Captive Portal Archives - Stefcho's Tech Blog

Introduction

In the previous post pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management we configured a basic Captive Portal. Now I want to customize a little the web pages that are presented to the guests. Users will send credentials, and it is better to use HTTPS, that’s why will will configure it too.

Scenario

I want to customize the pages put custom colors and logo. Moreover the default page does not have a voucher field available, and I want this too. Granting access to guests, must follow some rules, so Acceptable Use Policy that have to be acknowledged is suitable for such a page

You can see the default pages below

Configuration

Certificate for the HTTPS/SSL

Go to System > Cert Manager

On the CAs leaf, select Create and internal Certificate Authority. Fill in the form to your likings. Make note of the Common name and the Descriptive name.

Go to the Certificates leaf, and Create an internal Certificate, fill in the form. The Common Name for the certificate must match to firewall name. In my case it is pfSense.localdomain. Also note the Descriptive name of the certificate.

Export the Certificates

On the CAs leaf click on the downward pointing triangle with rollover info export ca.

On the Certificate leaf, click on both downward pointing triangles for the Captivate Portal Cert.

You will end up with three file with similar names to this

DNS Record

Go to Services > DNS Forwarder

Add new record that will override the results from the forwarders

Enter Host, Domain, IP Address and Description. In my case the host is pfSense, the domain is localdomain, the IP address is the IP used by pfSense for the Guest network and I’ve entered some useful description.

Put the Certificate data in the fields

Now open the certificates in your favourite text editor. I’ve used Notepad++, and copy and paste the content in the Services > Captive Portal pages.

Paste Captive+Portal+Cert.crt in HTTPS certificate section

Paste Captive+Portal+Cert.key in HTTPS private key section

Paste Captive+Portal+CA.cert in HTTPS intermediate certificate section

Save your configuration.

Upload the logo

Go to the File manager leaf of the Captive portal. Click on the + sign. And choose your logo image.

Then click on the Upload button.

Take a note of the name of the image, if it is different from the one used in your pages update them before uploading.

Upload the pages

Go back to the Captive portal leaf, and scroll down to the Portal page contents section.

Click on Choose File button and select your page file. Do the same for the Authentication error page contents page with the index_error.html page. Save your configuration.

Explanation

I’ve used the build in Certificate Manager, because it works for me. The alternative is to use OpenSSL as explained in the pfSense forums. This is closely related to the DNS record.

By customizing the pages we can brand them and in the same time create more enterprise look and feel. Opening the voucher field is first step to my next post. There the main topic will be configuration of vouchers and RADIUS authentication.

About the pages code:

Index.html

Index_error.html – The only change here is the addition of “Invalid credentials specified.”. I did not add the “$PORTAL_MESSAGE$”, because it is for RADIUS only.

The contents of the HTML/PHP file that you upload here are displayed when an authentication error occurs. You may include “$PORTAL_MESSAGE$”, which will be replaced by the error or reply messages from the RADIUS server, if any.

Invalid credentials specified.

You can download my pages from here:

index

index_error

Testing

Connect to the guest network and try to open a web page. You will see a warning about your certificate, go over it. Now you are supposed to see your new custom page. Enter your username and password, look at the Acceptable Use Policy and Click on the Accept check box. Then on the Continue button. If you don’t tick the Accept check box a warning message windows will appear, that will inform you that you must accept the policy first.

In case that you intentionally or not mistype your user name and/or password, you will see in red Invalid credentials specified. Now you can try to enter then again.

After successful log in you will have internet access, and on the Status > Captive portal page you will be able to see the currently logged on users.

Issues

DNS record surprise me because I have not used it up until now.

