Maximum devices per user?



  • Hello,

    I'd like to use the captive portal with very basic authentication using 2.2.4 on a SG4860.

    Would it be possible to give out the same username/password (or ideally just a password) to every one of our visitors or would I run into strange problems with up to 250 concurrent devices using the same (local user manager) credentials?


  • Banned

    Well, why don't you just use vouchers? (That's basically the same as "ideally just a password").



  • I've considered it. That's what we currently use with a Zyxel solution, which actually handles vouchers quite well. Of course it pales in comparison at everything network related.

    Our WLAN is unencrypted so any semi-competent computer user could intercept the voucher codes unless I use HTTPS on the pfsense box, which would require me to buy a SSL-certificate and renew it constantly just for this specific use.

    An unencrypted, shared password would be just slightly better than having the network "open" and would save a lot of overhead at the frontdesk. If somebody really wants to get on this network he would find a way through social engineering (as in walking to the reception and asking for a code).

    The other thing that holds me back is that I don't think there's an easy way to print vouchers on demand at the front desk using a thermal printer and just pfsense supported packages. I tried to request such a thing years ago but the consensus was that there's no demand for such a feature and I accept that.

    I believe somebody got the Epson TM-T88 thermal printer to work using the webinterface, but I'd hate to rely on this solution, have it break during a major pfsense update and then sit here for days/months without options because the maintainer has gone AWOL for whatever reason.


  • Banned

    Well, sorry but I don't get this "problem". Sharing a password (voucher) among 250 users makes it very much public. I get a feeling that it's actually a lot more than those 250, since you say concurrently. So, if everyone who happens to visit you gets the same password, yeah, you can just leave the network open. If security is your concern, similar nonsense is out of consideration.

    (You can have a certificate for free from https://www.startssl.com/, that's certainly the least of the issues here.)

    Our WLAN is unencrypted so any semi-competent computer user could intercept the voucher codes unless I use HTTPS on the pfsense box

    And how's this different from passwords and local users?



  • @doktornotor:

    Well, sorry but I don't get this "problem". Sharing a password (voucher) among 250 users makes it very much public. I get a feeling that it's actually a lot more than those 250, since you say concurrently. So, if everyone who happens to visit you gets the same password, yeah, you can just leave the network open. If security is your concern, similar nonsense is out of consideration.

    (You can have a certificate for free from https://www.startssl.com/, that's certainly the least of the issues here.)

    Our WLAN is unencrypted so any semi-competent computer user could intercept the voucher codes unless I use HTTPS on the pfsense box

    And how's this different from passwords and local users?

    I never claimed it was any different.

    I also don't expect to achieve perfect security on a public hotspot within our budget. Other establishments of our size (small) do indeed run an open network, or simply give out a WPA key to their guests, which would be no different from a captive portal with x users sharing the same password.
    The idea is that at least passers-by would not be able to access it quite as easily.

    It's ok that you don't get my problem, at least you tried to be helpful.


  • LAYER 8 Netgate

    I don't think the portal cares how many users are using the same credentials.  All my users show as "unauthenticated" and it works fine.

    Who honestly cares if passers-by use the network? Toss a limiter on it to curtail torrenting and help keep one device from being able to hurt you.

    The nasty stuff like DHCP pool exhaustion can be done without going through the portal anyway. A better answer is a WPA2 passphrase.



  • If your budget permits, several enterprise grade WiFi equipment vendors have solutions that allow multiple WPA2 passphrases (upto thousands) on a single SSID.  Pretty neat feature!



  • @Derelict:

    I don't think the portal cares how many users are using the same credentials.  All my users show as "unauthenticated" and it works fine.

    Who honestly cares if passers-by use the network? Toss a limiter on it to curtail torrenting and help keep one device from being able to hurt you.

    The nasty stuff like DHCP pool exhaustion can be done without going through the portal anyway. A better answer is a WPA2 passphrase.

    Thank you and you are right.
    I might end up using a WPA2 passphrase and an unauthenticated captive portal to display the AUP upon login and make use of the limiter.


Log in to reply