One Voucher Per Device



  • @Gertjan said in One Voucher Per Device:

    Captive portal users get message you are connected but there is no internet

    I was trying to apply this patch and I'm getting below error:

    Patch can NOT be applied cleanly (detail)
    Patch can NOT be reverted cleanly (detail)

    I can apply the patch by editing the below files,

    src/etc/inc/captiveportal.inc
    src/etc/inc/system.inc
    src/usr/local/captiveportal/index.php

    but I'm using your version of 'src/etc/inc/captiveportal.inc'

    What is the solution for this?

    Thanks in advance



  • @rayyanthameem said in One Voucher Per Device:

    I was trying to apply this patch and I'm getting below error:
    Patch can NOT be applied cleanly (detail)
    Patch can NOT be reverted cleanly (detail)

    So :

    @Gertjan said in One Voucher Per Device:

    See the 'other' thread that handles that subject.
    See also here : https://github.com/pfsense/pfsense/pull/4042 the solution is in feedback stage. The patch can be imported 'official' (again, see the other thread for details on how to do so).

    This thread handles an entirely different issue.



  • @Gertjan Thanks for your help, I hope this is the patch I've to apply: https://patch-diff.githubusercontent.com/raw/pfsense/pfsense/pull/4042.diff



  • @rayyanthameem said in One Voucher Per Device:

    https://patch-diff.githubusercontent.com/raw/pfsense/pfsense/pull/4042.diff

    That's the one.
    As you noticed, the patch can't be applied against a 2.4.4-p3 on your device.
    This is because the actual version of pfSense on github is more recent (like a 2.4.4-p4) than the version you have (2.4.4-p3).
    So, first, you have to retrieve from github the most recent files for :
    /etc/inc/captiveportal.inc
    /usr/local/captiveportal/index.php
    /etc/inc/system.inc

    Then the patch can be applied.

    I'm using it right now.



  • @Gertjan said in One Voucher Per Device:

    Here we go:
    This is the new /etc/inc/captiveportal.inc file:
    https://pastebin.com/V6uWHNz5

    Now I am using your version of 'captiveportal.inc'

    Are you suggesting that, except for 'captiveportal.inc', I use everything else and apply the patch?



  • @rayyanthameem said in One Voucher Per Device:

    Now I am using your version of 'captiveportal.inc'

    That won't (probably) work with the 4042 patch.

    The issue of this thread, the "One Voucher use" is something different.
    Because I didn't publish a patch on github (== a pull request) there is only one way to make my patch work : you have to distil the modifications yourself out of the two files mentioned above (the pastebin ones).

    I made a case-study of the issue because it pops up often : limiting a voucher to ONE device.
    A fact is : when someone proposes a patch against github, the patch should be supported by the author during the entire implementation time and test phase.
    I'm not using vouchers myself .... and lack the time to support such an issue.



  • Basically, I want to fix both problems, I need to use the One voucher per device and also fix the 4042 issue.

    by distil you mean to compare two codes and do the changes?

    I've tried to do it, but there is some extra code in github version (Line 228). Please see the attached screenshot.



  • @rayyanthameem said in One Voucher Per Device:

    by distil you mean to compare two codes and do the changes?

    Exactly.

    @rayyanthameem said in One Voucher Per Device:

    I've tried to do it, but there is some extra code in github version (Line 228). Please see the attached screenshot.

    I advise you to take the latest version from github, include the patch "4042" and then, if you feel up to it, implement the voucher issue.
    There are two patches :
    Some updates for the GUI captive portal settings page :
    https://pastebin.com/QLhNhgAW

    Several lines have to be taken from
    https://pastebin.com/V6uWHNz5 ( /etc/inc/captiveportal.inc )



  • hi all,
    I started this thread, but now it seems a lot of people have the same problem, so I am requesting management to add this function, one voucher per device or for two devices, in the official release.

    thanks @ajmaltms @Derelict @free4 @Gertjan @wazim4u @colleytech @rayyanthameem



  • @Gertjan Do you have the original captiveportal.inc file? then I can compare to your modification and do that modification in github version.



  • Noop.

    The pastebin files are what's left.
    I went back to the stock version.



  • @free4 : you're probably right : I based my edits on that file / version 2.4.4-p3.
    @rayyanthameem : a diff will tell you ^^



  • @Gertjan Failed!!.

    Patch didn't load, the device was able to connect internet without the voucher, CP changes took longer to save.

    in short multiple issues, not sure what is the problem.

    Here is the modified version: https://pastebin.com/66y1UgZf



  • Tip :

    The easiest file to edit / change first is the https://pastebin.com/QLhNhgAW : the GUI web config page.

    Search for 'noconcurrentlogins' occurrences in that file.

    The only thing that changes in that file is the state of 'noconcurrentlogins' : it changes from

    //      $newcp['noconcurrentlogins'] = $_POST['noconcurrentlogins'] ? true : false;
    

    = true or false

    to true, false or multiple.

    This is handled in several places, and easy to spot.

    Test this one first. You can see in the GUI that it works : changing settings in the GUI can be tested using the 'viconfig' command : you should see the state of (noconcurrentlogins) in captive portal settings page.



  • @Gertjan said in One Voucher Per Device:

    caveat

    I would like to know if you have any recent development on your patch (one voucher per device) for the 2.5.0 version. I have taken the risk of using the 2.5 development version for a captive portal service with up to 2200 users on the voucher system. The test service has been running for one week and so far there is no issue, and all the issues I was facing in the 2.4.4-p3 captive portal, like system reboots or changing settings, are gone... it made life easy for me. I have implemented your patch again to lock the user to the first login. It has been working fine for 1 week, with a few small issues so far which I think are fixable.

    1- When you try to log in again with an already active voucher, it gives an error page with two form fields. One gives the notice (reuse of authentication not allowed) and the second form (voucher expired); it should be only the first one in this case.

    2- Secondly, it should be MAC based authentication, not MAC & IP. If someone adds a voucher and his lease is changed from 1.1.1.1 to 2.2.2.2, he will not be able to log in again even though the MAC (device) is the same. This is the major problem at the moment.

    3- Getting some crash error, but it doesn't affect captive portal operation.

    non numeric-value  encountered in etc/inc/captiveportal.inc on line 1955
    


  • @wazim4u said in One Voucher Per Device:

    1-

    These two 'error' screens show one after the other ?

    2

    I guess I understand. When a device comes back, and its original DHCP lease is already reused - reassigned - to another device, this happens. The MAC/IP pair will be different.
    Simple solution : make the DHCP lease pool size for the portal really big.
    Furthermore, the portal_allow() function scans over the connected user database using this selection criteria :

    	/* read in client database */
    	$query = "WHERE ip = '{$clientip}'";
    

    which implies that the IP should be the same ...
    ( change this to {$clientmac} and see what happens ^^)

    3 ....

    You changed the etc/inc/captiveportal.inc file so I don't know what this '1955' line is doing.
    Can you show some code on that spot ?



  • @Gertjan said in One Voucher Per Device:

    $clientmac

    1- Yes, they come side by side on desktop like in the image, and on mobile view one above the other.

    2- The DHCP lease is already one month. Do you want me to make it longer? That's the first solution; secondly, the option you have given is to change the client IP query to client MAC. This query is in two places; which one should I change? If you can please guide me, I will test and let you know.

    A:

    /* read in client database */
    	$query = "WHERE ip = '{$clientip}'";
    	if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) {
    		$tmpusername = SQLite3::escapeString(strtolower($username));
    		$query .= " OR (username != 'unauthenticated' AND lower(username) = '{$tmpusername}')";
    	}
    	$cpdb = captiveportal_read_db($query);
    

    B:

    /* read in client database */
    	$query = "WHERE ip = '{$clientip}'";
    	$cpdb = captiveportal_read_db($query);
    	foreach ($cpdb as $cpentry) {
    		return $cpentry;
    	}
    

    3- I didn't change anything in the code; for reference, the image of line 1955 is attached below.



  • Hummmm.

    See https://pastebin.com/V6uWHNz5 - that's the file, right ?
    Convert line 2353 and 2370 into comments (put a // at the beginning of the line ).

    DHCP pool size, not lease size.
    Bigger pool means : leases will be recycled less quickly == more chance that the same device gets the same IP when it reconnects.

    For A: that one, yes.
    Not B : you'll be changing the behaviour of that function ( function captiveportal_isip_logged($clientip) ) and you'll break things.

    $ridx +=2 is a very classic numerical expression for "add 2 to $ridx". Also, $ridx is set to "2000" up front, which is also a number - at least, last time I checked, it was.
    So, your

    non numeric-value encountered in etc/inc/captiveportal.inc on line 1955

    scares me ....
    You're running out of space for the dual rules (env ( 64500-2000) / 2 ) or 31250 registered "logged in user" rules .... ???
    You should see log messages like "Zone: {$cpzone} - WARNING! Captive portal has reached maximum login capacity"



  • @Gertjan

    1. Converted line 2353 & 2370 as mentioned ( // ); now I can see only a single page, but the message is "Expired voucher"; it should be "reuse authentication not allowed" or a similar custom one like "concurrent login not allowed".

    2- The DHCP pool is already a /19 (8190 available IPs) with only 2500 users; the lease time is 1 month.

    /* read in client database */
    	$query = "WHERE ip = '{$clientip}'";
    

    Changing $clientip to $clientmac has no impact. I disabled the whole line starting from $query and it worked with some error, but connected me with another IP with the same MAC (just tested or played around). Another MAC is still not allowed to log in.

    3- There is no warning in the logs for maximum login capacity; we have only 2500 users as mentioned before.

    I think the DHCP option will be the best way to handle this at the moment, to keep the same IP always assigned to clients.



  • @Gertjan

    did you get any way to unbind MAC with IP ? If only the MAC is used for authentication on a second login with the same voucher, the system can work perfectly. DHCP sometimes renew IP of some clients so we have to disconnect them to let them use the voucher again, because it binds with MAC & IP. Otherwise your patch is working perfectly.



  • @wazim4u said in One Voucher Per Device:

    did you get any way to unbind MAC with IP ?

    That means a rather big rewrite of most functions in /etc/inc/captiveportal.inc ....
    Portal code is IP and MAC based ....
    This exists :
    but that one doesn't interest you ...

    @wazim4u said in One Voucher Per Device:

    DHCP sometimes renew IP of some clients so

    Yep, and the DHCP will renew the IP -> and it will grant the SAME IP.
    One exception : if this IP is already used by some other device (pool too small, so IPs get recycled).
    On my portal, I always receive the same IP when I connect with my PC or Phone.
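
The IP-plus-MAC matching discussed in the posts above can be modelled in a few lines. This is an added example, not code from the thread or from pfSense: the `sessions` table, the `check_voucher_login()` helper, the voucher name and the addresses are all constructed for illustration.

```php
<?php
// Simplified model of a captive-portal session table (constructed schema and
// data, not pfSense's real database). It contrasts two ways of recognising a
// returning device that presents a voucher which is already in use.

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE sessions (ip TEXT, mac TEXT, username TEXT)');
// Constructed sample row: voucher "vch-1111" was first used by this device.
$db->exec("INSERT INTO sessions VALUES ('10.0.0.23', 'aa:bb:cc:00:00:01', 'vch-1111')");

/**
 * Decide what to do with a login attempt (hypothetical helper).
 * $matchOn is 'ip+mac' (the pair must match) or 'mac' (device only).
 * Returns 'new-session', 'same-device' or 'reuse-denied'.
 */
function check_voucher_login(SQLite3 $db, string $voucher, string $ip, string $mac, string $matchOn): string
{
    // Bound parameter instead of string interpolation in the WHERE clause.
    $stmt = $db->prepare('SELECT ip, mac FROM sessions WHERE lower(username) = :u');
    $stmt->bindValue(':u', strtolower($voucher), SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);

    if ($row === false) {
        return 'new-session';              // voucher not in use yet
    }
    $sameMac = strcasecmp($row['mac'], $mac) === 0;   // MAC case may differ
    $sameIp  = $row['ip'] === $ip;
    $sameDevice = ($matchOn === 'mac') ? $sameMac : ($sameMac && $sameIp);

    return $sameDevice ? 'same-device' : 'reuse-denied';
}

// Constructed attempts: [label, ip, mac]
$attempts = [
    ['same device, same lease', '10.0.0.23', 'aa:bb:cc:00:00:01'],
    ['same device, new lease',  '10.0.0.87', 'AA:BB:CC:00:00:01'],
    ['second device',           '10.0.0.42', 'aa:bb:cc:00:00:02'],
];
foreach ($attempts as [$label, $ip, $mac]) {
    printf("%-25s ip+mac: %-13s mac: %s\n", $label,
        check_voucher_login($db, 'vch-1111', $ip, $mac, 'ip+mac'),
        check_voucher_login($db, 'vch-1111', $ip, $mac, 'mac'));
}
```

Run it with the PHP CLI with the SQLite3 extension enabled; the middle row is the case from the thread where a device returns with a different DHCP lease, and only the pair-based match refuses it.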



  • hi all,
    Voucher to device binding is a must-have feature. I am requesting Netgate management to add this feature to the coming version.
    @Gertjan @wazim4u @colleytech



  • @Gertjan how to get this option.





  • @Gertjan thanks for your reply. I want to set up vouchers for the 1st device only.


  • @layek sure

    the feature request is here : https://redmine.pfsense.org/issues/9432

    feel free to make a pull request for implementing this feature !



  • @free4 that means this feature is not possible right now with the latest version?



  • Up to version 2.4.3 it's working fine. Hope they will implement it in the latest version too, in the 2.4.4 series.



  • I can propose some sort of temporary solution :

    First, tell people that they can't use vouchers on more than one device. If the voucher is used on more than one device, it will expire right away.
    This means : the initial, first connection also stops, the person using it will now really understand he shouldn't share the voucher - not even with himself on his other device.

    Then, execute your warning :

    Open file /etc/inc/captiveportal.inc
    Locate this line : https://github.com/pfsense/pfsense/blob/64031495039dcbfa2f3d5a6eb09f70a46d74d83f/src/etc/inc/captiveportal.inc#L2369
    Just before the "break;" instruction, add these two lines :

    			voucher_expire($username); /* added */
    			captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "CONCURRENT LOGIN - TERMINATING THE VOUCHER"); /* added */
    

    It should look like :

    			/* This user was already logged in so we disconnect the old one */
    			captiveportal_disconnect($cpentry, 13);
    			captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "CONCURRENT LOGIN - TERMINATING OLD SESSION");
    			$unsetindexes[] = $cpentry[5];
    			voucher_expire($username); /* added */
    			captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "CONCURRENT LOGIN - TERMINATING THE VOUCHER"); /* added */
    			break;
    

    Note :
    I didn't try this out myself.
    Users will not get disconnected right away. If all goes as planned, they will get disconnected the next time the 'pruning' process runs, that's in : after 60 seconds.

    Tell me if this works ☺



  • @ajmaltms @ishtiaqaj @layek I took a risk, as mentioned before, and deployed the 2.5 development version of pfSense on my two sites, one with about 2500 captive portal users and a second with 1500 captive portal users. I have applied the patch given by Gertjan with some tricks (DHCP lease) to make it work. For 2 months I have not found a single issue and everything works smoothly.

    Only one device is able to log in, no concurrent login; "Reuse of identification not allowed" is the message if you try to log in with the same voucher on another device. I have given details above in this thread already. Until we get some permanent solution you can go with this.

    @Gertjan as the development version's daily snapshot keeps updating day by day, I request you to provide a guide for making the changes to /etc/inc/captiveportal.inc, as it's not logical to copy-paste the old captiveportal.inc file over the new updated one each time; that can cause multiple issues because of code changes in the new version. For my part, I have stopped updating the development version since it's working fine.



  • @wazim4u said in One Voucher Per Device:

    I took a risk, as mentioned before, and deployed the 2.5 development version of pfSense on my two sites, one with about 2500 captive portal users and a second with 1500 captive portal users. I have applied the patch given by Gertjan with some tricks (DHCP lease) to make it work. For 2 months I have not found a single issue and everything works smoothly.
    Only one device is able to log in, no concurrent login; "Reuse of identification not allowed" is the message if you try to log in with the same voucher on another device. I have given details above in this thread already. Until we get some permanent solution you can go with this.

    You're talking about the other thread where I proposed another "Reuse of (voucher) identification not allowed" solution ?



  • @Gertjan yes, you mentioned it in another thread, but we have already discussed this patch in detail in this thread; if you go back a little bit you will find our discussion. I was having two basic issues. The first one is that when "Reuse of identification not allowed" appears, it shows two login forms side by side; the other problem was that if the IP changes for an already logged in user, it gives the same error, "Reuse of identification not allowed", even though the device is the same.
    I have set a 1 year lease in DHCP and increased the IP pool to make it work, and there is no more issue.

