Embedded Password Config page?



  • I was wondering if anyone has found a way to embed the Password change section of the GUI to their logout page or such.

    I want to try and block GUI access to the guest accounts, aside from the Password change.

    Or restrict certain groups' logins, like the admin group cannot log in from the guest network.


  • Rebel Alliance Developer Netgate

    If you assign someone the "WebCfg - System: User Password Manager" privilege, or put them in a group with that privilege – and that is their only privilege, then when they login all they can see/reach is the password change page and a logout menu entry.



  • I am aware of that. Not really what I am trying to do however.

    Okay so atm, I am doing that, and that works. However, that leads them to a pfSense login screen, where normals get confused, and a bunch of nav for things they can't access anyway.

    I don't want all that, it's not needed, and it just confuses less techie people.

    Now from the other side, from the techies and people trying to do wrong.

    They now see the pfSense logo, and know I am running pfSense and can begin trying to break in, with that somewhat helpful knowledge.

    They are allowed Full GUI access on the Guest Lan, so they can begin to try and brute force into the network's admin account.

    So what I am wanting to do, is deny access to the GUI from the Guest Lan, and have the 1 Password change screen, be added through some type of iframe, or even just a data entry method from Captive portal screens would actually be better. So once they are logged in, they have the ability to edit their account on the logout page.

    EDIT: I did find a post talking about this, and some small snippet of example code, not sure if it's Java or PHP or what though. So I guess it is possible, the how is what I need to know :).



  • Okay so I have been doing a little more digging, and it turns out this is doable with PHP? As is discussed here https://forum.pfsense.org/index.php?topic=57907.0

    So this PHP is Greek to me lol.

    Has anyone got this to work, or have any tips of how to go about it?



  • @cyberlocc:

    So this PHP is Greek to me lol.

    In that case, you should 'limit' yourself to functionality of the GUI.
    Blindly (not knowing what you are doing) patching the GUI is not advisable.

    edit : maybe it's possible to write your own "html portal login page", and extend that with some PHP lines (as stated in the other thread) so users can do what you want.
    But, then again, asking to drive that car and stating you do not have the license … well ....  ;)



  • I am not trying to patch the GUI, I want to as you said, add the ability to my already custom made Captive Portal Page.

    Well I agree, that is why I am asking for help, how in fact to add that PHP in a workable manner. I mean it's code, not rocket science :P there is a snippet or some, that will do that and only that, and fit in with the custom HTML/PHP that I already have. That is where I seek guidance, from more PHP inclined.

    Because like we discussed in the other thread, can't have cake and eat it too. I can't lock them from the GUI without them the ability to change their passwords, through the captive portal. So it's a lose-lose, and even right now it's a lose-lose.

    With my current config, I am having more issues, explaining to them how to change their passwords and such than just using the MAC filtering I was doing. I went to the captive portal to make life easier. However that isn't what is happening lol.

    The "GUI Password Change" would work fine for techies, like I said. However I am in a small tourist town, running Hotel wifi, these people don't even know what OS they are running, much less how to operate all these hoops :P.

    As right now, I have the rooms all with an account. When they want it, I tell them it's "Room_**", Password is Password, change it after. I also have a link, to change it, saying "Password Management Interface" in the connection successful screen.

    Well it's been what, about 2 weeks? And I have already had to re-explain that about 50 times 2nd and third times, and people tell me they were trying to change their passwords for days, "It takes me to a screen that Says PFsense and wants me to Login?"

    And while I am not great at PHP, I am decent with code in general so if I can find a full example of the PHP needed, I can make it work, or reverse engineer it and tinker enough to make it work lol. Hence why I said, I am going to try to grab templates from OPNsense or IPFire or Sophos and see if I can figure that feature out. As they all have that in their stock Captive portals, only pfSense doesn't, even M0n0wall did, which is why it makes no sense that pfSense doesn't.



  • Yep.
    You have to explain the fact that, if people want to change the default password, they should login using that default password to change it to their own personalized password.
    I've been there. Done that. That was about 10 years ago - when pfSense started.
    I'm like you :
    " I am in a small tourist town, running Hotel wifi, these people don't even know what OS they are running, …"
    What I did :
    Rooms numbers are the user names - and I tell on the login page that a 3 digit (room) number has to be typed in as a "user" like "205".
    The password is printed on the room directory in the room.
    But, don't tell this to anybody, the password is for every room the same : "climat".

    That works great for the last several years. I know where to look for when there is abuse (clients using not their own room number).
    My advice is : keep it simple. IMHO users having to change their own password is already a complicated task.

    Btw : I'm NOT selling any access time.


  • Rebel Alliance Developer Netgate

    @cyberlocc:

    I am aware of that. Not really what I am trying to do however.

    It's exactly what you're trying to do.

    @cyberlocc:

    Okay so atm, I am doing that, and that works. However, that leads them to a pfSense login screen, where normals get confused, and a bunch of nav for things they can't access anyway.

    I don't want all that, it's not needed, and it just confuses less techie people.

    If you only assign them the permission for the password change page, they get that page when they login, and nothing else. The menus are irrelevant and they're empty anyhow, if not hidden.

    @cyberlocc:

    They now see the pfSense logo, and know I am running pfSense and can begin trying to break in, with that somewhat helpful knowledge.

    So? If you follow proper practices, that gives them nothing.

    @cyberlocc:

    They are allowed Full GUI access on the Guest Lan, so they can begin to try and brute force into the network's admin account.

    The GUI has anti-brute force protection. If they try 15 times unsuccessfully, they are locked out of the GUI for an hour (minimum).

    @cyberlocc:

    So what I am wanting to do, is deny access to the GUI from the Guest Lan, and have the 1 Password change screen, be added through some type of iframe, or even just a data entry method from Captive portal screens would actually be better. So once they are logged in, they have the ability to edit their account on the logout page.

    You can't deny access to the GUI and then allow access to the GUI through an iframe. That is not possible, since their browser must reach the GUI to access any pages served by the GUI.

    What you're describing would involve setting up a second web server on the firewall for just that one task, and would likely have less security than just using the firewall directly.

    If you don't like how it's already handled in the GUI, then use RADIUS authentication off the firewall and then use whatever user/password management pages are provided by the authentication server software.

    If your users are confused by the pfSense logo, then you need to give them better instructions.



  • Well using the PHP commands, they wouldn't need access to the GUI would they?

    Also, you said if they are not hidden. That would be a very good start for me right there, I have read that is possible still trying to locate how. It was said in other threads it was doable, but the links to how are broken.