Netgate Documentation

latest

Need professional assistance? We offer several levels of support to meet your needs. Sign Up
Now.

 General Information

 Releases

 Installing and Upgrading

 Product Manuals

 Hardware

 Configuration and WebGUI

 Backup and Restore

 Interfaces

 802.11 Wireless

 Cellular Wireless

 Routing and Multi-WAN

 Firewall

 Network Address Translation

 Traffic Shaper

 Certificate Management

 User Management

 Services
o Complex Services
 Captive Portal
 Captive Portal
 Captive Portal Status
 Authenticating Captive Portal Users with Vouchers
 Captive Portal Authentication Logs
 Authenticating Captive Portal Users with FreeRADIUS
 Configuring a Pre-authentication Redirect for Captive Portal Users
 Troubleshooting Captive Portal
 DHCP
 DNS
 Server Load Balancing
o Simple Services
 DHCP

 DNS

 Captive Portal
o Captive Portal
o Captive Portal Status
o Authenticating Captive Portal Users with Vouchers
 Setting Up Vouchers
 Voucher Status/Management
 Portal Page
 Troubleshooting
o Captive Portal Authentication Logs
o Authenticating Captive Portal Users with FreeRADIUS
o Configuring a Pre-authentication Redirect for Captive Portal Users
o Troubleshooting Captive Portal
 Server Load Balancing

 High Availability

 System Monitoring

 Virtualization

 VPN

 Troubleshooting

 Packages

 Cache / Proxy

 IDS / IPS

 Development

REFERENCES
 References
Netgate Documentation

 Docs »

 pfSense »

 Services »

 Captive Portal »

 Authenticating Captive Portal Users with Vouchers

Authenticating Captive Portal Users with
Vouchers
The Voucher functionality of Captive Portal generates codes that can be used to gain Internet
access through the Captive Portal. Each roll of vouchers is generated with a specific time
limit. This is commonly used where authenticated time-limited Internet access is desired,
without needing to provide a username and password to users. Common uses for Vouchers
include Coffee shops, Hotels, Airports, and other similar places.

Users enter their voucher code in the portal page and are granted access for as long as the
voucher is valid. Voucher time does not stop counting down if a user logs out; the voucher is
only valid from the start of the session for the duration of the voucher length. Some
companies have integrated the exported voucher lists into their point of sale applications to
print a voucher on customer receipts.

To use vouchers, a custom portal page must be used that submits the voucher
as auth_voucher.

Setting Up Vouchers

The voucher system creates and verifies vouchers based on public/private key and
configuration settings.

RSA Keys
Before the program can be used, a public/private RSA key pair must be generated. A set is
generated automatically the first time the page is visited that is 32-bits in length, but a new
pair may be manually generated if desired. The maximum key length supported is 64 Bits.
Using shorter keys will make the generated vouchers shorter but eventually less secure.

Generate Larger Keys

To generate a valid RSA key pair using 64 Bits, run the following from the shell on console
or ssh:

$ openssl genrsa 64 > key64.private

$ openssl rsa -pubout < key64.private >key64.public
Then use the contents of the resulting files to paste into those fields.
Character Set
The character set defines the valid characters for voucher text. The set is case sensitive and
should contain printable characters (numbers, lower case and upper case letters) that are hard
to confuse with others. For example, avoid 0 (Digit zero), O (Letter O), and l (Lowercase L),
1 (Digit One). It cannot contain a space, double quote, or comma.

Voucher Fields
The following fields control how the vouchers themselves are generated. Leaving these
values at their defaults is recommended but they may be adjusted as needed. The total of all
these fields must be less than the RSA key size. For example, the default values are 16, 10,
and 5. The sum of these is 31, which is one less than 32.

 Number of Roll Bits: Number of Bits used to store the Roll Id. Set this larger if many
rolls will be active at the same time. Can be from 1-31.

 Number of Ticket Bits: Number of Bits used to store the Ticket Id. Set this larger if
each roll will have a large number of vouchers. Can be from 1-16.

 Number of Checksum Bits:Reserves a range in each voucher to store a simple

checksum over Roll# and Ticket#. Allowed range is 0-31.
Magic Number
The Magic Number is stored in every voucher and verified during voucher check. Size
depends on how many bits are left by Roll+Ticket+Checksum bits. If all bits are used, no
magic number will be used and checked.

Output Example
The following list contains sample voucher codes generated by pfSense:

6UVeTS6II68
kGZ38iBgyx4
gWUhfyvWo43
kiViNq31p7b
jLzSQuZMPJa
The generated vouchers will be different due to the generated RSA key pair, even if the same
config file is used.

Voucher Status/Management

Active vouchers, roll statistics, testing, and expiration of vouchers may all be performed on
the Captive Portal Statuspage for the zone.
 Testing
To test the vouchers, go to Status > Captive Portal, select the zone, and visit the Test
Vouchers tab. See Captive Portal Status.

Portal Page

The portal page must include the following field to accept the voucher code:

Troubleshooting

 User is online after voucher expires

 The session timeout must be enabled in order to allow the voucher session to
expire and deactivate.
Next Previous
Documentation Feedback

For assistance in solving software problems, please post your question on the Netgate Forum.
If you see anything that's wrong or missing with the documentation, please suggest an edit by
using the feedback button in the upper right corner so it can be improved.

© Copyright 2002 - 2019 Rubicon Communications LLC | Privacy Policy

Built with Sphinx using a theme provided by Read the Docs.