CP Logon Page and multiple WiFi Access Points issue



  • Hi, I am not sure if this issue has already been raised by somebody.

    Some details first:
    HP Server Xeon CPU,
    8GB RAM ECC,
    SSD Drive,
    WAN = PPPoE,
    LAN = 192.168.1.1/24
    OS: 2.2.6-RELEASE (amd64)
    built on Mon Dec 21 14:50:08 CST 2015
    FreeBSD 10.1-RELEASE-p25

    CP auth by usernames and vouchers.

    Issue Details:
    I have installed about 20 Access Points in quite a big area, all APs connected by cable (no repeating, bridging etc.). All APs have different SSIDs, i.e. AP-1, AP-2, AP-3 and so on.

    My problem:
    All is fine as long as I am using the same Access Point; once I change Access Point, the system asks me again for uid or voucher, which actually wouldn't be a big problem, but for some reason it won't accept my authorisation. If I enter a valid voucher it just keeps bouncing me to the same logon page; if I put in a wrong voucher (not valid or expired etc.) it says it's not valid or expired, so it looks like some auth mechanism is working, but it doesn't want to let me pass any further than the logon screen. But if I reconnect to the previous Access Point (where I passed the voucher validation) it lets me go through without asking for a voucher.

    If I disconnect myself from the CP active vouchers list screen, then I can connect to any other Access Point and pass authorisation with no problem, but again if I change AP it won't let me go further than the logon screen.

    I thought the system somehow recognizes me with a different MAC address or something, but… it may help someone: if I add the MAC address of my phone or laptop (it can be anything) into the CP MAC allowed list (so it will not ask for voucher or uid and password) then I can use any AP any time I want, I can change them any time I want, walk through the whole area and I have no problem at all.

    I would like to ask what and where I should start looking first?! I have no idea whether it is something to do with the APs or the pfSense configuration?!

    Any help will be appreciated.

    Regards



  • It shouldn't ask for re-authentication. That only happens when you change MAC / IP.
    What's in the logs when you are stuck at the auth page?



  • Hi, this is what I found last night, but it's weird; this is how it looks:

    When I log on the first time I am registered as IP n.1 and MAC n.1; when I change AP the system says:

    CONCURRENT LOGIN - REUSING IP n.1 WITH DIFFERENT MAC ADDRESS MAC n.1: [voucher_ID], MAC n.1, IP n.1

    but I am visible in the network under MAC n.2 address and IP n.1 address?! I can't understand how it happens?! If the system sees me under a different MAC, why is it giving me the same IP address? I can understand that DHCP gave me IP n.1 for MAC n.1, but after reconnecting CP sees me under a different MAC and is not giving me a new IP address.

    I think the problem is on the DHCP side. I think DHCP is trying to give me another IP address for MAC n.2 which is already used by an AP with a different IP address (not from the DHCP range; all APs' addresses are out of the DHCP range)?!



  • Hi,

    No need to hide local IP addresses. No need to hide MAC addresses.

    The same device, switching from one AP to another AP in the same (captive portal) network: I wasn't asked to re-login.
    My device (iDevice) was asking for an IP (preferring the one it already had); my iDevice was presenting the same MAC address (my iDevice has only ONE MAC) so it was given the same IP by pfSense ….

    This set: [MAC + IP] was already listed in the pfSense Captive Portal firewall as "ok - may go through", which explains the fact "when I change AP, I do not have to re-login".

    It's time to have a close look at your APs, how they are hooked up, how they are set up, etc.

    Btw: this is me hopping from one AP to another, and then a third:

    Mar 31 16:46:33 	dhcpd: DHCPACK on 192.168.2.176 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:33 	dhcpd: DHCPREQUEST for 192.168.2.176 (192.168.2.1) from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:32 	dhcpd: DHCPOFFER on 192.168.2.176 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:32 	dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:06 	dhcpd: DHCPACK on 192.168.2.176 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:06 	dhcpd: DHCPREQUEST for 192.168.2.176 (192.168.2.1) from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:05 	dhcpd: DHCPOFFER on 192.168.2.176 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:05 	dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:04 	dhcpd: DHCPOFFER on 192.168.2.176 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:46:03 	dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:44:12 	dhcpd: DHCPACK on 192.168.2.176 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:44:12 	dhcpd: DHCPREQUEST for 192.168.2.176 (192.168.2.1) from 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:44:11 	dhcpd: DHCPOFFER on 192.168.2.176 to 90:b9:31:77:5e:26 (iPhone-5S-Gertjan) via sis0
    Mar 31 16:44:10 	dhcpd: DHCPDISCOVER from 90:b9:31:77:5e:26 via sis0
    
    

    edit: Note: I also used a voucher to access the portal, just to be sure ;)
    If you went away from the default setup, detail your DHCP (and other) pfSense settings.
    Default == Captive Portal on OPT1, using its own typical 192.168.2.0/24 segment and its own DHCP server (255 minus the number of APs; for me: 192.168.2.7 -> 192.168.2.254)


  • Netgate

    Changing APs should not change your device's MAC address as long as they are all configured as APs and not routers or in some other funky mode. If they were routers, your IP address would also change to that AP's WAN address, so…



  • Problem solved,

    After "hundreds" of tests, running with the laptops all the way around etc. I found that behind AP any device appear in the LAN/WLAN with connected AP MAC address. I.e. Phone connected to AP-1 has been registered in CP/DHCP under AP-1 MAC address and got successful auth/logon, when I connect to the another AP = AP-2, with some reason I am staying with my old IP (there is something wrong) but I am existing under another MAC address (AP-2 MAC) - why?

    So it looks like my APs are working like routers when they are supposed to work as pure access points. A typical router should have DHCP turned on and give me its local IP address, but this is not happening. I don't see a problem getting an IP from DHCP behind/in front of a router, but why, if they are in AP mode (the other modes are: client, bridge, router, repeater)?

    So finally I decided to replace the AP with another one (brand) and everything started working like a charm. Not a big deal… over 20 APs will end up in the bin, but at least I know where I am.

    The whole point is that this network has to work like: ONE voucher per ONE person/device (concurrent logins=disabled), and now...

    what would happen if someone installed an AP as client or as a proper router = WAN 10.0.0.2/24 + LAN 192.168.1.1/24, with concurrent logins disabled on pfSense (10.0.0.1/24)? What will pfSense do with the AP's LAN clients? Will a client with MAC1 and IP=192.168.1.2 be able to pass the auth screen? And then what will happen with another client with MAC2 and IP=192.168.1.3? (pfSense works on 10.0.0.1/24)

    I can test it, it's just my freshly arrived idea, but someone may have some experience and answer straight away,

    thanks for help.
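The two observations in this thread, Gertjan's point that the portal keeps an authorized [MAC + IP] pair, and fr0t's finding that each AP presented its own MAC for every client behind it, can be put into a small model. This is an added illustration and not pfSense's code or anything posted by the participants: the `PortalSessions` class is an assumed, simplified authorization table (the real portal's handling of a concurrent login may differ), `ip_mac_changes` only assumes the dhcpd line format pasted earlier in the thread, and the sample log lines and MAC addresses are constructed.

```python
import re

# dhcpd DHCPACK lines in the format pasted earlier in this thread (assumed format).
DHCPACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample log (not from the thread). The phone keeps its own MAC across
# AP changes; the laptop shows up under a different MAC after roaming because
# the AP rewrites it, which is the symptom fr0t found.
CONSTRUCTED_LOG = """\
Mar 31 16:44:12 dhcpd: DHCPACK on 192.168.2.176 to 02:00:00:00:00:aa (phone) via sis0
Mar 31 16:46:06 dhcpd: DHCPACK on 192.168.2.176 to 02:00:00:00:00:aa (phone) via sis0
Mar 31 16:50:01 dhcpd: DHCPACK on 192.168.2.177 to 02:00:00:00:00:01 (laptop) via sis0
Mar 31 16:52:40 dhcpd: DHCPACK on 192.168.2.177 to 02:00:00:00:00:02 (laptop) via sis0
"""


def ip_mac_changes(log_text):
    """Return (ip, old_mac, new_mac) for every lease where the same IP was
    ACKed to a different MAC than before. On a healthy network of pure APs this
    list should stay empty for a roaming client."""
    last_mac = {}
    changes = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        previous = last_mac.get(ip)
        if previous is not None and previous != mac:
            changes.append((ip, previous, mac))
        last_mac[ip] = mac
    return changes


class PortalSessions:
    """Assumed, simplified captive-portal authorization table: traffic passes
    only for the exact [MAC + IP] pair that logged in, and with concurrent
    logins disabled a voucher may be active for one pair at a time."""

    def __init__(self, allow_concurrent=False):
        self.allow_concurrent = allow_concurrent
        self.active = {}        # (mac, ip) -> voucher
        self.diagnostics = []   # log lines in the style quoted in the thread

    def is_authorized(self, mac, ip):
        return (mac, ip) in self.active

    def login(self, mac, ip, voucher):
        """True if the pair may pass, False if the client is sent back to the logon page."""
        if self.is_authorized(mac, ip):
            return True  # same pair as before: no re-login (the "same AP" case)
        for (old_mac, old_ip), v in self.active.items():
            if v != voucher:
                continue
            if old_ip == ip and old_mac != mac:
                self.diagnostics.append(
                    f"CONCURRENT LOGIN - REUSING IP {ip} WITH DIFFERENT MAC ADDRESS "
                    f"{old_mac}: {voucher}, {mac}, {ip}")
            else:
                self.diagnostics.append(
                    f"CONCURRENT LOGIN - {voucher} already active for {old_mac}/{old_ip}")
            if not self.allow_concurrent:
                return False
        self.active[(mac, ip)] = voucher
        return True

    def logout(self, voucher):
        """Disconnecting the voucher from the active list frees it for a new pair."""
        self.active = {k: v for k, v in self.active.items() if v != voucher}


if __name__ == "__main__":
    for ip, old, new in ip_mac_changes(CONSTRUCTED_LOG):
        print(f"IP {ip} moved from MAC {old} to MAC {new}: check the AP, not the client")
    portal = PortalSessions(allow_concurrent=False)
    print(portal.login("02:00:00:00:00:01", "192.168.2.177", "VOUCHER-1"))  # True
    print(portal.login("02:00:00:00:00:02", "192.168.2.177", "VOUCHER-1"))  # False
    print(portal.diagnostics[-1])
```

Running the parser over the captured dhcpd log is the check to make before blaming the portal: if a client's IP turns up under a second MAC, the MAC is being rewritten somewhere between the client and pfSense, and no portal setting will fix that. The model also shows why a MAC on the allowed list "works everywhere" (it bypasses the pair lookup) and why logging the voucher out and back in succeeds with the new MAC.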


  • Netgate

    If someone puts a router on your network with the WAN port as a wifi client and connects, the first client behind it will need a voucher and all other clients behind it will be able to use the portal session too, because it is the same IP/MAC address as far as the Captive Portal is concerned.

    Not a lot you can do about it.



  • But at least the voucher owner will be responsible for dodgy things done on the internet, and also the speed and bandwidth limit will affect the whole group behind it. This makes sense and explains something to me, because I already had a couple of IPs that reached the bandwidth limit in a quarter of the normal typical time, and it was not continuous downloading; the graphs were showing more like browsing websites, watching movies, i.e. on fb/youtube etc. I thought I had a couple of guys eating, washing, shaving, sleeping, working and doing everything else in front of their laptops browsing the internet :)

    Anyway, thanks all for the help, my problem is solved.

    Regards
    fr0t



  • Use UniFi APs. They rock!!!  Cheap and work really well!!!  Super easy to provision!!!



  • @kapara:

    Use UniFi APs. They rock!!!  Cheap and work really well!!!  Super easy to provision!!!

    I know they are brilliant, I have a few of them in another place, but coming back to the place mentioned in this topic, I am now using Tendas (ceiling version) and I must say they do the job. It even surprised me, because they support IEEE 802.1Q (QVLAN) and I can set up 4 different SSIDs with 4 different subnets using one cable connection, and they work perfectly with pfSense VLANs with tags.