Netgate Discussion Forum

    CAPTIVE PORTAL ACCESS CONTROL

    18 Posts 3 Posters 8.1k Views
      Bonline

      Hello everybody

      We have a project on our networks (managed by pfSense CP with RADIUS auth)

      to implement "free airing" periods.

      Let me explain (and sorry for my poor English).

      On the CP page, we have a function that turns off access control (over RADIUS here).
      Would it be possible to cron something that turns access control off / on on the CP page?

      Like this we could implement 1-2 hours every day of promotional free airing of our services…

      It would be nice to implement a schedule on the CP in the next versions.

      By the way, does someone know how to put more than "2" RADIUS servers for auth requests in the CP conf?

      Indeed, this possibility is quite a bit better for offering roaming auth features to roaming customers.

      best regards
      and thank you for helping me
      florian

        Nachtfalke

        Hi,

        I don't know of any feature to disable CP for certain periods of time.

        But you could publish a username/password combination on the CP page and write that this user has free access between 10 and 11 o'clock.
        You can restrict the access for this user on freeradius and just allow access for this user at predefined times.

        Another possibility with CP, when using pfSense 2.1, could be to create different CP zones and then allow access from this VLAN/CP zone with firewall rules and schedules.

          Bonline

          hi

          thanks for replying

          Yes, my idea was to use curl to emulate a login and a "post" to modify the CP conf via cron.

          The thing with the RADIUS IDs is a good idea; unfortunately, this method is not so professional on one hand, and not so "comprehensible" to newbie users…

          I will study the idea with the RADIUS credentials.

          Any other proposals?

            Bonline

            hi

            I studied the case; it's possible via RADIUS without problems.

            The problem is really that these public credentials can be "called" on all our extra services, like password restoring via SMS, customer area…
            and it would need a lot of programming to exclude these credentials from all these services, which can be used by users in a not good way.. like changing the public password...

            lol

            Any other idea? I think the best way is curl; we already do this to take backups from the backup page in pf.

              clart

              I have something similar to the "free airing" period, a "happy hour", on my system.
              This is how to implement it:

              1. Create a username and password with no expiry.
                e.g. username="free", password="q1w2e3r4"
                This will be used to log in during the free period.

              2. Clone your login page, replace the input fields with hidden ones and put in the username and password from 1).
                e.g.

              3. Obfuscate your HTML page so nobody can view source to see the username and password;
                go to: http://www.obfuscatorjavascript.com, put in the HTML code, obfuscate, copy the obfuscated code.

              4. Go to the shell in pfSense. cd /var/etc. mkdir cp. cd cp
                Create a new file "page-obs", insert, paste your obfuscated code, save the file.
                cp ../captiveportal_zonename.html page-std
                (replace "zonename" with the name you have given to the CP zone in setup)
                Now you have 2 files in directory /var/etc/cp: "page-obs" and "page-std"

              5. pfSense sends the contents of file /var/etc/captiveportal_zonename.html to CP clients for login.
                You need to switch this file's contents for the time you want the "free airing".
                Therefore, make 2 scripts in /usr/local/etc: "freeair.sh" and "notfree.sh"
                freeair.sh: cp /var/etc/cp/page-obs /var/etc/captiveportal_zonename.html
                notfree.sh: cp /var/etc/cp/page-std /var/etc/captiveportal_zonename.html

              6. Put in cron:
                when to start freetime : /usr/local/etc/freeair.sh
                when to finish freetime : /usr/local/etc/notfree.sh

              The portal login page will be switched automatically at the times you have scheduled in cron.

              Hope that helps.

              I am interested to know how to use curl to take backups from the pf backup page.
              Please can you provide the instructions on how to implement it.
              Thank you.

                Bonline

                ENJOY :)

                #!/bin/bash

                # BECHASEL PFBACKUP_PULL

                # Prepare the ground to retrieve the auth cookie from the BAS

                # Fetch the cookie with wget

                wget -qO/dev/null --keep-session-cookies --save-cookies cookies.txt  --post-data 'login=Login&usernamefld=backup_agent&passwordfld=knable1987'  --no-check-certificate https://node-XXX.inf.bechasel.bwan:9999/diag_backup.php

                # The SSL certificate alert is disabled ... (--no-check-certificate)

                # Go back, this time resuming the session, and send the order to download the conf

                # The backup of all the in-memory stats is taken as well

                wget --keep-session-cookies --load-cookies cookies.txt  --post-data 'Submit=download&donotbackuprrd=0' https://node-XXX.inf.bechasel.bwan:9999/diag_backup.php  --no-check-certificate -O "BACKUP-XXXXSERVERIDXXXXX-$(date +%Y%m%d%H%M%S).xml"

                # WE WRITE OUR FILE AND PRINT THE RETRIEVAL DATE

                # END

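A hardened variant of the backup pull above, as an added example that is not part of the original post: it keeps certificate verification on, keeps the password out of the process list, and rejects a download that turns out to be a login page instead of a config export. The function names, the CA-bundle argument and the `<pfsense>` root-element check are assumptions; the form fields and `diag_backup.php` are the ones used in the post.

```shell
#!/bin/sh
# Added example, not Bonline's script. Function names and the CA-bundle
# argument are assumptions; form fields and diag_backup.php are from the post.
umask 077   # login body, cookie jar and backup are created owner-only

# Write the login form body to a file so the password never appears in the
# process list. $1 = user, $2 = password (URL-safe characters assumed), $3 = file
write_login_body() {
    printf 'login=Login&usernamefld=%s&passwordfld=%s' "$1" "$2" > "$3"
}

# True only if $1 looks like a config export and not an HTML login or error
# page. Assumption: the export's root element is <pfsense>.
looks_like_pfsense_config() {
    [ -s "$1" ] || return 1
    head -c 2048 "$1" | grep -qi '<html' && return 1
    head -c 2048 "$1" | grep -q '<pfsense'
}

# $1 = base URL, $2 = CA bundle that signed the firewall certificate,
# $3 = login body file, $4 = output file. Certificate checking stays on.
pull_backup() {
    jar=$(mktemp "${TMPDIR:-/tmp}/pfjar.XXXXXX") || return 1
    wget -q -O /dev/null --ca-certificate="$2" --keep-session-cookies \
         --save-cookies "$jar" --post-file="$3" "$1/diag_backup.php" &&
    wget -q -O "$4" --ca-certificate="$2" --load-cookies "$jar" \
         --post-data 'Submit=download&donotbackuprrd=0' "$1/diag_backup.php"
    rc=$?
    rm -f "$jar"
    [ "$rc" -eq 0 ] && looks_like_pfsense_config "$4"
}

# Offline demonstration on constructed samples (no firewall is contacted).
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/pfdemo.XXXXXX")
trap 'rm -rf "$demo_dir"' EXIT
printf '<?xml version="1.0"?>\n<pfsense>\n<version>0</version>\n</pfsense>\n' \
    > "$demo_dir/good.xml"
printf '<html><body><form><input name="usernamefld"></form></body></html>\n' \
    > "$demo_dir/login.xml"
for f in good.xml login.xml; do
    if looks_like_pfsense_config "$demo_dir/$f"; then
        echo "$f: accepted as config export"
    else
        echo "$f: rejected, not a config export"
    fi
done
```

From cron, call `pull_backup` with the firewall's base URL and treat a non-zero exit status as a failed backup.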
                  Bonline

                  I looked at your solution …

                  but:

                  do your CP zone switches reload the CP???

                  I don't think so ... that is a real problem, I'm not sure the free user will be kicked!?

                  lol

                  The best way would really be to have a cmd to turn the CP on / off ... or do this with a remote "form procedure".

                  Do you know those on/off commands?

                  There are cmds for log rotate of squid..

                  I can't believe there is not one for CP on/off??

                    clart

                    Even if you stop the CP (from GUI) it does not kick the users.

                    I call /sbin/reboot after notfree.sh to reboot the system.
                    This is the only way I found to reliably kick all users and restart CP.
                    My system takes just 2 mins and it's back online.

                    There must be a better way to do it but have not found it yet.

                    You could write a script to call functions in /etc/inc/captiveportal.inc
                    There is a "reinit" function in there, it needs the right variables passing/setup.
                    Maybe someone can get or already got this to work?

                      Bonline

                      The only thing that kicks users is a CP change,

                      so re-saving an on/off authentication on the CP will kick the users.

                      That's what I'm trying via script.

                      I want to use the existing forms via script.

                        clart

                        I tried it with curl but get: CSRF check failed.

                        What does "you want to use the existing forms via script" mean, which forms?
                        Can you show your script to do the CP change?

                          Bonline

                          CP changes => make a reload that kicks everyone!

                          => reauth.

                          What I want to do is (via script) emulate a change (on/off) on the CP GUI.

                          What I sent you about the backup

                          IS an emulation: the script logs in, goes to the backup page, and makes a post/get (I can't remember) on the page form
                          (like a human would do).

                          I want to do the same:

                          log in from remote, go to the CP form, turn authentication on/off, post (and the CP will reload and kick everyone like with a "human change")
                          a) are we in happy hour? => transparent, all users continue to surf, new ones come and take the happy hour
                          b) are we no longer in happy hour? => the CP page comes back, and genuine users log in.
                            ==> Better: genuine users realise that their subscription is useful => they are now exclusive again and realise it (on CP return)

                          Rebooting the GW is not a reliable way.

                          I reboot my PF machines every 3 months, and I'm always afraid every time I remote reboot a GW

                          (less than when we were on 1.2); a reboot introduces a network death of 2/3 minutes, sometimes more.
                          This is not acceptable, especially for a happy hour switch.

                          On the other hand, it is very important to do "this reload" from the CP, because of RADIUS, especially if you do things like me:

                          • reauth every minute
                          • interim update
                          • uid/pwd in combination with MAC check (we do "support rights", which means the user login rights are valid for declared cards, "support of the login right")
                            (like a TV smart card) => container of the rights

                          and: simultaneous session control

                          It would be a real piece of shit if the GW restarted many times with RADIUS instances already booked.

                          It would bring the shit into the RADIUS processes (concurrent logins and so on..)

                            Bonline

                            And I would not sleep anymore if I knew that all my CP GWs were allowed to reboot 2 or 3 times a day, with no guarantee
                            that they are fine every time they reboot..

                            lol, I would have nightmares!! lol

                            The CP GW greets the LAN! This is very important to me.

                            It's not like when a web server dies
                            or … a line dies ... in the load balance ... .... when the CP GW dies, users have no more DHCP, nothing ..
                            the LAN dies...

                            Our local infrastructures:

                            LAN A            LAN B            LAN C          LAN IS WIRELESS OR WIRE
                              §                §                §            UP TO 10 FLOORS
                              §                §                §            EVERY LAN DESERVE ONE FLOOR (10-15 users)
                              §                §                §
                              1G               1G               1G
                            ------------------------------------------------------
                            NAS  /  DHCP  (CP)               pfsense
                            ------------------------------------------------------
                                               §
                                               §
                                               §  10G
                                               §
                                               §
                            ------------------------------------------------------
                            LOAD BALANCER                    pfsense
                            ------------------------------------------------------

                            X  OPTIC FIBER CARDS

                            ------------------------------------------------------
                            TRANSIT          VPN TO CORE NETWORK
                            ------------------------------------------------------
                            LNS  IN PARIS

                            we do this in every real-estate for students we have

                              clart

                              What version are you running?

                              I'm on a 2.1 snapshot and ran these tests:

                              While a CP user is connected and streaming video, I make changes in the GUI to the CP:
                              enable/disable, change auth from/to none->local->radius, and each time save and restart the CP service.

                              None of this kicks the user; the user is still connected and watching the video stream.

                              The only way I found to kick a user is to go to GUI - Status: Captive portal and click disconnect on the selected user.
                              This needs to be done for each connected user - no good if there are many users to kick.

                                Bonline

                                Do not do that with caching content (video).

                                Start a download … huge..

                                A download is normally kicked.

                                I have noticed the kicking since 1.2
                                (when you re-save the conf of the CP),

                                every time.

                                You can see it: when you re-save => the user is no more in status > CP

                                  clart

                                  It does not work for me;

                                  I tried with a CP user downloading; when the CP settings are changed/saved the download is interrupted, but the user can resume and still browse the Internet.

                                  I set up another CP user watching live CCTV video and he does not get kicked; the video is still showing and there is no cache because it's a live stream.

                                  I even disabled the CP and still both users are connected, have access to the Internet and can still browse. I set them both streaming live CCTV video and looked at the traffic graph.

                                  image1 shows no users in CP after change/save settings and then disable.

                                  image2 shows the traffic graph after 30 mins: users still connected, both watching live CCTV video and using up the bandwidth. CP shows no users.

                                  Once I reboot pfSense, both users' live CCTV video stops immediately.
                                  After the reboot, once pfSense is ready, both users get the CP login screen.

                                  pfSense needs a reliable method to kill sessions and kick users properly.

                                  image1.png
                                  image2.png

                                    Bonline

                                    That's normal.

                                    Streaming acts like download resuming:

                                    if a call is dropped due to the kick,

                                    the player will call again and will be "granted",

                                    so the stream goes on..

                                    I don't know what you do with your zones (I don't even know where you configure that).

                                    I would rather enable CP on "interfaces".

                                    Let me show you a working conf.

                                    01.png
                                    02.png
                                    03.png
                                    04.png
                                    05.png

                                      Bonline

                                      Here you can see:

                                      one time we had to re-save the conf page of the CP

                                      and the traffic suddenly died;

                                      all users had to reauthenticate

                                      and then the traffic grew again.

                                      001.png
                                      002.png

                                        clart

                                        I see we have different versions and configs.

                                        I am running pfSense 2.1-BETA1 snapshot - this has the CP "zone" feature.
                                        Also, I have authentication set to "Local User Manager / Vouchers".

                                        Thank you for showing your working config of radius authentication.

                                        I have radius package installed and so will set it up the same and see the result.
