Solutions for simple CP user management?

  • I've set up a Wifi AP on a separate Interface with Captive Portal, and so far everything seems to be working fine.

    I wonder though if there's a (more or less) integrated solution to allow "non-tech" users to manage access to the "guests" network. I need to document a 1:1 User/Person -> voucher code/password relationship for legal reasons. It'd be ideal to have a very simple web interface, where the "Captive Portal manager" person can only add users or "reactivate" users when a Voucher or Password has expired (and maybe print out the access data for convenience).

    So far the solutions I can think of are:

    • Vouchers: I guess I'd need to manually store the data (User -> Code relationship) in an Excel table or something similar, which is not very practical and prone to errors

    • pfSense User Management: I'd need to give the "Captive Portal manager" full access to the pfSense user manager, which is a security risk (also, if I got that right, that'd mean that this user could also change the admin password)

    • User Management in FreeRadius installed on pfSense: GUI is a little overwhelming, and it doesn't seem to be possible to give pfSense user groups access to this function (there's no entry in the "privileges" list)

    • User Management in external FreeRadius + daloRADIUS: a nice solution in principle, though the GUI and functionality are overwhelming for "normal" users. Probably too "big" a solution for what I'm trying to do

    Are there other solutions I've not thought of yet? Have any of you guys implemented something similar and have some pointers for me?

  • What about this one:
    Take the voucher file (the CSV file) and import it into a small database program.
    When you print the record, it will be locked (marked) as used - you add the client name and other details.

    Once in a while, the real tech-guy creates a new boatload of vouchers, and imports them into the database.

    Even simpler: print a pile of CSV files full of vouchers - copy them - and when you hand out a voucher-paper (cut out by hand) write on the copy paper the name and other details for recording reasons. You will be needing: a pen, scissors and "no-brain" people who deal with it ;)

    Simpler? I can't imagine … keep in mind you're still handing out "high tech Internet access", so some 'difficult' things must persist :)

  • Well, that's actually what I'm doing now - having an Excel file with the voucher codes, where "normal" users add the name of the recipient. After that, the code is pasted into a Word form I've prepared, and printed out for the convenience of the user. This is still far from an "integrated" solution though, and has many possible points of failure ("normal" user forgets to properly edit or save the Excel file, etc.).

  • @SaschaITM:

    This is still far from an "integrated" solution though, and has many possible points of failure ("normal" user forgets to properly edit or save the Excel file, etc.).

    That's exactly the reason why these users should NOT interact with the firewall.
    A stand alone tool would be better.
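
Added example, not part of any post in this thread: a minimal stand-alone issue log along the lines of the voucher database suggested above, kept off the firewall. It assumes the exported roll has `#` comment lines and one quoted code per line; the sample roll, table layout and function names are constructed for illustration.

```python
import csv, io, sqlite3
from datetime import datetime, timezone

# Constructed sample roll; assumed layout: '#' comment lines, one quoted code per line.
SAMPLE_ROLL = '# Voucher Tickets 1..3 for Roll 1\n" aB3kQ9xZpLm"\n" Rt7yWc2NdHs"\n" Jf5uVe8GbXq"\n'

SCHEMA = """
CREATE TABLE IF NOT EXISTS vouchers (
    code TEXT PRIMARY KEY, roll TEXT NOT NULL,
    issued_to TEXT, issued_by TEXT, issued_at TEXT);
-- Any UPDATE on a row that already has a recipient is rejected.
CREATE TRIGGER IF NOT EXISTS issue_once BEFORE UPDATE ON vouchers
WHEN OLD.issued_to IS NOT NULL
BEGIN SELECT RAISE(ABORT, 'voucher already issued'); END;
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def import_roll(db, roll, csv_text):
    """Load one exported roll; returns how many new codes were stored."""
    before = db.total_changes
    for row in csv.reader(io.StringIO(csv_text)):
        code = row[0].strip() if row else ""
        if code and not code.startswith("#"):
            db.execute("INSERT OR IGNORE INTO vouchers (code, roll) VALUES (?, ?)",
                       (code, roll))
    db.commit()
    return db.total_changes - before

def issue(db, person, clerk):
    """Give the next unused code to `person`; records who issued it and when (UTC)."""
    if not person.strip():
        raise ValueError("recipient name is required")
    row = db.execute("SELECT code FROM vouchers WHERE issued_to IS NULL "
                     "ORDER BY rowid LIMIT 1").fetchone()
    if row is None:
        raise LookupError("no unused vouchers left; import a new roll")
    db.execute("UPDATE vouchers SET issued_to=?, issued_by=?, issued_at=? WHERE code=?",
               (person.strip(), clerk, datetime.now(timezone.utc).isoformat(), row[0]))
    db.commit()
    return row[0]

def holder(db, code):
    """Answer the audit question: who was this code handed to?"""
    row = db.execute("SELECT issued_to FROM vouchers WHERE code=?", (code,)).fetchone()
    return row[0] if row else None
```

The person handing out codes only ever calls `issue()`; importing new rolls stays with whoever administers the firewall.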

  • I prefer the last of your potential solutions.

    We have an apartment house with more than 120 users with different price models. RADIUS and daloRADIUS are flexible enough to build customer groups. It was the best solution that I found. It really works. All other solutions have some limitations. Furthermore, daloRADIUS is a separate web solution which can be used by our staff without a risk.

    There are some disadvantages:

    • You need another Linux or Windows server to install RADIUS and daloRADIUS.
    • You need time to find out how to install it.
    • You have a further point of potential failure. I use pfSense with CARP (redundant). But if RADIUS or MySQL behind RADIUS fails, the hotspot doesn't work anymore. pfSense has no fallback to recognize a RADIUS error and pass through users in this time. I will try to replicate MySQL and to use the pfSense package RADIUS with two databases. But this needs know-how.

    As you see, there is no easy solution with one installer software.
