Captive portal with "access code"
-
I'm working on configuring a captive portal where Authentication Method is currently set to none. I would like to add a text box/field to the login form where the user enters an "access code". I have customized the login page html, and I'm looking into modifying index.php, to possibly add an option for authentication "none", and comparing what's entered in the "access code" text field, before allowing access. Ideally, the captive portal itself would be modified to allow entering/saving the "access code" value in the web gui settings, but I'm OK with periodically updating it directly in index.php, etc.
I have looked over Username Only Captive Portal, Show a username without Authentication, etc., but haven't gotten very far.
Any suggestions for implementing this, perhaps using a different Authentication Method...? Thank you!
-
@regexaurus
An access code is effectively an authentication to use the Captive Portal. You could create an authenticated Captive Portal and use a multiple login option. Then create a user (e.g. Enter_Access_Code) and your "access code" is their password. You could have the user name default (set in custom html) or you could provide it through the login screen itself. To change access code, simply change the password in user manager. Set the hard timeout to the duration you want the session valid for. If using Kea DHCP in particular, watch the idle timeout does not exceed the lease duration.
Alternatively, you could create a voucher. This would get rid of the username field. The voucher would respect the "multiple" setting so one voucher would last until the relative timeout values closed it. Then the next voucher is your next access code.
I hope this gets the creative juices flowing.
-
No need to change any 'core' pfSense file like index.php
Create as many portal users as you need, where the user name is the "Access Code".
For all these users, enter the same password, for example the foolproof "1234".
Now, create your own portal login page. For example:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html lang="fr-FR">
<head>
  <title>Blablablabla</title>
  <meta name="viewport" content="width=device-width, user-scalable=no" />
</head>
<body>
<div id="content">
  <div class="login-card" style="text-align:center; margin:0 auto;">
    <form method="post" action="$PORTAL_ACTION$">
      <p>hello, welcome to our captive portal from</p>
      <a href="http://www.some-domain-here.tld/" ><img src="captiveportal-nvxx-logo.png" width="200%" alt="Your Alt Logo text" ></a>
      <p>First, start reading our usage rules.</p>
      <p>Here it is : <a href="THE-RULES.pdf?zone=$PORTAL_ZONE$">the usage rules</a><br />
      (Click on the link !).</p>
      <hr>
      <p>Ready to access the net ?</p>
      <div class="auth_source">
        <input name="auth_user" id="auth_user" type="text" size="12" maxlength="10" value="#USERNAME#" placeholder="Your access code"/>
        <input name="auth_pass" type="hidden" value="1234" />
      </div>
      <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$" />
      <input name="zone" type="hidden" value="$PORTAL_ZONE$" />
      <p><input name='accept' type='submit' class='login login-submit' value='Go to the net' /></p>
      <?php
      global $config, $cpzone;
      if(isset($config['voucher'][$cpzone]['enable'])) { ?>
      <p><input name="auth_voucher" type="text" value="#VOUCHER#"/></p>
      <?php } ?>
    </form>
  </div>
</div>
</body>
</html>
the magic is here :
<input name="auth_pass" type="hidden" value="1234" />
where the field name "auth_pass" is set to "1234" - the user won't see it / doesn't have to enter it.
and done ^^
-
Thank you, @EDaleH and @Gertjan! I went with the "username as 'access code'" idea, which is working well. And with "usermod -l newlogin oldlogin" cron jobs, I can automatically change the "access code" on a schedule. As pfSense usernames are case-sensitive, I used a CSS text-transform property to visually force the case I'm using for "access codes", and in index.php, added a
$user = strtolower/upper($user);
call, directly below
$user = trim($_POST['auth_user']);
Trying to make it difficult to enter an incorrect "access code".
-
I do the same thing since ... not sure, for nearly a decade now.
I 'strtolower()' the user and password field, as more and more people use only uppercase in whatever they write (not sure why ...). When the patch package became available, I wrote my own 'patch' so, when the system updates, chances are great that the patch still applies, and I don't need to manually edit anything.
-
@Gertjan
Since my last post on this topic, I discovered "usermod -l newlogin oldlogin" doesn't work on pfSense (cli). Is there a way to change a username from the cli? Thank you!
-
This usermod ?
You have to re-polish your definition of pfSense
pfSense maintains a (one !) system wide config. Nearly everything you see in the GUI is stored in this file.
When the system boots, every system or process config file, for example the "GUI nginx web server" config file ( here : /var/etc/nginx-webConfigurator.conf ) is re-created with the GUI settings.
Then the process (nginx) is started, and the GUI becomes active. The same thing is valid for system users. As you can see, under /home/, every portal user actually has a (limited) system account there.
If you want to change, delete or add a user, use the GUI.
Everything you do with the command line will not be persistent, not taken into account, and undone when the related process restarts. 'Real' CLI commands are still possible, but you need to script things.
For example, for adding or modifying a user, see how the GUI does it. Knowing that, you know how to write your own script.
It could be as simple as modifying the pfSense config.xml file, and then restart related processes.
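Following the last post's suggestion to script the change against config.xml, this added example (not code from the thread or from pfSense) generates a new access code and renames the matching user entry. Because the login page submits a fixed, visible password, the code itself is the only secret, so it is drawn from a CSPRNG. The XML fragment and its element layout are constructed assumptions, and writing the result back and restarting the related processes on a real system is not shown.

```php
<?php
// Added example, not from the thread. Works on a CONSTRUCTED fragment; the
// <pfsense><system><user><name> layout is an assumption about config.xml.

// One case only and no look-alikes (0/o, 1/l/i), so lower-casing the login
// field can never turn one valid code into another.
const CODE_ALPHABET = 'abcdefghjkmnpqrstuvwxyz23456789';

function new_access_code(int $len = 10): string {   // 10 = maxlength of auth_user
    $code = '';
    for ($i = 0; $i < $len; $i++) {
        // random_int() is PHP's CSPRNG-backed integer source
        $code .= CODE_ALPHABET[random_int(0, strlen(CODE_ALPHABET) - 1)];
    }
    return $code;
}

function rename_portal_user(DOMDocument $doc, string $old, string $new): void {
    if (!preg_match('/\A[a-z0-9]{1,10}\z/', $new)) {
        throw new InvalidArgumentException('code must be 1-10 chars of a-z, 0-9');
    }
    $target = null;
    foreach ((new DOMXPath($doc))->query('/pfsense/system/user/name') as $name) {
        if ($name->nodeValue === $new) {
            throw new RuntimeException("user name '$new' is already taken");
        }
        if ($name->nodeValue === $old) {
            $target = $name;
        }
    }
    if ($target === null) {
        throw new RuntimeException("user name '$old' not found");
    }
    $target->nodeValue = $new;   // only <name> changes; uid and scope stay
}

// Constructed sample, not a real configuration.
$doc = new DOMDocument();
$doc->loadXML('<pfsense><system>'
    . '<user><name>admin</name><scope>system</scope><uid>0</uid></user>'
    . '<user><name>spring2024</name><scope>user</scope><uid>2000</uid></user>'
    . '</system></pfsense>');

$code = new_access_code();
rename_portal_user($doc, 'spring2024', $code);
echo "new access code: $code\n", $doc->saveXML();
```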