[ previous ] [ next ] [ threads ]
 
 From:  Marcel Wiget <mwiget at mac dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Voucher support in captive portal
 Date:  Mon, 26 Mar 2007 11:15:24 +0200
time to contribute back to the excellent m0n0wall and its community ...

Some time ago we were looking for a simple hotspot solution and found
m0n0wall. We didn't want to use a centralized RADIUS server but rather
have m0n0wall (WRAP platform) do the authentication based on vouchers
that are printed beforehand and handed out to customers.

So I added voucher handling support to m0n0wall. Test images for  
generic pc
and WRAP , based on the latest beta, 1.3b2, can be found at the
following URL:

http://homepage.mac.com/mwiget/FileSharing17.html

Patch has also been committed to the freebsd6 beta branch.

Quick Howto:

To enable, create and manage voucher support via captive portal,  
there is
a new Tab under Services->Captive Portal: Voucher.

Enable captive portal first, upload a landing page that contains an  
input field 'auth_voucher'. An example can be found on the the URL  
above.
Then enable Voucher support on the Voucher tab. Initially you can  
leave all
fields with its defaults. Every new install will create unique  
encryption
keys.
Now add at least one "Roll" by clicking '+' on the Vouchers page, right
to 'Voucher rolls': Specify a Roll Number, e.g. 0, how many vouchers  
that
roll shall contain, and how long each voucher allows network access.
Then generate the new vouchers by clicking on the paper logo right to  
the newly
added roll. This will generate a CSV file and download via your browser.

Each of these generated vouchers can now be used by users for the  
configured
amount of minutes for that roll. Note that as soon as a voucher has been
activated, its timer will run down to zero and then block access, no  
matter
if the session is idle or got disconnected due to logout or session  
termination.

To test the vouchers in the m0n0wall GUI, click on Status->Captive  
Portal. New
tabs, dedicated to voucher handling, show up when voucher support is  
enabled.
Click on status->captive portal-> Test Vouchers and enter one or more  
of the
newly generated vouchers from the downloaded CSV file and click submit.
A message will be shown with the validation and duration of each given
voucher.

One can add multiple rolls, e.g. to have vouchers with different time  
credit.
It is also possible, to enter multiple vouchers, separated by space,  
to gain
the sum of time credit of all entered vouchers.

There is more to it, read the comments to each config parameter on  
the voucher
page.

Note on the very short public/private RSA keys: I know, those can be  
cracked
easy and in no time, if one of the keys is known. The idea here was  
to make
it a little bit harder than simply adding a shared password into the  
m0n0wall
config file. Unfortunately I'm no expert on encryption but I assume  
with such
short encrypted vouchers, there is no security difference between the  
used
RSA keys and a symmetric encryption. Anyhow, all that encryption/ 
decryption
stuff is done in a newly added binary C program voucher.c, that is  
compiled and
added into the m0n0wall image, and can be modified to increase the  
usability
and security.

I'm sure there are bugs and issues with this new code, and I'll try  
my best
to work them out. Any feedback is welcome.

Best regards,

Marcel