One Voucher Per Device

wazim4u

@Gertjan

did you get any way to unbind MAC with IP ? if only MAC is authentication for second login with same voucher so system can work perfectly . DHCP sometimes renew IP of some clients so we have to disconnect them to let them use the voucher again because it binds with MAC & IP . else your patch is working perfectly .

Gertjan

@wazim4u said in One Voucher Per Device:

did you get any way to unbind MAC with IP ?

That means a rather big rewrite of most functions in /etc/inc/captiveportal.inc ....
Portal code is IP and MAC based ....
This exists :

but that one doesn't interest you ...

@wazim4u said in One Voucher Per Device:

DHCP sometimes renew IP of some clients so

Yep, and the DHCP will renew the IP -> and it will grant the SAME IP.
One exception : if this IP is already used by some other device (pool to small, so IP's get recycled).
On my portal, I always receive the same IP when I connect with my PC or Phone.

Iahmad

hi all,
voucher to device binding is must require feather i ma requesting net gate management to add this feather to coming version..
@Gertjan @wazim4u @colleytech

layek

@Gertjan how to get this option.

Gertjan

You mean a pfsense feature requests ?

layek

@Gertjan thanks for your reply. i want to setup vouchers for 1st device only.

free4

@layek sure

the feature request is here : https://redmine.pfsense.org/issues/9432

feel free to make a pull request for implementing this feature !

layek

@free4 thats mean this feature not possible right now with latest version?

ajmaltms

upto 2.4.3 version its working fine..hope they will implement in latest version too in 2.4.4 series

Gertjan

I can propose some kind sort of temporary solution :

First, tell people that they can't use vouchers on more then one device. If the voucher is used more then one device, it will expire right away.
This means : the initial, first connection also stops, the person using it will now really understand he shouldn't share the voucher - not even with himself on his other device.

Then, execute your warning :

Open file /etc/inc/captiveportal.inc
Locate this line : https://github.com/pfsense/pfsense/blob/64031495039dcbfa2f3d5a6eb09f70a46d74d83f/src/etc/inc/captiveportal.inc#L2369
Just before the "break;" instruction, add these two lines :

			voucher_expire($username); /* added */
			captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "CONCURRENT LOGIN - TERMINATING THE VOUCHER"); /* added */

It should look like :

			/* This user was already logged in so we disconnect the old one */
			captiveportal_disconnect($cpentry, 13);
			captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "CONCURRENT LOGIN - TERMINATING OLD SESSION");
			$unsetindexes[] = $cpentry[5];
			voucher_expire($username); /* added */
			captiveportal_logportalauth($cpentry[4], $cpentry[3], $cpentry[2], "CONCURRENT LOGIN - TERMINATING THE VOUCHER"); /* added */
			break;

Note :
I didn't try this out myself.
Users will not get disconnected right away. If all goes as planned, they will get disconnected the next time the 'pruning' process runs, that's in : after 60 seconds.

Tell me if this works

wazim4u

@ajmaltms @ishtiaqaj @layek i took a risk as mentioned before and deployed 2.5 development version of pfsense on my two sites one about 2500 captive portal users & second 1500 captive portal users. i have applied patch given by Gertjan with some tricks ( DHCP Lease ) to make it work. since 2 months not a single issue i have found and everything works smoothly.

only one device able to login no concurrent login " Reuse of identification not allowed" is message if you try to login with same voucher to other device. i have given details above in this thread already. Until we get some permanent solution you can go with this.

@Gertjan as development version daily snapshot keep updating day by day so i request you to provide guide to make changes to /etc/inc/captiveportal.inc as its not logical to copy paste the captiveportal.inc old file with new updated one each time, can have multiple issues because of some code changes in new version. for me i have stopped updating development version since its working fine.

Gertjan

@wazim4u said in One Voucher Per Device:

i took a risk as mentioned before and deployed 2.5 development version of pfsense on my two sites one about 2500 captive portal users & second 1500 captive portal users. i have applied patch given by Gertjan with some tricks ( DHCP Lease ) to make it work. since 2 months not a single issue i have found and everything works smoothly.
only one device able to login no concurrent login " Reuse of identification not allowed" is message if you try to login with same voucher to other device. i have given details above in this thread already. Until we get some permanent solution you can go with this.

Your talking about the other thread where I proposed another " Reuse of (voucher) identification not allowed " solution ?

wazim4u

@Gertjan yes you mentioned in another thread but we have already discussed this in detail about this patch in this thread if you get back a little bit you will find our discussion. I was having two basic issues, First one is when Reuse of identification not allowed" appears it shows two login forms side by side & other problem was if IP changes for already logged in user it gives same error Reuse of identification not allowed" even this device is same.
I have made 1 year Lease in DHCP & increase the IP Pool to make it work and there is no more issue.

colleytech

@Gertjan , this edited codes below were of great help to me, in ensuring one voucher per device and second device will not get connected with same voucher,,,,,

now i installed a new pfsense 2.4.4 p3, but the code doesnt seem to be working,,,,
@ajmaltms @Gertjan do u, by any chance still have the iso for 2.4.4 p2

Here we go:
This is the new /etc/inc/captiveportal.inc file:
https://pastebin.com/V6uWHNz5
This is the new /usr/local/www/services_captiveportal.php file.
https://pastebin.com/QLhNhgAW

Gertjan

Noop.

2.4.4-p2 doesn't exist any more.

The code/script - several lines of PHP here and there, would most probably still work, it needed to be phrased in by hand.

Iahmad

@wazim4u dear can you provide the two files links to download.

Gertjan

The links are present above.

See them as guidelines to change the "concurrent behavior" of vouchers.
For me it was just a 'proof of concept', I'm not using vouchers myself.

wazim4u

@ishtiaqaj Files are same as given above. Test them if they are not working let me know.
I am currently doing testing with FreeRADIUS server & Daloradius which is working perfectly with one voucher per device & Accounting. once my testing is over will move all built-in pfSense voucher system to Radius Based Voucher.

colleytech

@Gertjan is there any update to the php script for one voucher for one device? when i use your code for one voucher a device, it allows every code to connect multiple devices, even if u select first login... kindly help review the code for 2.4.4 p3

wazim4u

@colleytech I have no issue with Pfsense 2.5-Dev. 1200 Users 800 plus concurrent
recent log from 24-April-2020 given below. if someone tries to use same voucher, not allowed.

Apr 24 09:03:16	logportalauth	22958	Zone: Camp - CONCURRENT VOUCHER LOGIN - NOT ALLOWED KEEPING OLD SESSION : 1688815233, 94:14:7a:55:b5:0e, 10.20.25.154