Project

General

Profile

Actions

Feature #15904

open

Built-in Captive Portal Support for RFC8910, DHCP option 114 in Kea.

Added by Dale Harron 16 days ago. Updated 4 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
DHCP (IPv4)
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

Add an option in Kea to automatically support RFC8910, DHCP Option 114 through a GUI option for all Captive Portals. This DHCP 114 option is now a default option in KEA, "v4-captive-portal". This would take the form of a simple checkbox (something like "send DHCP114 default string for Captive Portals") that would enable index.php to send the required JSON information for the Device to load the Captive Portal Logon, Logout page as applicable if this box was checked in Kea Setup GUI. There is also a Vendor URL option in RFC8910 that should default to the logout page for the "automatic" checkbox.

I assume Kea will be supporting the entry of string(s) for both logon and vendor url and this is an option to simplify support for the captive portal on smart phones. The JSON simply contains the login url and for the "Captive Portal Page" in iOS it is the logout page or a custom page if desired.

Currently all iOS and many smart devices can not log into the captive portal because they do not support html until after they have internet access. Internet access can only be obtained by launching the login page within the internal temporary browser which obtains the URL from the JSDON string values sent in DHCP option 114. They also do not permit an https:// url until internet access is provided. The only option for them to work with captive portal is through RFC8910 and it can be complex for many pfSense users to understand. This would simplify Captive Portal and make it work with all devices. Thus, it is a logical upgrade.

I have attached a file from the user support forum that implements this currently with ISC (and KEA thru Redmine #15321 for Plus 24.11) and is commonly used to solve this problem. It is derived from index.php which has changed for Plus 24.11 and this implementation would ensure compatibility with future releases of pfSense as index.php evolves over time.


Files

RFC8910-w-allowed-MAC-IP-fix.php (2.74 KB) RFC8910-w-allowed-MAC-IP-fix.php RFC8910 implementation CE 2.7.2 and later. Dale Harron, 12/05/2024 10:48 PM
RFC8910-Dec10.php (3.79 KB) RFC8910-Dec10.php Check MAC instead of IP to verify T/F in RFC8910 JSON Dale Harron, 12/11/2024 10:36 AM
index-2411-Dec10.php (21.5 KB) index-2411-Dec10.php associate MAC instead of IP for CP database verification Dale Harron, 12/11/2024 10:36 AM
index-2411-Dec11.php (21.5 KB) index-2411-Dec11.php Dale Harron, 12/12/2024 12:54 AM
index-2411-Dec11.php (21.5 KB) index-2411-Dec11.php Dale Harron, 12/12/2024 12:55 AM
RFC8910-Dec11.php (3.86 KB) RFC8910-Dec11.php Dale Harron, 12/12/2024 11:09 AM
index-2411-Dec17.php (19.8 KB) index-2411-Dec17.php Dale Harron, 12/17/2024 11:10 AM
Actions #1

Updated by Dale Harron 10 days ago

Support for Kea requires handling the Reclamation and reassignment of IPs which has changed dramatically from that implemented in the ISC DHCP server. Captive Portal tracks authentication by checking IPs when in actual fact the Captive portal authorization is associated with the MAC address, not the IP. This is an issue with Kea as the IP of authenticated users can change "over a lunch break" and when the device returns, it's IP may have been reassigned. Thus, RFC8910 DHCP option 114 support ("v4-captive-portal") must check the MAC address against the Captive Portal database and index.php in Captive Portal must re-associate the current IP with the already authorized MAC to avoid confusion when the IP address is checked by the Captive Portal code within pfSense.

To demonstrate one possible approach, I have attached a copy of a bench test file for both RFC8910.php and index.php that demonstrates how this might be achieved. These files are intended for use on pfSense 24.11 Plus (Stable) with Kea enabled and utilizing the patch from Redmine #15321 (https://redmine.pfsense.org/issues/15321) to support Smart devices through RFC8910, DHCP 114.

Actions #3

Updated by Dale Harron 10 days ago

I see in the index-Dec10.php file that there is a stupid commenting error, you have to remove the /*... */ from lines 153 and line 180 or it will give a crash report. I must have broken a “mixed comment symbols” rule.

Actions #4

Updated by Dale Harron 9 days ago

In order to fully support the assumption that it is the MAC address that authorizes the device through the captive portal, it was necessary to call index.php through the DHCP 114 JSON if the IPs didn't match, even if the MACs do match. This will result in the device being redirected to the logout screen in the temp browser on an iPhone for example if the IP has changed since their last connection.

A revised RFC8910.php file is attached that implements this as well.

Actions #5

Updated by Dale Harron 4 days ago

Improved comments and removed test code from index.php Dec 17, 2024

Actions

Also available in: Atom PDF