Bug #14178
openCaptive Portal Pass-through MAC Auto Entry registering MAC address for unauthenticated users when using Pass-through credits
0%
Description
The Captive Portal "Pass-through MAC Auto Entry" feature is adding an Allowed Client MAC address registration for unauthenticated users, when the Captive Portal is configured for "Pass-through credits per MAC address". The net result is the user is not sent to the portal authentication page when their Pass Through Credits and timeouts expire.
High level Captive Portal Setup:- Hard Timeout: 1
- Pass-through credits per MAC address: 1
- Waiting period to restore pass-through credits. (Hours): 1
- Pass-through MAC Auto Entry: Checked/Enabled
- Authentication: Use authentication backend -> RADIUS
- When client fist attaches to the guest network they should see no login/portal prompt. They are can use network/internet until their pass-through credits expire. No MAC address is registered as the user not not yet unauthenticated with the backend.
- When pass-through credits expire, they are sent to the portal login page, and authenticate with the backend (RADIUS).
- On Successful authentication, the client's MAC address is registered as an allowed/Pass.
- The client can continue to use the network/internet and will not be prompted again.
- When client fist attaches to the guest network do not see the portal login prompt. They are can use network/internet.
- An allowed/Pass MAC address registration is created for the user, even though in the Captive Portal Authentication log they are noted as being unauthenticated.
- They see the login/portal prompt.
The description & documentation of the "Pass-through MAC Auto Entry" feature states "When enabled, a MAC passthrough entry is automatically added after the user has successfully authenticated". The emphasis being "after the user has successfully authenticated".
Summary: The "Pass-through MAC Auto Entry" should not create an Allowed MAC address registration for unauthenticated users. Being temporally allowed to use the portal with "Pass-through credits per MAC address" is not the same and being authenticated against a backend.
See screenshots showing Unauthenticated client log message, and the Auto added MAC address Pass record.
Note the portal works as expected, shows login/prompt pages and authenticates against RADIUS etc, when "Pass-through MAC Auto Entry" is not used.
This issues occurs on 22.05 & 23.01. I suspect it also affects 2.6 & 2.7.
Files