References

Here are some materials that could help you further develop the Captive Portal Pages:

http://doc.pfsense.org/index.php/Category:Captive_Portal

Free, cool, and easy Captive Portal (Guest portal)

How To: Using m0n0wall to create a Wireless Captive Portal – Step 4: Create the Captive Portal Page

pfSense: Captive Portal Logo Edit

Как в pfsense 2.0 сделать Captive portal доступным из разных сетей

Установка и настройка Wi-FI HOT-SPOT системы на примере программного роутера PfSense 2.0.(Часть 1)

A good base for the Acceptable Use Policy:

Acceptable Use Policy for the Wireless Network

Acceptable Use Policy for Wireless Access

Acceptable Use Policy

Conclusion

Now we have better looking pages displayed to our guest, and well communicated Acceptable Use Policy of the Guest Network. The credentials of our users are transferred using SSL cannel and are not in plain text.

Posted in TechnicalTagged Captive Portal, Network, pfSense, pfSense 2.0 RC113 Comments
pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management

Posted on 19/06/2011 - 18/02/2019 by Stefan

Introduction

More or less it is expected from a company to provide some form of Wireless Internet Access to guest, clients and partner visiting their premises. Providing them with such could pose a security risk if you use just a simple wireless access point directly connected to your LAN. It is better to isolate them in separate network segment without access to your LAN. For that purpose we will use an Optional Interface and the Captive Portal feature of pfSense 2.0 RC1.

Scenario

You want to provide your guest with Internet Access using single of multiple Wireless Access Point, but you want to prevent them from lurking around your servers and workstations. Even worse they can be infected with some malicious code that could try to take over your network. You have probably seen what enterprise grade wireless solutions offer as functionality, but the price of these solutions is prohibitive to implement for Small Office Home Office (SoHo) uses.

In this post we will look at the basic configuration of Captive Portal, a feature of pfSense, and how to implement a basic scenario with required authentication of guests, which will be quarantined from our internal network, but will have almost full Internet Access at their disposal.

Setup

We have a simple setup of pfSense 2.0 RC1 with three network interfaces. The WAN gives us access to the Internet, behind the LAN interface resides our servers and workstations, and we will put the guests behind the GUESTS interface. For reference take a look at the network diagram.

Some hardware appliance on which pfSense is running might have Wireless Network Interface Cards installed initially, in that case you can use that interface for GUESTS, but currently I do not have such card available for testing. At near future when I do get one, I will test this scenario too.

If you are unfortunate enough to have only two network interfaces, but you are fortunate to have a VLAN capable switch you can separate the LAN and the GUESTS into separate VLANs. Take a look at the network diagram below for reference. Yet again this is a separate scenario that I will leave for the future posts.

Configuration

Configure the Guests Interface.

If you haven’t configured the third network interface already, let’s configure it now.

Go to Interface > (assign), and click on the + button, and then click on Save button to save the configuration.

Not go to you newly added interface, the name by default is OPT1.

Tick the Enable Interface and click Save.

Now you can enter a Description for this interface, in my example I used Guests.

Select Static as Type.

In the Static IP configuration section, enter IP Address for the interface and a subnet mask. In my case these are 192.168.0.1/24.

Then click on the Save button, and Apply changes.

Setup a DHCP Server for this Interface

Go to Services > DHCP Server,

on the Guests leaf, tick the Enable DHCP server on Guests Interface.

Enter a Range aka Pool of IP addresses available for our guests, in my case 192.168.0.10-20.

Enter 192.168.0.1 as value for DNS Server and a Gateway, then Save the configuration.

Apply Firewall rules on the Guests Interface

As we stated in the Scenario section, we want to provide our guests only with Internet access, and NO access to our LAN resources, also preventing them from accessing the Web GUI of the pfSense is a good idea.

I used for a base for the required firewall rules this wonderful article here: How To: Using m0n0wall to create a Wireless Captive Portal – Security

As you know pfSense is a fork of m0n0wall, so the rules still apply.

So here are my rules:

The NetBIOS Block rules do exactly that the description states.

Web GUI Block prevent guest from accessing the management interface of the pfSense from the wireless network.

The WAN Address / Subnet Block, prevent the guest from accessing any devices connected directly on our WAN port in case you have something like modem or anything else that could be configured using web or other interface.

