Option to authenticate CP via vouchers is missing
-
I am trying to set up a CP on my pfSense 2.4.4-p3. While setting up the CP, I have enabled the use of vouchers on the vouchers tab, and have created a roll of vouchers. However, when I go back to edit the CP settings, there is no option available to use vouchers to authenticate. The only choice I have is local authentication (see screenshot below). How can I get pfSense to use vouchers instead?
-
@pfguy2018 are you using a custom captive portal login page?
If yes, could you revert to original login page and try again?
-
Nope, just the default page. Anything else I can try?
-
@pfguy2018 yeah...could you ensure that "enable vouchers" is checked on the voucher page?
There should be an option for using vouchers on the login page as soon as you enabled vouchers in the voucher page
-
Yep, enable vouchers is checked on the voucher page, and I have created a roll of vouchers. And saved again for good measure. But when I return to the configuration tab, there is still no option to use vouchers for authentication (see screenshot posted earlier).
-
@pfguy2018 yes, this is normal
Once you enabled on the voucher page, there is nothing to do on the configuration page. Vouchers login will be enabled as soon as you checked the checkbox.
Could you go to the captive portal login page and check if you can login using vouchers ?
-
Tried - it never reached the captive portal, just times out eventually. And unable to connect to internet.
-
@pfguy2018 hum...you probably have other issues. You should fix tout internet connection before actually enabling the captive portal
-
There are no problems with my internet connection. What I meant was that when attempting to connect to the guest network where the CP should be (but is not showing up), the device cannot connect to the internet (presumably because it has not authenticated itself yet, which is because pfSense doesn't seem to allow me to use voucher authentication!)
-
The only issue seems to be that the option for using vouchers as the authentication method is not showing up where expected (on the configuration tab). That is what I am trying to solve.
-
@pfguy2018 i will make a more detailed reponse in few hours (i'm on my phone now...hard to make a long response) but in short :
- on the GUI, Vouchers is not supposed to appear on the list in the configuration page.
- you should be able to reach the captive portal login page(no matter which method you are using for login, you should still be able to reach the captive portal login page)...the problem seems related to that
- Can you ping the pfsense (the gateway) from your client ?
-
Your response has the key to my solution. I have a firewall rule on the guest network that blocks any traffic to the gateway except for port 53 (to use DNS resolver). This must be stopping access on the CP as well. Is there a particular protocol and port I should allow in the firewall rules to allow CP traffic through?
-
I spoke too soon I think. I created a firewall rule to pass port 80 traffic to the gateway, but the CP still times out. I am stumped.
Also, when I try to save the CP configuration, I cannot save unless I select an authentication method. If vouchers is not one of the choices listed, what am I supposed to click on prior to saving?
-
@pfguy2018 you need to allow :
- port 8002, 8003 (captive portal login page) TCP. If you are having multiple zones, you may have multiple zones, you may allow port 8004, 8005, etc...(2 port to allow per zone)
- port 53 (DNS) TCP/UDP
- port DHCP 67, 68 UDP
- (Optionnal) ICMP, for debugging
-
I created a pass rule, and I can see (from the browser address bar) that traffic is being redirected to the gateway address port 8002 (which I presume is the CP port), but nothing ever loads - the connection times out. I ha
-
Just saw your post. Have created pass rules corresponding to the ports you mention in your posts, but the connection to the CP still times out.
I also changed the authentication method to none, to see if I could take that part out of the equation. Still no connection to the CP.
-
@pfguy2018 said in Option to authenticate CP via vouchers is missing:
. While setting up the CP, I have enabled the use of vou
Does the "login page" gets loaded ?
Inspect the htlm code, and compare it with the page that's beeing used by pfSense.
Check both the login page and the error page - basically,, they are same, the latter only adds a red "$message text" indicating the error.Check you config.xml.
You should find :..... <voucher> <cpzone1> <charset>2345678ABCDEFGHJKLMNPQRSTUVWXYZ</charset> <rollbits>16</rollbits> <ticketbits>10</ticketbits> ...... // snip // **** <descrmsgnoaccess><![CDATA[Voucher invalid]]></descrmsgnoaccess> <descrmsgexpired><![CDATA[Voucher expired]]></descrmsgexpired> <roll> ...... // snip // **** <lastsync>1574929058</lastsync> </roll> <enable></enable> </cpzone1> </voucher> .....Note : "cpzone1" is my captive portal zone name.
There should be this :
<enable></enable>The presence of that line makes the (default) login page and error page show the voucher input box.
See https://github.com/pfsense/pfsense/blob/23328e8d11ea506e5ee25f6fda4ee57bb5e382d4/src/etc/inc/captiveportal.inc#L140 -
Thank you for these instructions. However, I am not at all handy with computer code, so where exactly do I find this code to examine?
-
@pfguy2018 said in Option to authenticate CP via vouchers is missing:
However, I am not at all handy with computer code, so where exactly do I find this code to examine?
As you might know, you can backup the settings of your pfSense.
That's also the main advantage : everything is in one human readable xml file.So, make a backup - see here how to do that :
and have the file opened in your favourite text-editor.
Now look it up using the old system (line by line) or use Ctrl-F ^^
(search for <voucher> ) -
Thank you for this! I am not at home now, but will definitely check this when I return and report in with my findings. Appreciate the assistance.
