CP command line Login / bash



  • Hey Guys,

    I want to log in to the pfSense Captive Portal via the command line (the aim is to write a bash script).

    I need this because I want an auto-login for my Raspberry.

    My first thought was to send a POST to the CP with all the information for the login.

    Some examples:

    curl --data "auth_user=kali&auth_pass=password&accept=Login&redirurl=http://www.gmx.de/" http://192.168.24.1:8002/
    curl -F auth_user=kali -F auth_pass=password -F accept=Login "http://192.168.24.1:8002/index.php?zone=cpzone"

    The analysis of the HTTP traffic with Wireshark shows that my POST and the POST from the login page have all the necessary data.
    What is the point I'm missing?

    In this forum I've found a batch script with wget, but it doesn't work.
    Some parts of this script are in French (I guess), which I don't understand.

    Does anyone have a solution?

    Thanks for the help.
    Kali


  • Netgate

    Isn't adding the MAC address to MAC address passthrough easier than cobbling something together?



  • Hey Derelict,

    thanks for your answer.

    Sorry, this isn't a solution, because it would be a bypass of our logging server, and bypassing traffic is forbidden in our case.

    The reason for this ban is German law. The owner of an internet access is responsible for everything, even for the criminal activities of a third user. The owner has to prove his innocence, because the court doesn't care whether the owner is guilty or not. And this is the reason for the pfSense with the captive portal.

    By the way, a bash script wouldn't work only on the Raspberry Pi. I would use it on my Mac and Android phone too.
    For my phone I bought 2 apps, which don't work. That is so frustrating.


  • Netgate

    Not quite sure what you think a bash script would do for you.

    Can't you just set up a "staff-only" network and use that? Connect with WPA2/WPA2 Enterprise and have no portal?



  • @Kali:


    Sorry, this isn't a solution, because it would be a bypass of our logging server, and bypassing traffic is forbidden in our case.

    The reason for this ban is German law. The owner of an internet access is responsible for everything, even for the criminal activities of a third user. The owner has to prove his innocence, because the court doesn't care whether the owner is guilty or not. And this is the reason for the pfSense with the captive portal.
    ....

    and this is why you really should consider that the 'visitor' who uses YOUR network (and you are responsible for the acts done using YOUR network) should SEE (with their own eyes) the conditions, so you can say later on to the judge in court: this visitor saw the conditions, he was informed … If you automate the login, the visitor could say in his defense: I wasn't 'informed' that I couldn't do what I've been doing on that (your) network, that I was using his (your) network.
    Btw: I'm in France (this country is in some state of war right now, so believe me, we have identical laws right now)

    So, IF legal matters are important to you, be explicit with the visitor, have him log in manually. You'll be better off in the courtroom.
    Devices that do not have browsers and use functional locked-down apps to log in can be broken (reverse engineered), your login code will fall into the wrong hands, the MAC can be forged ... bad things happen, and off to court you go with a bad start.

    Focus on this one: "third users" that you cannot trust somehow, do not give them the possibility to use your network.

    PS: try using curl.
    PS2: the 'smart bad ass' will VPN out, so you wind up having a VPN server IP in your log .... and no proof, just scrambled data, and nothing can be held against you ;)


  • Netgate

    The chair is against the wall. John has a long mustache.



  • @Gertjan
    thanks for your long explanation. And I'm glad to hear that our neighbor has the same shitty law.

    In our case the third parties are renters in our house (student flat). Normally we can trust them. But confidence is good, control is better. ;)

    VPN was the first idea. I saw all the problems, from configuration to compatibility, and our users don't have much experience in computing. So VPN is too complex. Setting up a VPN server is no option, because we are glad to have a stable server now. So never change a running system. (I keep this option in mind, but my primary aim is to log in via the web interface.)

    I noted your judicial aspect. The pfSense should only protect the internet access owner. If a user gets hacked, gives the password to a friend or something else, then it is the problem of the user. We need two lists: internal IP <-> web IP (collected by the firewall) and internal IP <-> user (collected by the CP).
    BTW, to get access to the pfSense you have to log in to our intranet over some access points which are protected by a WPA2 password.

    – back to the problem
    My aim is to log in via the web interface by sending a POST request from the command line to the server.

    @Gertjan

    PS : try using curl.

    That is what I have tried (see the quote of my first post). But it doesn't work.

    curl -F ...
    

    The response is nothing: no request, no login.

    curl --data ...
    

    The response is a new login form, no login. The POST URL is copied into the redirect field.

    I think there is another security feature which rejects my POST requests.
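As an added example (not code from the thread, from Netgate or from the pfSense project), here is how the login described above can be scripted with curl. The pfSense portal login form submits auth_user, auth_pass, redirurl, the submit button named accept and a hidden zone field; the plain --data line in the first post leaves the zone out, and neither line percent-encodes the values, so a password containing '&' or '=' would corrupt the body. The script assumes the portal address and zone name from the poster's own curl lines (192.168.24.1:8002, cpzone), takes the credentials from the CP_USER and CP_PASS environment variables (an assumption), and treats a 302 redirect to redirurl, or a 200 page without the login form, as success. It has to run on the device that should get access, because the portal grants access to the source IP (and MAC) it sees on the login request; a POST sent from another machine authorizes that machine, not the Raspberry.

```shell
#!/bin/sh
# Added example (not from the thread): log in to a pfSense Captive Portal
# from a shell script with curl.
#
# Assumptions: the portal answers at PORTAL with zone ZONE (address and zone
# taken from the poster's own curl lines), and the credentials arrive in the
# environment as CP_USER / CP_PASS.  Run it on the device to be authorized:
# the portal grants access to the source IP/MAC of the login request.
set -eu
LC_ALL=C          # byte-wise string handling in urlencode
export LC_ALL

PORTAL=${PORTAL:-http://192.168.24.1:8002/}
ZONE=${ZONE:-cpzone}
REDIR=${REDIR:-http://www.gmx.de/}

# Percent-encode every byte outside the RFC 3986 unreserved set, so that a
# password containing '&', '=', '+' or '%' cannot break the form body.
urlencode() {
  s=$1
  out=
  while [ -n "$s" ]; do
    rest=${s#?}            # everything after the first byte
    c=${s%"$rest"}         # the first byte itself
    case $c in
      [a-zA-Z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# Build the application/x-www-form-urlencoded body that the portal's own
# login form submits: auth_user, auth_pass, redirurl, the hidden zone field
# and the submit button named "accept".  Arguments: user pass zone redirurl.
build_login_body() {
  printf 'auth_user=%s&auth_pass=%s&redirurl=%s&zone=%s&accept=Login' \
    "$(urlencode "$1")" "$(urlencode "$2")" \
    "$(urlencode "$4")" "$(urlencode "$3")"
}

# Decide whether the portal accepted the login.  On success pfSense either
# redirects (302) to redirurl or serves its logout page; on failure it
# re-serves the login form, recognisable by its auth_user input.
login_succeeded() {
  status=$1
  page=$2
  [ "$status" = 302 ] && return 0
  if [ "$status" = 200 ] && ! printf '%s' "$page" | grep -q 'name="auth_user"'; then
    return 0
  fi
  return 1
}

# Perform the login and report the outcome.  -w appends the HTTP status on a
# line of its own; redirects are deliberately not followed (no -L) so that
# the 302 stays visible.
cp_login() {
  body=$(build_login_body "$1" "$2" "$ZONE" "$REDIR")
  resp=$(curl -sS --max-time 15 --data "$body" -w '\n%{http_code}' "$PORTAL")
  status=$(printf '%s\n' "$resp" | tail -n 1)
  page=$(printf '%s\n' "$resp" | sed '$d')
  if login_succeeded "$status" "$page"; then
    echo "captive portal login OK (HTTP $status)"
  else
    echo "captive portal login FAILED (HTTP $status); check user, password and zone" >&2
    return 1
  fi
}

# Only talk to the portal when credentials were supplied, e.g.
#   CP_USER=kali CP_PASS='s3cret' ./cp-login.sh
if [ -n "${CP_USER:-}" ] && [ -n "${CP_PASS:-}" ]; then
  cp_login "$CP_USER" "$CP_PASS"
fi
```

The hand-written urlencode keeps the script dependency-free; with a recent curl you can instead pass each field with --data-urlencode and drop it. If the portal still answers with the login form, compare the body you send with the one the browser sends in Wireshark field by field (the zone value in particular) and check that the request really leaves from the device's own LAN interface, since that is the address the portal authorizes.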