The last Guests to Any Other Than LAN network provide our guest with the so much needed Internet Access.

As additional test I’ve made a rule that block all traffic on this interface during no business hours. This is the first time that I used a Schedule for a rule, so accept is as experimental. The idea for this rule is inspired by this blog post: pfSense Captive Portal with Firewall Schedules

If you’re providing Wifi access you certainly don’t want to worry about some jackass out in the parking lot in the middle of the night trying to hack on your portal.

Configure Captive Portal

Go to Services > Captive Portal.

Tick the Enable captive portal, and select our Guests Interface. You can leave to the defaults values for now Maximum concurrent connection, Idle timeout. For Hard timeout you can choose a period depending on the average stay of your guests, for my test purposes a value of 60 minutes is fine.

If you really believe that you guest a conscience enough you can enable the Logout popup window, and give then the possibility to logout by themselves, but for the sake of simplicity I will not enable this feature.

Very nice feature is the Per-user bandwidth restriction, you can limit the amount of bandwidth that each user can consume. This will slow down their access but will provide resources for more concurrent users. It is up to you to decide whether to use this or not. In my setup, I’ve enabled this feature for testing purposes, and the results were satisfactory.

For Authentication, we have three options, No authentication can be used for a page with Acceptable Use Policy for the Wireless Network, which your guest must only acknowledge.

For this example I will use Local User Manager. In a future blog post I will take a look at RADIUS Authentication.

For now scroll down to the end of the page and click Save.

User Management

Go to System > User Manager and create new user.

For my example User name is guest, type in a Password, and Full name.

Explanation

The purpose of the Captive Portal is to force guest users to visit a page before they are provided with Internet Access, whether you will simply require them to accept a use policy, or to authenticate in some manner it is up to you and your needs.

Testing

Now I suppose that you have connected one or more Wireless Access Points to the Guests Interface of the pfSense, and configured a SSID for guests. After that you have connected to this Wireless Network. Now when you open a browser and type in some website address, you will be redirected to the Captive Portal page and be required to enter user name and password, use the guest account. After successful authentication you will be redirected back to the original web site address that you have entered.

Conclusion
Now you can connect one or more Wireless Access Point to the Guest interface of pfSense and distributed the guest user name and password to clients coming over. Whether you will limit the services on to normal business hours, or limit the bandwidth for each user I leave up to you.
In the following post I will look at the possibilities to customize the Captive Portal pages, and implementation of Vouchers and RADIUS authentication.

Posted in TechnicalTagged Captive Portal, Network, pfSense, pfSense 2.0 RC1, Wireless20 Comments

Tags
ADDS AES-NI Asterisk ASUS Azure Captive Portal Cell Phone CentOS Certification Creative DD-WRT DNS Hyper-V LDAP Learning Linksys Microsoft Mikrotik RouterBoard RB250G Network OpenLDAP OpenVPN OpenWrt pfCenter pfSemse pfSense pfSense 2.0 RC1 pfSense 2.0 RC3 pfSense 2.2 PKI RADIUS Raspberry Pi Routing Site To Site Technical Uncategorized VLAN VMWare VoIP Vyatta Web Sites Windows Server 8 Windows Server 2008 R2 Windows Server 2012 R2 Wireless Workstation 8

Archives

April 2020

July 2019

May 2019

March 2019

February 2019

October 2018

August 2018

March 2016

April 2015

March 2015

January 2015

February 2012

October 2011

September 2011

August 2011

July 2011

June 2011

May 2011

April 2011

March 2011

February 2011

July 2010

Proudly powered by WordPress | Theme: micro, developed by DevriX.

Tag: Captive Portal

pfSense 2.0 RC1 – Captive Portal with RADIUS Authentication and Vouchers

pfSense 2.0 RC1 – Customize Captive Portal Pages and implement HTTPS

index

index_error

pfSense 2.0 RC1 Configure Captive Portal for Guests with Local User Management