Captive Portal authentication system



  • Hello,

    I am planning to build my own manageable Captive Portal system for pfSense.

    The intention is to build a specific site where all the AD users are loaded in, from there we can choose which user can authenticate through the CP with eventually a personal message for the CP page.
    We also want to disable an already authenticated account via that site (for example, if the user is not paying the bills on time).

    I am testing some things before I am gonna build the site, but I have a problem at the moment.
    To disconnect a user from the CP, you can click on a generated link within pfSense. That link has an ID in it, but I can't find where that ID is coming from.
    Can I somehow check which username has which unique ID? If I know username "X" his/her ID is "12345", I can easily open the site within a script to kick that user from the network (is the idea…) :)

    So, does someone know where I can look up the CP ID of a specific user?



  • I may be missing some crucial aspect of what you're asking, but normally the login IDs are listed within the CP status page (Status\Captive Portal). Surely the ID has to correspond to the user account, or am I missing something here?



  • If I go to Status -> Captive Portal, I only see the following fields:

    • IP address

    • MAC address

    • Username

    • Session start

    If you click on the "X" to disconnect a user from the CP, you get the following link:

    http://firewall.ramboflat.nl/status_captiveportal.php?zone=gast&order=&showact=&act=del&id=9c9280ad2173ea8b
    

    As you can see, the ID in the URL is: 9c9280ad2173ea8b.

    Can I somehow retrieve (with a script) which user(name) has which ID?



  • In order to authenticate, the user must enter a username, which shows up under the status page. You've indicated you've seen this already. The username has to be associated with the account/name of the user in question. What are you using for authentication? Local database? RADIUS? Vouchers?

    You mention building a 'site' where all the AD users are 'loaded'. How so? Are you importing user IDs in some fashion? Are you binding this to AD using RADIUS?

    User IDs are assigned by you, so you ought to be able to correspond login IDs with AD accounts one way or another. So how are you doing it?



  • CP is authentication against my Windows Server (2012 R2) Active Directory.

    What I mean is that, if a user is already logged in, we want to kick him off the network (disconnecting his connection).
    Normally this is done by clicking on the 'X' to disconnect the user, but I want an external site or script to do this action automatically on the firewall (so no direct access to the firewall / pfSense).

    I almost managed it by building a user manager with an LDAP connection to my AD; if a user's account is disabled, CP will kick him automatically from the network (is the idea :) )



  • Hello, I installed pfSense for a school assignment and I need to set up a captive portal.

    After configuring the captive portal, when I test whether it redirects me to the login page, it does not; it only does so if I enter this IP address: 192.168.99.1:8000. Once on the login page I log in, but nothing happens, it just stays there. Can someone help me? Please, it's urgent.


  • English, please.



  • @ Chrisiesmit93: To my knowledge AD is providing the authentication mechanism for the captive portal. Once authentication takes place, the captive portal handles when the session times out. Disabling the account within AD simply prevents any further authentication from taking place on that account, but won't trigger the active session on the PFS to end. My only suggestion is that you set the expiry time on the session to something short-ish, and when you disable the account within AD the session will time out shortly afterwards.



  • I maybe solved my problem.
    I've built myself a website where all the AD user accounts can be enabled or disabled with one button (in the AD)

    Captive Portal reauthenticates users every minute, so if I click on the button to disable a user account in the AD, the user will automatically be kicked off the network :)

    No testing done so far…



  • My "problem" is not (yet) solved.

    Can I kick users authenticated through RADIUS (MS Active Directory) from CLI or a .php script on another host and/or webserver?



  • @Chrisiesmit93:

    Can I kick users authenticated through RADIUS (MS Active Directory) from CLI or a .php script on another host and/or webserver?

    'kicking' means 'disconnecting' means the Captive Portal firewall rules should be modified. So something has to execute on pfSense to 'kick'.
    Putting a script on another system won't do 'the job'.

    Btw: User IDs are stored in an SQLite3 database on the pfSense file system (see source for the "how to access and retrieve").
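
The username-to-ID lookup described in the post above, as an added example that is not part of the original thread and is not pfSense's own code. The table and column names (`captiveportal`, `username`, `sessionid`) are assumptions, the sample rows are constructed, and the script would have to run on the firewall or against a copy of its session database.

```python
import sqlite3

# Assumed names, not confirmed by the thread: verify them with ".schema"
# in the sqlite3 shell against the real session database first.
TABLE, USER_COL, ID_COL = "captiveportal", "username", "sessionid"

def open_readonly(path):
    """Open the session database read-only so the lookup cannot alter portal state."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample_db():
    """Constructed in-memory stand-in for the session database."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (ip TEXT, mac TEXT, {USER_COL} TEXT, {ID_COL} TEXT)")
    db.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)", [
        ("192.168.99.10", "00:11:22:33:44:55", "alice", "1111aaaa2222bbbb"),
        ("192.168.99.11", "00:11:22:33:44:66", "Bob", "3333cccc4444dddd"),
        ("192.168.99.12", "00:11:22:33:44:77", "alice", "5555eeee6666ffff"),
    ])
    return db

def check_schema(db):
    """Fail loudly if the assumed table or columns are not present."""
    cols = {row[1] for row in db.execute(f"PRAGMA table_info({TABLE})")}
    missing = {USER_COL, ID_COL} - cols
    if missing:
        raise LookupError(f"{TABLE} lacks expected columns: {sorted(missing)}")

def session_ids_for(db, username):
    """Return every session ID for one user (a user may have several devices)."""
    check_schema(db)
    rows = db.execute(
        f"SELECT {ID_COL} FROM {TABLE} WHERE {USER_COL} = ? COLLATE NOCASE ORDER BY {ID_COL}",
        (username,),  # bound parameter: the username is never spliced into the SQL
    )
    return [r[0] for r in rows]

def sessions_to_disconnect(db, disabled_users):
    """Map each disabled directory account to its live session IDs."""
    return {u: ids for u in disabled_users if (ids := session_ids_for(db, u))}

if __name__ == "__main__":
    db = build_sample_db()
    # "carol" has no session and is omitted; "ALICE" matches case-insensitively.
    print(sessions_to_disconnect(db, ["ALICE", "carol"]))
```

The case-insensitive match is there because directory account names may not be typed with the same capitalisation at the portal login page.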



  • @Gertjan:

    @Chrisiesmit93:

    Can I kick users authenticated through RADIUS (MS Active Directory) from CLI or a .php script on another host and/or webserver?

    'kicking' means 'disconnecting' means the Captive Portal firewall rules should be modified. So something has to execute on pfSense to 'kick'.
    Putting a script on another system won't do 'the job'.

    Btw: User IDs are stored in an SQLite3 database on the pfSense file system (see source for the "how to access and retrieve").

    Thank you! This is what I searched for! :)

