5/27/2018 Donny Ufoakses
1/27
Hotspot Customization
Mikrotik User Meeting (MUM) Indonesia
Bali, 13-14 June 2008

About Me
Donny Fauzan
Electrical Engineering Graduate
Software Engineer (Mostly Web) since college
Network Engineer (BSD, Linux & Mikrotik) since college
Current jobs :
  PT. Pramindo Ikat (Telkom) Wireless Hotspot Network (Setting Mikrotik Hotspot with FreeRadius MySQL, developing HotspotManager for Radius)
  Ministry of Education Accounting (SAI) Network (Setting VPN+OSPF Network, developing client software)
  Training for UFOAKSES Indonesia
Agenda
Introduction & basics
Hotspot setup
Hotspot Customization
Q & A

Introduction
Hotspot : zero configuration
  User would not require any setup, everything is done automatically
Hotspot components
  IP Address assignment (DHCP)
  DNS relay & cache
  NAT & Firewall
  Traffic shaping & QoS
  AAA (Authentication, Authorization, Accounting)

AAA
Authentication
  Captive portal
  User logs in via web interface (HTTP cookie).
  Captive means jailed or imprisoned. You can connect to the AP, but in a very restrictive environment.
Authorization
  Firewall
  Walled garden
  NAT
Accounting
  RADIUS
  Postpaid billing
  Voucher (prepaid)

Scenario
User searches for the wireless network SSID
User finds the SSID, then connects without any Wi-Fi security (WEP, WPA, WPA2, etc.)
User starts browsing
Captive portal will then be shown
User enters his/her login information (user & password)
Mikrotik will check the account supplied against the local user table and the radius server supplied
After the user is verified, the accounting process will be started. A pop-up will be shown, containing the connection status
Login Page or Captive Portal

Step by Step (1)
Prepare your wireless interface
  Mode : AP Bridge
  SSID : Any string (max. 32 chars)
  Band : 2.4 GHz (B/G or G-only)
  Frequency : better scan first
Add wlan interface IP address
Run hotspot wizard
  Interface : to run hotspot on
  Gateway address : the router hotspot interface's IP address
  Address pool : for DHCP
  Certificate : for https login page
  SMTP server : for relaying mails to
  DNS server : for clients' DNS resolves
  DNS name : DNS alias for your router's hotspot pages
  User : for testing purposes

Step by Step (2)
Set your hotspot server
  Name : better rename it (ex : myhotspot)
Set your server profile
  General > Name : better rename it (ex: myhotspot-profile)
  General > HTML Directory : may be different for multiple AP or VAP setups
  Login > Login By : set
    CHAP (encrypted password),
    Cookie (user sessions stored in browsers as cookies)
    HTTPS (in case using https login pages; requires certificate)
  Radius : set
    Check Use Radius
    Check Accounting
Hotspot Setup Wizard
Server Profile
User Profile
Hotspot Servlet Pages
Hotspot Customization Scenarios
1. Hotspot with advertisements.
2. Hotspot with walled garden.
3. Limit user bandwidth (using local users table).
4. Shared user
5. Attach the hotspot to the UserManager
6. Attach the hotspot to another Radius server
7. Customize the captive portal, by adding simple changes to login page and/or other servlet pages.
8. Centralize login page on a webserver

(1) Advertisements
Advertisement feature could be enabled in user profiles (there is a default profile).
Add another user profile or change the default one.
Go to advertisement tab, and check Advertise
Insert advertisement pages (for more, click down arrow)
Set advertisement interval
Example implementation : Ad-Supported Free Hotspot

(2) Walled Garden
Walled garden : sites that are allowed to be accessed from the network without being authenticated.
Can be set from Hotspot > Walled Garden tab
Configuration :
  Set action (usually allow)
  Set the particular hotspot server (useful for VAP)
  Set src address to prohibit certain clients
  Set dst address to specify allowed/blocked sites by IP
  Set dst host to specify allowed/blocked sites by DNS
  Set the port
Example implementation : Paid Hotspot with external webserver displaying subscription info

(3) Limit User Bandwidth (local)
Limit user bandwidth, using Mikrotik hotspot local user profile.
Can be set from Hotspot > Profile
Configuration : General > Rate Limit (rx/tx)
Example implementation : Free hotspot

(4) Shared Users
One user name can be used more than once, for a limited number.
Set the limit number of users from Hotspot > Profile
When the shared-users limit for the user's profile is reached, one will have to wait until someone with this username logs out, use a different login name or extend the shared-users limit
Configuration : General > Shared users (set the maximum limit)
Example implementation : Limited guest user name for a hotspot

(5) Use UserManager
Download the usermanager package from mikrotik.com/download.html
  The User Manager package is included in the all package file named "Separate packages for Netinstall"
Upload the package to files, then reboot
Enable the radius settings in the corresponding Server Profiles > Radius tab > Use Radius
Add the userman as a radius server in Radius > New Radius Server
  Configuration (refer to refman2.9.pdf page 395)
  For information about the Radius client Services settings, refer to the refman
  Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure) : check hotspot & login
  Set 127.0.0.1 for address if the userman resides in the AP
Set Radius > incoming to enable the AP receiving and executing radius attributes & commands
Go to http://routeraddress/userman
Example implementation : Paid hotspot with prepaid or postpaid users

(6) Use other Radius Server
Install Radius server if it hasn't been installed yet. Alternatives : FreeRADIUS, XTRadius, Steel-Belted Radius.
Install the database (oracle, mysql, postgres, etc)
Configure the radius
  Set the secret word
  Set the Mikrotik's dictionary in its dictionary directory.
  Set the database & prepaid script realms
Install the dictionary for mikrotik. Look for it in :
  http://www.mikrotik.com/documentation/manual_2.9/dictionary.mikrotik
Save in the corresponding directory. In freeradius-Fedora it will be:
  /usr/share/freeradius/dictionary.mikrotik
Install the radius management software (or develop one ;))

(6) Use other Radius Server (contd)
Add the radius server in Radius > New Radius Server
  Refer to refman2.9.pdf page 395 about Radius client for information about the Services settings
Configuration (refer to refman2.9.pdf page 395)
  For information about the Radius client Services settings, refer to the refman
  Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure) : check hotspot & login
  Set the radius server's address & secret (equal to the server)
Set Radius > incoming to enable the AP receiving and executing radius attributes & commands

(7) Simple Changes
Look for them in Files > hotspot
Download using copy-paste
Change on your computer
Re-upload to the router

(8) Centralize the Captive Portal
Follow (7) steps
Redirect the login page to your server, using simple javascript. Don't forget to include the servlet variables in the URI
Show your own login page, with action=POST & url replaced by the corresponding servlet variable.
You can also post to your server to be able to fetch some data, and then forward the POST to your AP router.
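
The central login page in (8) receives the router's servlet variables as query parameters that the client can alter, so the server should validate them before using one as the form target. The following Node.js sketch is an added example, not part of the original slides; link-login-only, link-orig and mac are RouterOS hotspot servlet variables, while the host names, the /login path check and the function names are assumptions.

```javascript
// Added example: central login page handling for a Mikrotik hotspot redirect.
// ROUTER_HOSTS and every sample value are constructed for illustration.
const ROUTER_HOSTS = new Set(['hotspot.example.net']); // DNS name(s) of your hotspot routers

// HTML-escape untrusted text before placing it in markup.
function esc(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Router side: what the script in login.html builds. RouterOS substitutes the
// $(...) servlet variables into `vars` before the page reaches the browser.
function buildRedirect(portalBase, vars) {
  const u = new URL(portalBase);
  for (const k of ['link-login-only', 'link-orig', 'mac']) u.searchParams.set(k, vars[k] || '');
  return u.toString();
}

// Accept the form target only if it points at a known router's login servlet.
// Assumption: link-login-only has the form http(s)://<router>/login.
function validateLoginLink(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;           // no credentials in the URL
  if (!ROUTER_HOSTS.has(u.hostname)) return null;      // allowlist of routers
  if (u.pathname !== '/login') return null;
  return u.origin + u.pathname;                        // drop query and fragment
}

// Server side: render the central login form, or null when the request is rejected.
function renderLoginPage(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  const action = validateLoginLink(q.get('link-login-only') || '');
  if (!action) return null;
  return [
    `<form method="post" action="${esc(action)}">`,
    `  <input type="hidden" name="dst" value="${esc(q.get('link-orig') || '')}">`,
    '  <input name="username"> <input type="password" name="password">',
    '  <button>Log in</button>',
    '</form>',
    `<p>Device: ${esc(q.get('mac') || 'unknown')}</p>`,
  ].join('\n');
}
```

Without the allowlist, a crafted link to the portal could make the form post user credentials to an arbitrary host; without the escaping, the reflected parameters would be an injection point.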