Topic: voucher authentication
« on: March 26, 2007, 16:21:50 »
mwiget *
Posts: 38

time to contribute back to the excellent m0n0wall and its community ...
(and sorry for the cross-post to the forum, in addition to the m0n0wall-dev list.)

Some time ago we were looking for a simple hotspot solution and found
m0n0wall. We didn't want to use a centralized RADIUS server but rather
have m0n0wall (WRAP platform) do the authentication based on vouchers
that are printed beforehand and handed out to customers.

So I added voucher handling support to m0n0wall. Test images for generic PC
and WRAP, based on the latest beta, 1.3b2, can be found at the
following URL:

http://homepage.mac.com/mwiget/FileSharing17.html

Patch has also been committed to the freebsd6 beta branch.

Quick Howto:

To enable, create and manage voucher support via captive portal, there is
a new Tab under Services->Captive Portal: Voucher.

Enable captive portal first, upload a landing page that contains an input field
'auth_voucher'. An example can be found on the URL above.
Then enable Voucher support on the Voucher tab. Initially you can leave all
fields with their defaults. Every new install will create unique encryption
keys.
Now add at least one "Roll" by clicking '+' on the Vouchers page, right
to 'Voucher rolls': Specify a Roll Number, e.g. 0, how many vouchers that
roll shall contain, and how long each voucher allows network access.
Then generate the new vouchers by clicking on the paper logo right to the newly
added roll. This will generate a CSV file and download via your browser.

Each of these generated vouchers can now be used by users for the configured
amount of minutes for that roll. Note that as soon as a voucher has been
activated, its timer will run down to zero and then block access, no matter
if the session is idle or got disconnected due to logout or session termination.

To test the vouchers in the m0n0wall GUI, click on Status->Captive Portal. New
tabs, dedicated to voucher handling, show up when voucher support is enabled.
Click on status->captive portal-> Test Vouchers and enter one or more of the
newly generated vouchers from the downloaded CSV file and click submit.
A message will be shown with the validation and duration of each given
voucher.

One can add multiple rolls, e.g. to have vouchers with different time credit.
It is also possible to enter multiple vouchers, separated by space, to gain
the sum of time credit of all entered vouchers.

There is more to it, read the comments to each config parameter on the voucher
page.

Note on the very short public/private RSA keys: I know, those can be cracked
easily and in no time, if one of the keys is known. The idea here was to make
it a little bit harder than simply adding a shared password into the m0n0wall
config file. Unfortunately I'm no expert on encryption but I assume with such
short encrypted vouchers, there is no security difference between the used
RSA keys and a symmetric encryption. Anyhow, all that encryption/decryption
stuff is done in a newly added binary C program voucher.c, that is compiled and
added into the m0n0wall image, and can be modified to increase the usability
and security.

I'm sure there are bugs and issues with this new code, and I'll try my best
to work them out. Any feedback is welcome.
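
The activation rule from the howto above, modelled as an added example that is not part of the original post and is not m0n0wall's voucher.c. It swaps the short RSA scheme for a truncated HMAC-SHA256 tag; the `roll-ticket-tag` voucher layout, the key, the rolls and all names are assumptions made for illustration, and it covers a single voucher only.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-install secret replacing the RSA pair
ROLLS = {0: 60, 1: 240}           # constructed rolls: roll number -> minutes per voucher
TAG_LEN = 10                      # hex characters kept from the MAC (assumption)
MAX_LEN = 40                      # reject oversized input before any parsing


def make_voucher(roll: int, ticket: int) -> str:
    """Voucher text is 'roll-ticket-tag'; the tag is a truncated HMAC-SHA256."""
    tag = hmac.new(SECRET, f"{roll}-{ticket}".encode(), hashlib.sha256).hexdigest()
    return f"{roll}-{ticket}-{tag[:TAG_LEN]}"


def parse_voucher(code: str):
    """Return (roll, ticket) for a genuine voucher in canonical form, else None."""
    if len(code) > MAX_LEN or not code.isascii():
        return None
    parts = code.split("-")
    if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
        return None
    roll, ticket = int(parts[0]), int(parts[1])
    if roll not in ROLLS:
        return None
    # Recompute the voucher and compare in constant time; no voucher list is consulted.
    ok = hmac.compare_digest(make_voucher(roll, ticket), code)
    return (roll, ticket) if ok else None


class VoucherClock:
    """Only activated vouchers are stored: (roll, ticket) -> activation time in seconds."""

    def __init__(self):
        self.activated = {}

    def redeem(self, code: str, now: int) -> int:
        """Return seconds of access left; the first valid use stamps the voucher."""
        key = parse_voucher(code)
        if key is None:
            return 0
        start = self.activated.setdefault(key, now)
        # Wall-clock countdown from activation: idle time and logouts are not refunded.
        return max(0, ROLLS[key[0]] * 60 - (now - start))
```

The tag length trades the length of the printed voucher against resistance to guessing, so a short tag relies on the portal limiting login attempts.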

« Reply #1 on: April 21, 2007, 13:29:54 »
doush *
Posts: 3

hi mwiget;
thanks for your support for voucher auth.

I would like to ask few questions about it before using it.

1- Do voucher accounts automatically reduce their time regardless of the usage?
2- Does it have any bugs that you have spotted? Because it will be used in a production environment.
3- Can I update the test image from 1.23?
thanks again
Dogus
« Last Edit: April 21, 2007, 13:44:32 by doush »
« Reply #2 on: April 22, 2007, 08:40:34 »
mwiget *
Posts: 38

on 1) as soon as a voucher is activated, it is timestamped and expires after the time allocated by the roll the voucher belongs to.

on 2) The 1.3 branch is beta, so there is a good chance of bugs, including vouchers. I strongly recommend testing it in your environment first. I personally run the voucher code on the older 1.2x branch in production. As we all want to move forward, voucher support got submitted into the beta 1.3x branch.

on 3) I haven't upgraded from 1.2 to 1.3 (which is FreeBSD 6.2 based), can't comment.

For production you might want to wait for a next official beta after 1.3b2.

regards, Marcel
« Reply #3 on: June 27, 2007, 12:46:35 »
taufan *
Posts: 1

Hi Mwiget,

Could I report to you some bugs that I encountered when using this version of m0n0?? via email maybe...
I still haven't got to the voucher part yet but been spending days banging my head to make the captive work normally...

Thanks for such excellent work!!

Regards,


Taufan
 