
Captive Portal - Enforce Local Group Bug #1503

Closed
ghost opened this issue Mar 24, 2017 · 9 comments
Labels: cleanup (Low impact changes)

Comments

@ghost

ghost commented Mar 24, 2017

Hey guys,

my report is based on my German thread:
https://forum.opnsense.org/index.php?topic=4857.0

I had a few troubles building my Captive Portal until I realized the issue.
I created a group called "Captive Portal Internet" and put a few users into that group.
After that I configured it to be used by the "Enforce Local Group" option.
After troubleshooting for a while trying to find an answer why voucher codes were no longer accepted, I decided to just disable the option completely so that my voucher codes could be used as a valid tool again.
So in short:
Enable -> Enforce Local Group ->
vouchers can no longer be used by my Captive Portal template while the voucher server is still configured as "authenticate using".
Disable -> Enforce Local Group -> voucher codes can be used again without any problems.

Since voucher codes can not be added as a user or used for any group, they can't be added to the "Captive Portal Internet" group which I created in the first place.

Could anyone check if that's the case for everyone?

Best regards,
Oxy

@fichtner fichtner added the cleanup Low impact changes label Apr 12, 2017
@fichtner fichtner added this to the 17.7 milestone Apr 12, 2017
@AdSchellevis (Member)

@PitchBendStretch @fichtner it's not a bug, there's no way of knowing that a user (a voucher is also a user), can't have a local presentation. By default this setting should be "none" as in no enforcement (which at my end it seems to be the case).

@fichtner (Member)

shouldn't we at least make sure the local group can't be selected when vouchers are enabled?

@AdSchellevis (Member)

vouchers are authentication providers, just like the other providers, and you can have more zones.

@fichtner (Member)

While this is all true, this has potential for misconfiguration. The usual options are:

  • make a note somewhere
  • only evaluate the group restriction on local database users as it was likely designed for that purpose, not locking other authentication mechanism out

Option 2 has the benefit of not having to deal with more support cases in the future :)

@AdSchellevis (Member)

Option 1, LDAP users can also be synced.

@fichtner (Member)

Do you mean synced into the local database?

@AdSchellevis (Member)

Yes, conceptually you should be able to sync other sources as well.

@ghost (Author)

ghost commented Apr 12, 2017

Hey @AdSchellevis and @fichtner,
I now understand why I had so many problems, but still..
At least for me it was odd behaviour, since I wanted and still want to use both, as in "every active voucher is automatically part of the local enforcement group + the local database users I created in the first place" are all valid users for authorization.
I can fully understand that this may not be wanted from your point of view and that's perfectly fine, but as @fichtner already said, it may be a good idea to just give a little hint that by activating the local enforcement group the voucher database can no longer be used for authorization purposes.
I don't think I would be the only or last one walking into that little trap. :)

@AdSchellevis (Member)

I agree a note would certainly help here, will do so asap and close the issue.

The problem is that there is no solution which won't let someone expect other behaviour at some point in time. For example, if someone uses LDAP and synchronises particular users, he/she probably expects the rest of the LDAP users in the same group not to be allowed.
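To make the trade-off discussed above concrete, here is an added model (not OPNsense's code) of the two enforcement policies: the current one, where a configured group must be found on a local user record whatever provider authenticated the session, and fichtner's option 2, where the group restriction is only evaluated for local database logins. The user names, group name and provider labels are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed local user database: user name -> local group memberships.
# "carol" stands for an LDAP user that was synced into the local database.
LOCAL_USERS = {
    "alice": {"Captive Portal Internet"},
    "bob": set(),
    "carol": {"Captive Portal Internet"},
}


@dataclass
class AuthResult:
    """Outcome of the 'authenticate using' step: who logged in and through which provider."""
    user: str
    provider: str  # "local", "voucher" or "ldap" (labels are an assumption)


def in_local_group(user: str, group: str) -> bool:
    """A voucher or an unsynced LDAP user has no local record, so this is False for them."""
    return group in LOCAL_USERS.get(user, set())


def enforce_current(auth: AuthResult, group: Optional[str]) -> bool:
    """Behaviour described in the thread: with a group set, every authenticated
    user must have a local record that is a member of that group."""
    if group is None:
        return True  # "none": no enforcement
    return in_local_group(auth.user, group)


def enforce_local_only(auth: AuthResult, group: Optional[str]) -> bool:
    """fichtner's option 2: apply the group restriction to local database users only."""
    if group is None or auth.provider != "local":
        return True
    return in_local_group(auth.user, group)


def decide(policy, group: Optional[str], logins: list[AuthResult]) -> dict[str, bool]:
    """Run one policy over a batch of logins; returns user -> allowed."""
    return {a.user: policy(a, group) for a in logins}


# Constructed logins: a local group member, a local non-member, a voucher,
# a synced LDAP user and an unsynced LDAP user in the same LDAP group.
LOGINS = [
    AuthResult("alice", "local"), AuthResult("bob", "local"),
    AuthResult("ABCD-1234", "voucher"), AuthResult("carol", "ldap"),
    AuthResult("dave", "ldap"),
]
```

With the group set, `enforce_current` rejects the voucher and the unsynced LDAP user (the lockout reported here), while `enforce_local_only` admits both, which is exactly the case AdSchellevis describes where an admin expected the unsynced LDAP user to be kept out.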

fichtner pushed a commit that referenced this issue Apr 13, 2017