Pin code login



  • Hey all,

    I recently switched from coovap to pfSense and am very happy overall.  However, there is one minor (well, not-so-minor) difficulty I am experiencing with the the html code for the CP login, to whit:

    There are two ways in which our freeradius validates users against a mysql database, user/pass (for prepaid cards) and a pin code which is generated by our daloRadius setup for users who self-provision using credit/debit/paypal – this worked perfectly under coovap - all a user had to do was to type in his/her pin code in the user name field but leave password blank for self-provisioned login.  However under pfSense the pincode login isn't working.  With a pin code, the freeradius server isn't even consulted.  An "Invalid Credentials" screen comes back immediately without even having checked with our freeradius machine (I verified this by running freeradius -X on our freeradius machine while trying to use a pincode).  In fact, even having created a login page with a special box for pin code logins, the behavior is the same.  Below is the pasted login code on the html page for handling pincode logins:
    **"…Paypal/Debit/Credit Card Login:

    <center>Please Enter Pin Code Here
    </center>**

    <center>..."

    What has me thinking this is a pfSense issue (or at least that pfSense is the place to start looking) is the fact that when a pincode is used, freeradius isn't even consulted.  It just never even checks.

    Any insights would be greatly valued and appreciated.</center>



  • Seems to me there are two components to what you want to do:
    1. Browser (client) side: get PIN code from user and send to server
    2. Server side: retrieve PIN code from user response and act on it (send to radius, decode response etc).

    I haven't looked at the captive portal login handling recently but it seems to me you have provided evidence of the first component but not the second.



  • Perhaps I was unclear.

    The form works IF I am using a username/password combination.  If, however, I am trying to use a pin code, the radius server is not even consulted in the transaction – pfSense responds immediately with an invalid credentials message.  I have verified this by watching the radius debugging output.



  • @islandwifibill:

    Perhaps I was unclear.

    The form works IF I am using a username/password combination.

    I must have been unclear also.

    @islandwifibill:

    If, however, I am trying to use a pin code, the radius server is not even consulted in the transaction – pfSense responds immediately with an invalid credentials message.  I have verified this by watching the radius debugging output.

    The last time I looked at the pfSense captive portal login page (probably about a year ago) it had code to act on a browser supplied Voucher code or a browser supplied username and pasword. I don't recall it having code to act on a browser supplied PIN code but that might be because I wasn't interested in PIN code authentication at that time. Where is the code to act on a user supplied PIN code - is it in pfSense? did you provide it? If it is not in pfSense and you didn't provide it then "missing code" is the explanation for the PIN code not getting to the radius server.

    I SUSPECT the "invalid credentials" message is because the pfSense Captive Portal login page hasn't been given a voucher code or username and password pair, that is, it hasn't been modified to accept:

    • Voucher code; or

    • username and password pair; or

    • PIN code

    I have reread your posts a couple of times. Maybe you are wanting pfSense to send the PIN code to RADIUS as a usename and send a null password. If so, you might need to tweak the pfSense captive portal login page to accept a username without a password. Also, the HTML snippet you provided doesn't send the PIN code as username to server in the form expected by  pfSense:```

    <center>Please Enter Pin Code Here
    </center>

    probably needs to be something like

    <center>Please Enter Pin Code Here
    </center>

    or even

    <center>Please Enter Pin Code Here
    </center>



  • Maybe my use of "pin code" is causing some confusion here, so I'll try to clear things up  :)

    I have an external radius server, as you may gather.  That radius server checks a mysql database which contains accounts – some of those accounts are set up as user/pass, some are set up as pin codes, or vouchers, or what ever it is one may wish to call them.  It all boils down to one thing, namely, that if a valid 8 character combination is sent which matches one of these 8 character user names, a password is not required.  That's simply a construct of my php setup and mysql database interaction, and it exists completely outside of pfSense's world.  pfSense is simply told to check the radius server at IP so-and-so, and to act on an Access-Accept or Access-Reject response.  This works when the user/pass combo is used, but not when the pin code is entered as the username without a password.  Moreover, it doesn't seem to work even with a seperate form that doesn't ask for a password  (forgive me, I tend to start stuffing the wrong information into run-on sentences at times, and it creates havoc, lol).

    I have tried the "auth_pass" both with and without a null, hidden password field.  But your response does give me a few ideas for troubleshooting, and I thank you for taking the time :)



  • As far as I know pfsense captive portal does not allow an username without password.
    So if you leave the passwod field empty this causes a problem. But I am not 100% sure.

    http://redmine.pfsense.org/issues/2377



  • @Nachtfalke:

    As far as I know pfsense captive portal does not allow an username without password.
    So if you leave the passwod field empty this causes a problem. But I am not 100% sure.

    http://redmine.pfsense.org/issues/2377

    Ok, that fixed it.  Next time you're in Galveston, look me up.  I owe you a beer.  ;D



  • How about adding some javascript to the auth form so that the password field on not 'empty' to begin with?

    What I though was, pre-populate the 'password' field with, say, a few spaces so it looks blank, then use a javascript OnClick() or OnSelect() - or whatever it is - function so that if the user selects the field to enter a proper password the spaces are removed.

    i.e.
    "username" [ Tab / click ] "password" [ Enter / click ] –->>  "username"/"password" > {radius}
    "pin" [ Enter / click ] –->> "pin"/"    " > {radius}


Locked