News: This forum is now permanently frozen.
Welcome, Guest. Please login or register.

Login with username, password and session length
March 02, 2015, 21:28:41
Pages: [1]
Topic: voucher authentication  (Read 12822 times)
« on: March 26, 2007, 16:21:50 »
mwiget *
Posts: 38

time to contribute back to the excellent m0n0wall and its community ...
(and sorry for the cross-post to the forum, in addition to the m0n0wall-dev list.)

Some time ago we were looking for a simple hotspot solution and found
m0n0wall. We didn't want to use a centralized RADIUS server but rather
have m0n0wall (WRAP platform) do the authentication based on vouchers
that are printed beforehand and handed out to customers.

So I added voucher handling support to m0n0wall. Test images for generic pc
and WRAP , based on the latest beta, 1.3b2, can be found at the
following URL:

Patch has also been committed to the freebsd6 beta branch.

Quick Howto:

To enable, create and manage voucher support via captive portal, there is
a new Tab under Services->Captive Portal: Voucher.

Enable captive portal first, upload a landing page that contains an input field
'auth_voucher'. An example can be found on the the URL above.
Then enable Voucher support on the Voucher tab. Initially you can leave all
fields with its defaults. Every new install will create unique encryption
Now add at least one "Roll" by clicking '+' on the Vouchers page, right
to 'Voucher rolls': Specify a Roll Number, e.g. 0, how many vouchers that
roll shall contain, and how long each voucher allows network access.
Then generate the new vouchers by clicking on the paper logo right to the newly
added roll. This will generate a CSV file and download via your browser.

Each of these generated vouchers can now be used by users for the configured
amount of minutes for that roll. Note that as soon as a voucher has been
activated, its timer will run down to zero and then block access, no matter
if the session is idle or got disconnected due to logout or session termination.

To test the vouchers in the m0n0wall GUI, click on Status->Captive Portal. New
tabs, dedicated to voucher handling, show up when voucher support is enabled.
Click on status->captive portal-> Test Vouchers and enter one or more of the
newly generated vouchers from the downloaded CSV file and click submit.
A message will be shown with the validation and duration of each given

One can add multiple rolls, e.g. to have vouchers with different time credit.
It is also possible, to enter multiple vouchers, separated by space, to gain
the sum of time credit of all entered vouchers.

There is more to it, read the comments to each config parameter on the voucher

Note on the very short public/private RSA keys: I know, those can be cracked
easy and in no time, if one of the keys is known. The idea here was to make
it a little bit harder than simply adding a shared password into the m0n0wall
config file. Unfortunately I'm no expert on encryption but I assume with such
short encrypted vouchers, there is no security difference between the used
RSA keys and a symmetric encryption. Anyhow, all that encryption/decryption
stuff is done in a newly added binary C program voucher.c, that is compiled and
added into the m0n0wall image, and can be modified to increase the usability
and security.

I'm sure there are bugs and issues with this new code, and I'll try my best
to work them out. Any feedback is welcome.

« Reply #1 on: April 21, 2007, 13:29:54 »
doush *
Posts: 3

hi mwiget;
thanks for your support for voucher auth.

I would like to ask few questions about it before using it.

1- does voucher accounts automatically reduces its time regardless of the usage ?
2- Does it have any bugs that you have spotted out ? Because it will be used in a production environment.
3- can i update the test image from 1.23 ?
thanks again
« Last Edit: April 21, 2007, 13:44:32 by doush » Logged
« Reply #2 on: April 22, 2007, 08:40:34 »
mwiget *
Posts: 38

on 1) as soon as a voucher is activated, it is timestamped and expires after the time allocated by the roll the voucher belongs to.

on 2) The 1.3 branch is beta, so there is a good chance of bugs, including vouchers. I strongly recommend testing it in your environment first. I personally run the voucher code on the older 1.2x branch in production. As we all want to move forward, voucher support got submitted into the beta 1.3x branch.

on 3) I haven't upgraded from 1.2 to 1.3 (which is FreeBSD 6.2 based), can't comment.

For production you might want to wait for a next official beta after 1.3b2.

regards, Marcel
« Reply #3 on: June 27, 2007, 12:46:35 »
taufan *
Posts: 1

Hi Mwiget,

Could I report to you some bugs that I encountered when using this version of m0n0?? via email maybe...
I still haven't got to the voucher part yet but been spending days banging my head to make the captive work normally...

Thanks for sunch of excellent work!!


Pages: [1]
Jump to:  

Powered by SMF 1.1.20 | SMF © 2013, Simple Machines