Donny Ufoakses


  • Hotspot Customization

    Mikrotik User Meeting (MUM) Indonesia

    Bali, 13-14 June 2008

  • About Me

    Donny Fauzan

    Electrical Engineering Graduate

    Software Engineer (mostly web) since college

    Network Engineer (BSD, Linux & Mikrotik) since college

    Current jobs:

    PT. Pramindo Ikat (Telkom) Wireless Hotspot Network (setting up Mikrotik Hotspot with FreeRADIUS and MySQL, developing HotspotManager for RADIUS)

    Ministry of Education Accounting (SAI) Network (setting up a VPN+OSPF network, developing client software)

    Training for UFOAKSES Indonesia

  • Agenda

    Introduction & basics

    Hotspot setup

    Hotspot Customization

    Q & A

  • Introduction

    Hotspot: zero configuration. Users do not need to set anything up; everything is done automatically.

    Hotspot components:

    IP address assignment (DHCP)

    DNS relay & cache

    NAT & firewall

    Traffic shaping & QoS

    AAA (Authentication, Authorization, Accounting)

  • AAA

    Authentication: captive portal. The user logs in via a web interface (HTTP cookie). "Captive" means jailed or imprisoned: you can connect to the AP, but only in a very restrictive environment.

    Authorization: firewall, walled garden, NAT

    Accounting: RADIUS, postpaid billing, voucher (prepaid)

  • Scenario

    User searches for the wireless network SSID.

    User finds the SSID, then connects without any Wi-Fi security (WEP, WPA, WPA2, etc.).

    User starts browsing.

    The captive portal is then shown.

    User enters his/her login information (username & password).

    Mikrotik checks the supplied account against the local user table and the configured RADIUS server.

    After the user is verified, the accounting process starts. A pop-up containing the connection status is shown.

  • Login Page or Captive Portal

  • Step by Step (1)

    Prepare your wireless interface:

    Mode: AP Bridge

    SSID: any string (max. 32 chars)

    Band: 2.4 GHz (B/G or G-only)

    Frequency: better scan first

    Add the wlan interface IP address.

    Run the hotspot wizard:

    Interface: the interface to run the hotspot on

    Gateway address: the router's hotspot interface IP address

    Address pool: for DHCP

    Certificate: for the HTTPS login page

    SMTP server: for relaying mails to

    DNS server: for clients' DNS resolution

    DNS name: DNS alias for your router's hotspot pages

    User: for testing purposes

  • Step by Step (2)

    Set your hotspot server:

    Name: better rename it (e.g. myhotspot)

    Set your server profile:

    General > Name: better rename it (e.g. myhotspot-profile)

    General > HTML Directory: may differ for multiple AP or VAP setups

    Login > Login By: set CHAP (encrypted password), Cookie (user sessions stored in the browser as cookies), HTTPS (if using an HTTPS login page; requires a certificate)

    Radius: check Use Radius, check Accounting

  • Hotspot Setup Wizard

  • Server Profile

  • User Profile

  • Hotspot Servlet Pages

  • Hotspot Customization Scenarios

    Hotspot with advertisements.

    Hotspot with walled garden.

    Limit user bandwidth (using the local users table).

    Shared user.

    Attach the hotspot to the UserManager.

    Attach the hotspot to another RADIUS server.

    Customize the captive portal by adding simple changes to the login page and/or other servlet pages.

    Centralize the login page on a web server.

  • (1) Advertisements

    The advertisement feature can be enabled in user profiles (there is a default profile). Add another user profile or change the default one.

    Go to the Advertisement tab and check Advertise.

    Insert advertisement pages (for more, click the down arrow).

    Set the advertisement interval.

    Example implementation: ad-supported free hotspot

  • (2) Walled Garden

    Walled garden: sites that may be accessed from the network without being authenticated.

    Can be set from the Hotspot > Walled Garden tab.

    Configuration:

    Set action (usually allow)

    Set the particular hotspot server (useful for VAP)

    Set src address to prohibit certain clients

    Set dst address to specify allowed/blocked sites by IP

    Set dst host to specify allowed/blocked sites by DNS name

    Set the port

    Example implementation: paid hotspot with an external web server displaying subscription info

  • (3) Limit User Bandwidth (local)

    Limit user bandwidth using the Mikrotik hotspot local user profile.

    Can be set from Hotspot > Profile.

    Configuration: General > Rate Limit (rx/tx)

    Example implementation: free hotspot

  • (4) Shared Users

    One user name can be used more than once, up to a limited number. Set the number of users from Hotspot > Profile.

    When the shared-users limit for the user's profile is reached, one will have to wait until someone with this username logs out, use a different login name, or extend the shared-users limit.

    Configuration: General > Shared Users (set the maximum limit)

    Example implementation: limited guest user name for a hotspot

  • (5) Use UserManager

    Download the usermanager package from mikrotik.com/download.html. The User Manager package is included in the all-packages file named "Separate packages for Netinstall".

    Upload the package to Files, then reboot.

    Enable the RADIUS settings in the corresponding Server Profile > Radius tab > Use Radius.

    Add the userman as a RADIUS server in Radius > New Radius Server. Configuration: refer to refman2.9.pdf page 395; for information about the Services settings of the RADIUS client, refer to refman.

    Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure): check hotspot & login.

    Set 127.0.0.1 as the address if the userman resides in the AP.

    Set Radius > Incoming to enable the AP receiving and executing RADIUS attributes & commands.

    Go to http://routeraddress/userman

    Example implementation: paid hotspot with prepaid or postpaid users

  • (6) Use other Radius Server

    Install a RADIUS server if it hasn't been installed yet. Alternatives: FreeRADIUS, XTRadius, Steel-Belted Radius.

    Install the database (Oracle, MySQL, PostgreSQL, etc.).

    Configure the RADIUS server:

    Set the secret word

    Set the Mikrotik dictionary in its dictionary directory

    Set the database & prepaid script realms

    Install the dictionary for Mikrotik. Look for it at: http://www.mikrotik.com/documentation/manual_2.9/dictionary.mikrotik

    Save it in the corresponding directory. In FreeRADIUS on Fedora it will be: /usr/share/freeradius/dictionary.mikrotik

    Install the RADIUS management software (or develop one ;))

  • (6) Use other Radius Server (contd)

    Add the RADIUS server in Radius > New Radius Server.

    Configuration: refer to refman2.9.pdf page 395; for information about the Services settings of the RADIUS client, refer to refman.

    Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure): check hotspot & login.

    Set the RADIUS server's address & secret (equal to the server's).

    Set Radius > Incoming to enable the AP receiving and executing RADIUS attributes & commands.

  • (7) Simple Changes

    Look for the servlet pages in Files > hotspot.

    Download them using copy-paste.

    Change them on your computer.

    Re-upload them to the router.

  • (8) Centralize the Captive Portal

    Follow the steps in (7).

    Redirect the login page to your server using simple JavaScript. Don't forget to include the servlet variables in the URI.

    Show your own login page, with action=POST & url replaced by the corresponding servlet variable.

    You can also post to your server to be able to fetch some data, and then forward the POST to your AP router.
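The redirect and the return form described in these steps, as an added example that is not from the original slides: the router-side helper builds the redirect URI from the hotspot servlet variables (`$(link-login-only)`, `$(link-orig)`, `$(chap-id)`, `$(chap-challenge)` and `$(error)` are RouterOS HotSpot variable names), and the portal-side helper builds the login form that posts back to the hotspot, but only after checking that the target host is one of your own hotspots, since that URL arrives from the query string. portal.example.com and the 10.5.50.1 hotspot address are placeholders.

```javascript
// Added example (not part of the original slides): the two halves of a
// centralized captive portal for a RouterOS HotSpot. $(link-login-only),
// $(link-orig), $(chap-id), $(chap-challenge) and $(error) are real HotSpot
// servlet variables; portal.example.com and the hotspot address are placeholders.

// Router side. After RouterOS substitutes the $(...) variables in login.html,
// the page builds this URL and calls location.replace() on it.
function buildRedirectUrl(portalBase, servletVars) {
  const url = new URL(portalBase);
  for (const [name, value] of Object.entries(servletVars)) {
    if (value) url.searchParams.set(name, value); // percent-encodes & / ? etc.
  }
  return url.toString();
}

// Portal side. Only ever post the user's credentials back to a hotspot we run:
// the login URL arrives in the query string, so a crafted link could otherwise
// point the form at a third party.
function buildPortalForm(requestUrl, allowedHotspotHosts) {
  const q = new URL(requestUrl, "https://portal.example.com/").searchParams;
  const loginOnly = q.get("link-login-only");
  if (!loginOnly) throw new Error("missing link-login-only");
  const action = new URL(loginOnly);
  if (!allowedHotspotHosts.includes(action.hostname)) {
    throw new Error("refusing to post credentials to " + action.hostname);
  }
  const esc = (s) => String(s).replace(/[&<>"']/g,
    (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
  // dst = the page the user originally asked for; chap-id/chap-challenge are
  // forwarded so the browser can compute hexMD5(chap-id + password + chap-challenge)
  // exactly as the stock login.html does when Login By = CHAP.
  const fields = {
    action: action.toString(),
    dst: q.get("link-orig") || "",
    chapId: q.get("chap-id") || "",
    chapChallenge: q.get("chap-challenge") || "",
    error: q.get("error") || "",
  };
  fields.html =
    `<form name="login" method="post" action="${esc(fields.action)}">` +
    `<input type="hidden" name="dst" value="${esc(fields.dst)}">` +
    `<input type="hidden" name="popup" value="true">` +
    `<input name="username"><input type="password" name="password">` +
    `<input type="submit" value="OK"></form>`;
  return fields;
}
```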
