then 2 logins per account.

How to set up Freeradius ?
That's not a question. This thing is huge and needs to be studied. It's like a mail server or web server, there is no such thing as "a click here and click therr and your up".

I advise that you start looking at the videos from Netgate on Youtube.

Not that it really matters, but I'm using a MySQL (Maria) DB server for the Freeradius storage needs. That just a choice, none is needed actually, Freeradius can also work with a flat file data base, stored on the pfSense drive.

colleytech · Jul 15, 2019, 9:24 AM

This post is deleted!

colleytech · Jul 15, 2019, 9:27 AM

@Gertjan said in One Voucher Per Device:

No progress, no code needed.

As said, you need Freeradius. The package.

On the first user you declare in Freeradius, you add this in the advanced section :

login-to-view

All further user will use this setting : not more then 2 logins per account.

@Gertjan ...ok.. i have added this above line in the freeRadius, with option 3 (First sessions per username / voucher) selected in non concurrent login, but only one device can log in, the second device comes wit the error "reuse of id not allowed'
am i missing something??

Gertjan · Jul 15, 2019, 2:27 PM

@colleytech said in One Voucher Per Device:

the second device comes wit the error "reuse of id not allowed'
am i missing something??

Ah, so you're using my code that changes somewhat the way how vouchers login :

many
only last
only first

Right ?
You can't change that behavior, except if you are will to "play"with the code (PHP script).

If you are willing to drop voucher usage, and step over to the classic user/password,
and
you use FreeRadius
then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now )

colleytech · Jul 15, 2019, 7:16 PM

@Gertjan said in One Voucher Per Device:

@colleytech said in One Voucher Per Device:

the second device comes wit the error "reuse of id not allowed'
am i missing something??

Ah, so you're using my code that changes somewhat the way how vouchers login :

many

only last

only first

Right ?
You can't change that behavior, except if you are will to "play"with the code (PHP script).

If you are willing to drop voucher usage, and step over to the classic user/password,
and
you use FreeRadius
then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now )

@Gertjan your code works with freeRadius users, thats what i use it for.. i dont mind going without vouchers..
if you use the default pfsense php code, the simultaneous-use =3 will work, but it wil always disconnect the logged in user, to make way for the new login...
just like what your code is doing, stopping reuse of id without disconnecting the current user,, is there a way to achieve that with freeRadius.. whereby, after two devices logs in, the third one will be dropped, instead of the already logged in devices..
Regards

colleytech · Aug 3, 2019, 6:36 PM

you use FreeRadius

then
you could have something like
" Simultaneous-Use := 3 "
(maximum 2 user per login now )

@Gertjan i am still battling with this... is there a way i could use this and stil not get my two connected devices disconnected when a third login attempt is done..
the goal is to get two devices per user, then a third login will be dropped instead of it, disconnecting an already connected device..

thanks in advance

Gertjan · Aug 5, 2019, 5:56 AM

@colleytech said in One Voucher Per Device:

@Gertjan i am still battling with this... is there a way i could use this and stil not get my two connected devices disconnected when a third login attempt is done..
the goal is to get two devices per user, then a third login will be dropped instead of it, disconnecting an already connected device..

That what's I'm doing right now. With FreeRadius.
Without it : I guess not.

colleytech · Aug 5, 2019, 12:19 PM

@Gertjan

@Gertjan said in One Voucher Per Device:

@colleytech said in One Voucher Per Device:

@Gertjan i am still battling with this... is there a way i could use this and stil not get my two connected devices disconnected when a third login attempt is done..
the goal is to get two devices per user, then a third login will be dropped instead of it, disconnecting an already connected device..

That what's I'm doing right now. With FreeRadius.
Without it : I guess not.

@Gertjan ,
kindly indulge me, whenever i do it with freeradius, two devices will connect, but a third device attempting to log in will always disconnect one of the already logged in devices, thats what i am trying to avoid,,, if there is any additional setting or line of code to be added, kindly point me to it,

Gertjan · Aug 5, 2019, 2:36 PM

@colleytech said in One Voucher Per Device:

whenever i do it with freeradius, two devices will connect, but a third device attempting to log in will always disconnect one of the already logged in devices

??
That's not my experience.

The " Simultaneous-Use := 2 " statement will not allow a third login.
It doesn't kick out one of the two already logged in users.

Example :

login-to-view

Room number (== uiser) 116 : 2 parents and 3 kids.
2 iPads, 3 iPhones, some Samsung device, a Kindle and some other wifi device (a portable PC ?).

The first two logins for user "116" work fine, a third one get authenticated (same user = "116" and password) but gets thrown out a couple of seconds during the REAUTHENTICATION process : the max user threshold was reached.

colleytech · Aug 5, 2019, 2:36 PM

@Gertjan said in One Voucher Per Device:

@colleytech said in One Voucher Per Device:

whenever i do it with freeradius, two devices will connect, but a third device attempting to log in will always disconnect one of the already logged in devices

??
That's not my experience.

The " Simultaneous-Use := 2 " statement will not allow a third login.
It doesn't kick out one of the two already logged in users.

Example :

login-to-view

Room number (== uiser) 116 : 2 parents and 3 kids.
2 iPads, 3 iPhones, some Samsung device, a Kindle and some other wifi device (a portable PC ?).

The first two logins for user "116" work fine, a third one get authenticated (same user = "116" and password) but gets thrown out a couple of seconds during the REAUTHENTICATION process : the max user threshold was reached.

@Gertjan i must be missing something,,,
i have restored the box to factory and setup captive portal fresh, with no concurrent checked, and Simultaneous-Use := 3 placed in the freeRad user, i can get just one user connected, other subsequent users disconnects the first user "not what i want"..............

no concurrent unchecked and Simultaneous-Use := 3 placed in the freeRad user, i can log in with multiple devices, "not what i want"

applying your patch to select
1.many
2. only last
3. only first
and Simultaneous-Use := 3 placed in the freeRad user, doesnt still get the job done,,,,
what can i post here for you to check