Allow anonymous for a time period but only allow one session per day

  • I'm trying to see if pfSense's captive portal would allow me to implement the following kind of configuration:

    1. User gets redirected to a splash page with terms of service
    2. User clicks accept and is connected to the Internet for 30 minutes
    3. After 30 minutes, user is disconnected AND not allowed to reconnect for another 12 hours or until the following day (tracking by MAC address is acceptable to me for this config)

    I can use a combination of the session timeout and the hard timeout to accomplish the disconnect, but has anyone written a script or something that would block the disconnected MAC from being allowed back through the CP for a period of time afterward?

    If not, I'll happily post a bounty to get a feature like this added.

  • You should be able to accomplish this with an external radius accounting server I think.

  • I could, and I already have radius running for other things.  The problem is that I don't want to create user accounts for anyone who wants to use it.  Radius operates on the basis of user accounts, so what I'm trying to do doesn't translate very well.

  • Hm, maybe you could fake the submit button of your splash page to send a hidden user/pass combination automatically? However, this would then always be the same logged-on user. Not sure if there is a radius server that can handle the same user with different accounting per IP or MAC.

  • I thought of that too…it's a common method to use for some CP's that don't support just a splash page with no auth, like Chillispot.  The problem still exists, though, of the radius server not knowing how to disconnect a particular user due to timeout or the fact that user has already used their session for the day.

    It seems to me to be more the responsibility of the software running the CP to say "OK, this particular MAC address has already been online for 30 minutes today...time to disconnect it until tomorrow."  I wonder if one could tie in to the disconnect event of the CP to trigger a rule that would block communication from the disconnected MAC altogether or force redirection to an alternate "you've reached your session limit" page?  Then, a script could run nightly to flush out all of those rules and start fresh for the next day.

    It doesn't seem to be difficult to me, but then again, I'm not a dev.  ;D

    I think I'll post a bounty to see if there are any takers.

  • The easy way I could think of for this: create a new page for the captive portal (index.php). The pseudo will be something like this.

    1. Insert an account in mysql (if you are using freeradius with mysql) to accept the account. Radius will check based on MAC address to reply Accept.
    2. Call radius auth procedure.
    3. Update account status to reject.
    4. Redirect to user page.

    5. Run cron every night to clear out reject acc. * another procedure.

    The problem right now is, I just started playing around with pfSense and freeradius a week ago. I'm still trying to figure out whether the hard timeout can be set by radius or only by pfSense. If only pfSense, then you can set the hard timeout to, let's say, one hour. But all accounts will be disconnected after one hour. Guest accounts cannot re-login but other accounts can re-login. The second one: if the guest user disconnects (even if they still haven't used up the 1 hour) they cannot reconnect until cron clears the account. If you want the user to be able to log in, you need to change no. 3. Maybe using cron also to update the reject status.
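
The policy the posts above are circling (30 minutes online, no fresh session for 12 hours, tracked by MAC, early disconnects not locked out, periodic flush), as an added example that is not code from this thread or from pfSense. It models only the decision logic; `Ledger`, `on_accept`, `blocked` and `flush` are hypothetical names, and hooking the results into the portal's accept and disconnect handling is assumed, not shown.

```python
import re
from dataclasses import dataclass, field

SESSION_SECONDS = 30 * 60        # from the thread: 30 minutes online
LOCKOUT_SECONDS = 12 * 60 * 60   # from the thread: 12 hours before reconnecting


def normalize_mac(mac):
    """Canonical form, so one MAC written three ways is still one ledger entry."""
    digits = mac.lower().translate(str.maketrans("", "", ":-."))
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Ledger:
    """Hypothetical in-memory ledger: MAC -> epoch second the session began.

    The MAC is chosen by the client, so this limits casual reuse only.
    """
    started: dict = field(default_factory=dict)

    def on_accept(self, mac, now):
        """User clicked Accept. Returns (allowed, seconds): time left if
        allowed, otherwise seconds until the lockout ends."""
        mac = normalize_mac(mac)
        start = self.started.get(mac)
        if start is None or now >= start + SESSION_SECONDS + LOCKOUT_SECONDS:
            self.started[mac] = now              # first visit, or lockout served
            return True, SESSION_SECONDS
        session_end = start + SESSION_SECONDS
        if now < session_end:                    # early disconnect: resume, no reset
            return True, session_end - now
        return False, session_end + LOCKOUT_SECONDS - now

    def blocked(self, now):
        """MACs to disconnect and keep off the network at time `now`."""
        return sorted(m for m, s in self.started.items()
                      if 0 <= now - s - SESSION_SECONDS < LOCKOUT_SECONDS)

    def flush(self, now):
        """Periodic (e.g. nightly) cleanup; returns how many entries were dropped."""
        done = [m for m, s in self.started.items()
                if now >= s + SESSION_SECONDS + LOCKOUT_SECONDS]
        for m in done:
            del self.started[m]
        return len(done)
```

Because the session clock starts at the first accept and is never reset by a reconnect, a guest who drops off after ten minutes gets the remaining twenty back, while one who has used the full window is refused until the lockout ends.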

  • Don't forget that you can run PHP on a CP page. Let the user click on create guest account at your CP page and save his MAC address as a passthrough MAC. Now add a script at the backend that removes this MAC again after some given time. Just a suggestion  ;)

  • Good idea too…  I'm hoping for one-click ease, though.  All the user should have to do is open a browser, try to go somewhere, get redirected to the splash, click accept, and arrive at their intended destination.  Something that can do that will aid my project greatly.

  • We also really need this.  If you come up with a viable solution, or want someone to pitch in on a bounty, please let me know.

  • This would be a one click solution.  The initial .htm captive portal page can meta-redirect and/or javascript redirect as a backup to the .php page where the splash page/etc could be displayed.  Granted you're talking about a custom php splash page at this point but it would work.

  • I guess I don't have the technical wherewithal to pull this off by myself.  I'll have to rely on the bounty.

  • I have been modding the captive portal for guest use

    make a portal html file

    blabla bla

    copy the attached file to /usr/local/captiveportal/splash.php


  • Although I haven't tried this yet, the code looks like it's capable of doing what I need, or at least close to that.  A few questions:

    1. This has a dependence on radius, correct?
    2. I didn't spot in the code where someone could specify a time limit and keep that MAC address off the network after their time expired, did I miss it?
    3. The client db is a file on the local system, so this wouldn't be a good idea on a device that uses CF as its storage media?

    1. No, it doesn't; it needs the No authentication mode on the captive portal setup page
    2. Use the times on the captive portal setup page; this will disconnect the guest when the time is gone
      no support for no reconnect, just guest mode
    3. The file was from the normal captive portal
      on embedded, /var is in memory

  • I've tried your add-ons, but I can still reconnect following a timeout.  Is there something I can test to see what is or isn't happening?

  • There is no support for that

    it works with code already in the portal
    I just removed the username and password check

  • I can do that with no modification to the existing code…why did you feel you needed to create a mod?
