Captive portal for "LAN" users

I purchased a couple of GL.iNet MV1000 routers for my company and branch offices.
Now I want to set up a captive portal: when users want to open websites, they must input their own user account and password.
I tried nodogsplash with BinAuth and modified the script as below

#!/bin/sh
# Nodogsplash BinAuth script: $1 is the method, $2 the client MAC;
# for auth_client, $3 is the username and $4 the password.
METHOD="$1"
MAC="$2"

case "$METHOD" in
        auth_client)
                USERNAME="$3"
                PASSWORD="$4"
                if [ "$USERNAME" = "user1" ] && [ "$PASSWORD" = "password1" ]; then
                        # Allow staff to access the Internet for the global sessiontimeout interval.
                        # Further values are reserved for upload and download limits in bytes. 0 for no limit.
                        echo 0 0 0
                        exit 0
                elif [ "$USERNAME" = "user2" ] && [ "$PASSWORD" = "password2" ]; then
                        echo 0 0 0
                        exit 0
                elif [ "$USERNAME" = "user3" ] && [ "$PASSWORD" = "password3" ]; then
                        # Deny client access to the Internet.
                        exit 1
                fi
                # Unknown username or wrong password: deny.
                exit 1
                ;;
        client_auth|client_deauth|idle_deauth|timeout_deauth|ndsctl_auth|ndsctl_deauth|shutdown_deauth)
                # client_auth: Client authenticated via this script.
                # client_deauth: Client deauthenticated by the client via splash page.
                # idle_deauth: Client was deauthenticated because of inactivity.
                # timeout_deauth: Client was deauthenticated because the session timed out.
                # ndsctl_auth: Client was authenticated by the ndsctl tool.
                # ndsctl_deauth: Client was deauthenticated by the ndsctl tool.
                # shutdown_deauth: Client was deauthenticated by Nodogsplash terminating.
                ;;
esac
exit 0

and /etc/config/nodogsplash:

> config nodogsplash
>   option enabled 1
>   option fwhook_enabled '1'
>   option gatewayinterface 'br-lan'
>   option gatewayname 'OpenWrt Nodogsplash'
>   option maxclients '250'
>   option preauthidletimeout '30'
>   option authidletimeout '120'
>   option sessiontimeout '1200'
>   option checkinterval '600'
>   option preauth '/etc/nodogsplash/'
>   # Or for happy customers allow all
>   list authenticated_users 'allow all'
>   # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
>   list users_to_router 'allow tcp port 22'
>   list users_to_router 'allow tcp port 23'
>   list users_to_router 'allow tcp port 53'
>   list users_to_router 'allow udp port 53'
>   list users_to_router 'allow udp port 67'
>   list users_to_router 'allow tcp port 80'

> <!DOCTYPE html>
> <html>
> <head>
> <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate">
> <meta http-equiv="Pragma" content="no-cache">
> <meta http-equiv="Expires" content="0">
> <meta charset="utf-8">
> <meta name="viewport" content="width=device-width, initial-scale=1.0">
> <link rel="shortcut icon" href="/images/splash.jpg" type="image/x-icon">
> <link rel="stylesheet" type="text/css" href="/splash.css">
> <title>$gatewayname Hotspot Gateway.</title>
> </head>
> <body>
> <div class="offset">
> <med-blue>$gatewayname Hotspot Gateway.</med-blue>
> <div class="insert">
> <br>
> <img src="/images/splash.jpg" alt="Splash Page: For access to the Internet, please click Continue.">
> <hr>
> <big-red>Welcome!</big-red>
> <hr>
> <br>
> <italic-black>For access to the Internet, please tap or click Continue.</italic-black>
> <br><br>
> <hr>
> <form method="get" action="$authaction">
> <input type="hidden" name="tok" value="$tok">
> <input type="hidden" name="redir" value="$redir">
> <input type="submit" value="Continue">
> </form>
> <hr>
> <copy-right>Copyright &copy; The Nodogsplash Contributors 2004-2019.<br>This software is released under the GNU GPL license.</copy-right>
> </div></div>
> </body>
> </html>

After restarting the nodogsplash service, when users open any page they are redirected to splash.html and asked to input a username and password. That's great. BUT....

Users can input anything, pass the authentication and go to the Internet; the script looks like it does not work.
Did I misconfigure something?? Any suggestions?

Ain't you looking for a RADIUS server credential service?

Maybe, but I'd like to try some more "lightweight" service.
I think FreeRADIUS is just too powerful for what I want.

Not familiar with nodogsplash, but if a script is used for authentication,
then anything could be used for verifying the access:

from a flat file, via a light DB like SQLite, to a "proper" SQL DB like MySQL/MariaDB :wink:
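The flat-file variant this reply mentions, as an added example that is not from the thread or from the nodogsplash project: a BinAuth-style script that checks the submitted username and password against a file of salted SHA-256 hashes rather than plaintext passwords hard-coded in the script. The argument order ($1 method, $2 client MAC, $3 username, $4 password) is assumed from the script posted above; the users-file path and the two sample accounts are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): BinAuth-style credential check against a
# flat file of salted SHA-256 hashes instead of plaintext passwords in the script.
# Assumed argument order, as in the posted script: $1 method, $2 client MAC,
# $3 username, $4 password (the last two only for auth_client).

USERS_FILE="${USERS_FILE:-/tmp/nds_users.txt}"   # hypothetical path for the demo

# hash_password SALT PASSWORD: print the hex SHA-256 of "salt:password".
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# check_credentials USERNAME PASSWORD: return 0 if the pair is valid, 1 otherwise.
check_credentials() {
    # Reject empty names and names containing the field separator, so a crafted
    # username cannot match part of another record.
    case "$1" in *:*|"") return 1 ;; esac
    # Records are "username:salt:sha256hex"; exact match on the first field only.
    line=$(awk -F: -v u="$1" '$1 == u { print; exit }' "$USERS_FILE")
    [ -n "$line" ] || return 1
    salt=$(printf '%s' "$line" | cut -d: -f2)
    stored=$(printf '%s' "$line" | cut -d: -f3)
    [ "$(hash_password "$salt" "$2")" = "$stored" ]
}

# auth_client USERNAME PASSWORD: on success print "sessiontimeout upload download"
# (0 0 0 = global defaults, no limits) and return 0; otherwise return 1 to deny.
auth_client() {
    if check_credentials "$1" "$2"; then
        echo 0 0 0
        return 0
    fi
    return 1
}

# Constructed sample accounts for the demo; in deployment the file is generated
# offline with hash_password and installed read-only on the router.
if [ ! -s "$USERS_FILE" ]; then
    {
        echo "user1:s4lt1:$(hash_password s4lt1 password1)"
        echo "user2:s4lt2:$(hash_password s4lt2 password2)"
    } > "$USERS_FILE"
fi

# Dispatch only when nodogsplash invokes the script with a method argument.
case "${1:-}" in
    auth_client) auth_client "$3" "$4"; exit $? ;;
    *_auth|*_deauth) exit 0 ;;   # accounting hooks: nothing to do in this example
esac
```

With per-user salted hashes the file on the router no longer holds the credentials in clear, unlike the posted script, and adding or revoking a user is an edit to that file rather than to the script.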

Well, we at this forum are talking about the few people in the world that actually are changing the firmware in their routers.

“If it’s worth doing it is worth overdoing”

It must be

option binauth '/etc/nodogsplash/'

And you should see in the log

daemon.notice nodogsplash[]: Binauth is Enabled.
daemon.notice nodogsplash[]: Binauth Script is /etc/nodogsplash/

I'm pretty sure NoDogSplash BinAuth no longer works correctly, as from v5 onwards it is a stripped-down package, or at least that was the intention, but since the split to OpenNDS very little work has been done on NoDogSplash.
I would suggest you uninstall it and then install OpenNDS instead.
The default is a click-to-continue page very similar to NoDog's, but a single config option changes it to a username/email login.
It uses PreAuth instead of BinAuth, and it is a script that can be modified easily for any kind of login you like.
Go to OpenNDS on Github and ask for help if you need it.