CP - show number of concurrent users

  • This is probably a dumb question…..

    We use pfsense and captive portal to control access to a guest wireless network. We have a password which changes weekly.

    In the dashboard, it shows the IP, MAC, username and session start for each user. Is this the actual number of authenticated users who've given the proper password, or every user who got to the captive portal page?

    Is there a way to know the number of users who didn't enter the correct password or who didn't bother to enter any password (think iphone that connects to the wireless network but the end user never takes the phone out of their pocket)?

    This is in a school, it's supposed to be used by substitute teachers, guest lecturers, etc... We're pretty certain that teachers are giving the password to students, which is why we have 750 people logged in every day instead of the 20-30 we expected. We want to compare what we see in the wireless controller to what's in the pfsense captive portal page.

  • you may use the voucher feature in order to control the user and to control the time of connectivity.

  • Hi jjeff1,

    when you go to DIAGNOSTICS –> CaptivePortal you can see the users which are connected. You see the start time when the first successfull authentication was made by the user and you can see a column which shows you the last activity of this user. If a user turn off its computer the this MAC address is still authenticated on CP. It will first disconnect after idle or hard timeout.

    I recognized some problems with idle/hard timeout on my CP. It does not work and I can see users still authenticated even if their last activity was days ago. So you could check this first to make sure if you really have 750 concurrent connections or if it consists old ones. (Restarting CP will kick all connected/authenticated users).

    If a user enters a wrong password can be seen on DIAGNOSTICS --> System Logs --> Portal auth. There you can see all successfull and wrong authentication attempts.

    I would suggest you some other things or possibilities:
    Give every teacher its own username/password to find out what teacher gives out its credentials. Further disable "allow concurrent connection". This will make sure that only the last recent user will be authenticated so only one connection per username/password is possible. The teacher will contact you if he will be kicked always because a student connects with its iphone.

    Another possibility could be to use vouchers. Create vouchers for 1 week and disable "allow concurrent connections" on CP. Every teacher will get his own voucher so if one teacher gives out his voucher to students then only on concurrent connection is possible and you can find out what teacher hands out his credentials.

    The third possibility could be to install freeradius2 package on pfsense and connect CP with freeradius2. Then create username/password and if you don't want to give every teacher his own credentials then freeradius2 offers you the possibility to set a number of concurrent connections for this username. So if you have 20 teachers then set this numer to 20 and you will make sure that not more than 20 students can use these credentials concurrently. This will unfortunately not tell you the teacher who gives the credentials out.
    Hint: If you are using the simultaneous connections option of freeradius2 then you need to disable the option on CP of course.

    Another possibility to stop iphones and so on could be to use squid and block the user agent of these devices. Every browser uses its own user agent string. So if you are using IE and your computers and firefox then just allow these user agents or check out what user agent the safari browser on iphone users and then block this user agent.

    This could be an custom setting on squid to block Internet Explorer 8:

    ##### Create the ACL which blocks user agent of Internet Explorer 8 with ACL name "block_internet_explorer"
    acl block_internet_explorer browser MSIE 8.;
    ## deny web access for the ACL "block_internet_explorer"
    # http_access deny block_internet_explorer;

Log in to reply