Netgate Discussion Forum

    Captive Portal + Voucher not keeping auto-added "Pass-through MAC Auto Entry"

      Johan35

      Hello,

      I use pfsense 2.4.4_p3 with a captive portal config. But something seems not to be working as defined in the Netgate documentation for
      creating a portal for BYOD (smartphones).
      I give one voucher code to each user when they arrive at the company (and another one each time a user brings a new device).
      The voucher has a 5-minute lifetime.
      The configuration has Pass-through MAC Auto Entry set to Enable, because this function saves the MAC address into the portal database, so the device is then known and does not require authentication. From memory, I created this configuration in pfsense 2.3 and it worked.
      But now, after 5 minutes, the auto-inserted line in the MACs tab is automatically deleted.

      My Config
      Firewall Rules:
      -> all allow to firewall & all allow to WEB

      Captive Portal Config:
      -> I let all default parameters except:
      #enable= true
      #interface= my interface
      #Pass-through MAC Auto Entry = true
      #Authentication Method : use an authentication backend
      #Authentication server = localdatabase
      #Voucher =enable
      I have created 10 vouchers of 2 minutes
      I checked all vouchers in "Status\captive portal" before starting. All are OK.

      Process:
      The laptop connects to the BYOD interface.
      I get an IP from the DHCP service, and the portal web page opens.
      I put the first Voucher ID into the web page, connect.
      I'm connected to the internet. Perfect.
      -> I look into Services/CaptivePortal/Myportal/MACs , I see the line 'Auto-added for voucher xxxxxxxxxx' with the device MAC address
      After 2 minutes, web access is removed for the device, and the MACs line is automatically removed from the database too.

      So, can you confirm that "Pass-through MAC Auto Entry" should keep the detected MAC address without any time limit, even if a voucher code was used initially?
      Is it a bug?
      Do you have a solution to "auto-learn" MAC addresses for BYOD after the first connection?

      Thank you for your help.
      Johan

        Gertjan

        Hi,

        Can you retest, and show the Status > System Logs > Captive Portal Auth during login?
        Also, what does Diagnostics > Backup & Restore > Config History show?

        According to https://github.com/pfsense/pfsense/blob/65db20674d716208e340b96471ff98d1bb0c957b/src/etc/inc/captiveportal.inc#L1068 some MACs (users) are auto-pruned = logged out.
        "Voucher" type logins should be excluded from this.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          Gertjan @Gertjan

          @Gertjan said in Captive Portal + Voucher not keeping auto-added "Pass-through MAC Auto Entry":

          "Voucher" type logins should be excluded from this.

          Well ....
          I activated Vouchers. Added a voucher roll with "5 minute duration", and activated :

          [screenshot]

          I used a voucher to login, that was successful.
          It was added to the Services > Captive Portal > [ZONE] > MACs tab with an "Auto-added for voucher ...." description line.

          and I took a coffee break for 5 minutes.

          Guess what ? The Diagnostics >Backup & Restore > Config History page confirmed that

          [screenshot]

          was executed (several times).

          My voucher had expired .... WTF, and the auto added MAC on the Services > Captive Portal > [ZONE] > MACs had disappeared also 👎
          So, @Johan35, you're right.

          I went back to the drawing board, it's here https://github.com/pfsense/pfsense/blob/65db20674d716208e340b96471ff98d1bb0c957b/src/etc/inc/captiveportal.inc#L1068 - the function captiveportal_prune_old_automac().

          Check out the main foreach loop on line 1076 (2019-11-28).
          There are 3 "if" blocks.
          The first one, the test where 'logintype' is not "voucher", handles all MACs manually added by the admin; they should be kept in place - not pruned. This part is ok.
          The second if: this part handles the case where the voucher is used again using another device (another MAC). This part is ok.
          It's the third if block. The MAC is removed if the time has expired ..... that's dead wrong.
          There is no need to test for expired vouchers here, using the function voucher_auth(). That's already being taken care of in the caller function, the main captiveportal_prune_old().

          Consider this : MAC entries on the Services > Captive Portal > [ZONE] > MACs page that are auto added using the " Pass-through MAC Auto Entry - Enable Pass-through MAC automatic additions" setting should NOT be pruned from the MAC list when they are expired.

          The (my) solution is easy :

          Comment out this block of code :

          			if (voucher_auth($emac['username']) <= 0) {
          				$pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
          				if ($pipeno) {
          					captiveportal_free_dn_ruleno($pipeno);
          					$macrules .= "table {$cpzone}_pipe_mac delete any,{$emac['mac']}\n";
          					$macrules .= "table {$cpzone}_pipe_mac delete {$emac['mac']},any\n";
          					$macrules .= "pipe delete {$pipeno}\n";
          					++$pipeno;
          					$macrules .= "pipe delete {$pipeno}\n";
          				}
          				$writecfg = true;
          				captiveportal_logportalauth($emac['username'], $emac['mac'],
          				    $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION");
          				unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]);
          			}
          

          like this :

          /* commented out			
          			if (voucher_auth($emac['username']) <= 0) {
          				$pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
          				if ($pipeno) {
          					captiveportal_free_dn_ruleno($pipeno);
          					$macrules .= "table {$cpzone}_pipe_mac delete any,{$emac['mac']}\n";
          					$macrules .= "table {$cpzone}_pipe_mac delete {$emac['mac']},any\n";
          					$macrules .= "pipe delete {$pipeno}\n";
          					++$pipeno;
          					$macrules .= "pipe delete {$pipeno}\n";
          				}
          				$writecfg = true;
          				captiveportal_logportalauth($emac['username'], $emac['mac'],
          				    $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION");
          				unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]);
          			}
          end commented out */
          
          

          I tested this. It works now, Auto added MAC (when logged in) stay in place.
          No matter if it concerns vouchers or classic user/password logins.

          edit : @free4, if you have 5 minutes, can you check my reasoning? I know you know your way around in /etc/inc/captiveportal.inc very well.

            Johan35

            Hello Gertjan,

            Thanks for your help.
            Regarding your process, it's totally logical and your proposal works like a charm. I don't see any "lateral" effects on my TEST Portal.
            So you are a chief and you saved my day!

            Finally, I will test this code tonight on the PROD portal (after working hours):

            if (voucher_auth($emac['username']) <= 0) {
            				/* Not removing MAC ADDRESS
            				$pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
            				if ($pipeno) {
            					captiveportal_free_dn_ruleno($pipeno);
            					$macrules .= "table {$cpzone}_pipe_mac delete any,{$emac['mac']}\n";
            					$macrules .= "table {$cpzone}_pipe_mac delete {$emac['mac']},any\n";
            					$macrules .= "pipe delete {$pipeno}\n";
            					++$pipeno;
            					$macrules .= "pipe delete {$pipeno}\n";
            				}
            				$writecfg = true; 
            				end commented out */
            				captiveportal_logportalauth($emac['username'], $emac['mac'],
            				    $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION");
            				unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]);
            			}
            

            As I'm not totally sure what happens with unset, I left it in and will test.

            Anyway, it was a great help, thanks for all !
            I will report it as a bug .

            Johan

              Gertjan @Johan35

              @Johan35 said in Captive Portal + Voucher not keeping auto-added "Pass-through MAC Auto Entry":

              As I'm not totally sure what happens with unset

              Comment out as I did : the entire "if" block.
              Not some part of it.

              The unset will destroy the in-memory config (xml), and when it is written out to disk later on by some other config update, your auto-added MAC will get removed from the list.

                viktor_g Netgate

                See https://redmine.pfsense.org/issues/9933
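
The three variants discussed in this thread (the stock expiry check, Johan35's partial comment-out that keeps the unset, and Gertjan's full comment-out), as an added example that is not part of any post and is not pfSense code. It is a simplified PHP model; prune_automac(), voucher_minutes_left() and the sample MAC entries are hypothetical stand-ins.

```php
<?php
// Simplified model of the prune loop discussed in this thread. NOT pfSense code:
// prune_automac(), voucher_minutes_left() and the sample data are hypothetical.

// Stand-in for voucher_auth(): minutes left on a voucher, <= 0 once expired.
function voucher_minutes_left(string $voucher, array $remaining): int {
    return $remaining[$voucher] ?? 0;
}

// $variant: 'original' (stock third if block), 'partial' (pipe cleanup
// commented out, unset kept), 'full' (entire third if block commented out).
function prune_automac(array $passthrumac, array $remaining, string $variant): array {
    foreach ($passthrumac as $eid => $emac) {
        // First if: entries not created by a voucher login are never pruned.
        if (($emac['logintype'] ?? '') !== 'voucher') {
            continue;
        }
        // Second if (voucher reused from another device) is omitted here.
        // Third if: the expiry test under discussion.
        if ($variant !== 'full' && voucher_minutes_left($emac['username'], $remaining) <= 0) {
            // 'original' also frees the dummynet pipes at this point; 'partial'
            // skips that, but both still drop the entry from the config array.
            unset($passthrumac[$eid]);
        }
    }
    return array_values($passthrumac);
}

// Constructed sample data: one admin-added MAC, one expired and one live voucher.
$macs = [
    ['mac' => '00:11:22:33:44:55', 'descr' => 'added by admin'],
    ['mac' => '66:77:88:99:aa:bb', 'logintype' => 'voucher', 'username' => 'VOUCHER-A'],
    ['mac' => 'cc:dd:ee:ff:00:11', 'logintype' => 'voucher', 'username' => 'VOUCHER-B'],
];
$remaining = ['VOUCHER-A' => 0, 'VOUCHER-B' => 3];

foreach (['original', 'partial', 'full'] as $variant) {
    $kept = array_column(prune_automac($macs, $remaining, $variant), 'mac');
    printf("%-8s keeps %d: %s\n", $variant, count($kept), implode(', ', $kept));
}
```

Only the 'full' variant keeps the MAC of the expired voucher; the 'partial' variant loses it exactly like the stock code, because the unset still runs.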

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.