Donny Ufoakses

  • View
    10

  • Download
    0

Embed Size (px)

Text of Donny Ufoakses

  • 5/27/2018 Donny Ufoakses

    1/27

    Hotspot CustomizationMikrotik User Meeting (MUM) Indonesia

    Bali, 13-14 June 2008

  • 5/27/2018 Donny Ufoakses

    2/27

    About Me Donny Fauzan

    Electrical Engineering Graduate

    Software Engineer (Mostly Web) since college

    Network Engineer (BSD, Linux & Mikrotik) since college

    Current jobs :

    PT.Pramindo Ikat (Telkom) Wireless Hotspot Network

    (Setting Mikrotik Hotspot with FreeRadius MySQL, developing

    HotspotManager for Radius) Ministry of Education Accounting (SAI) Network

    (Setting VPN+OSPF Network, developing client software.

    Training for UFOAKSES Indonesia

  • 5/27/2018 Donny Ufoakses

    3/27

    Agenda

    Introduction & basics

    Hotspot setup

    Hotspot Customization

    Q & A

  • 5/27/2018 Donny Ufoakses

    4/27

    Agenda

    Introduction & basics

    Hotspot setup

    Hotspot Customization

    Q & A

  • 5/27/2018 Donny Ufoakses

    5/27

    Introduction Hotspot : zero configuration User would not require any setup, everything is done

    automatically

    Hotspot components IP Address assignment (DHCP)

    DNS relay & cache

    NAT & Firewall

    Traffic shaping & QoSAAA (Authentication, Authorization, Accounting)

  • 5/27/2018 Donny Ufoakses

    6/27

    AAA AuthenticationCaptive portal User logs in via web interface (http cookie).

    Captive means jailed or prisoned. You can connect

    to the AP, but in very restrictive environment.

    Authorizationfirewall

    Walled garden

    NAT

    AccountingRADIUS

    Postpaid billing

    Voucher (prepaid)

  • 5/27/2018 Donny Ufoakses

    7/27

    Scenario User search for wireless network SSID User find the SSID, then connect without any wi-fi

    security (WEP, WPA, WPA2, etc)

    User starts browsing Captive portal will then be shown

    User enters his/her login information (user & password)

    Mikrotik will check the account supplied against local

    user table, and radius server supplied After the user is verified, the accounting process will be

    started. A pop up will be shown, contains connection

    status

  • 5/27/2018 Donny Ufoakses

    8/27

    Login Page or Captive Portal

  • 5/27/2018 Donny Ufoakses

    9/27

    Agenda

    Introduction & basics

    Hotspot setup

    Hotspot Customization

    Q & A

  • 5/27/2018 Donny Ufoakses

    10/27

    Step by Step (1) Prepare your wireless interface

    Mode : AP Bridge

    SSID : Any string (max. 32 chars)

    Band : 2.4 GHz (B/G or G-only)

    Frequency : better scan first Add wlan interface IP address

    Run hotspot wizard Interface : to run hotspot on

    Gateway address : the router hotspot interfaces IP address

    Address pool : for DHCP Certificate : for https login page

    SMTP server : for relaying mails to

    DNS server : for clients DNS resolves

    DNS name : DNS alias for your routers hotspot pages

    User : for testing purposes

  • 5/27/2018 Donny Ufoakses

    11/27

    Step by Step (2)

    Set your hotspot server

    Name : better rename it (ex : myhotspot)

    Set your server profile

    General > Name : better rename it (ex: myhotspot-profile) General > HTML Directory : may be different for multiple AP or

    VAP setups

    Login > Login By : set

    CHAP (encrypted password),

    Cookie (user sessions stored in browsers as cookies)

    HTTPS (in case using https login pagesrequires certificate)

    Radius : set

    Check Use Radius

    Check Accounting

  • 5/27/2018 Donny Ufoakses

    12/27

    Hotspot Setup Wizard

  • 5/27/2018 Donny Ufoakses

    13/27

    Server Profile

  • 5/27/2018 Donny Ufoakses

    14/27

    User Profile

  • 5/27/2018 Donny Ufoakses

    15/27

    Hotspot Servlet Pages

  • 5/27/2018 Donny Ufoakses

    16/27

    Agenda

    Introduction & basics

    Hotspot setup

    Hotspot Customization

    Q & A

  • 5/27/2018 Donny Ufoakses

    17/27

    Hotspot Customization Scenarios

    1. Hotspot with advertisements.

    2. Hotspot with walled garden.

    3. Limit user bandwidth (using local users table).

    4. Shared user5. Attach the hotspot to the UserManager

    6. Attach the hotspot to another Radius server

    7. Customize the captive portal, by adding simplechanges to login page and/or other servletpages.

    8. Centralize login page on a webserver

  • 5/27/2018 Donny Ufoakses

    18/27

    (1) Advertisements Advertisement feature could be enabled in user profiles(there is a default profile).

    Add another user profile or change the default one.

    Go to advertisement tab, and check Advertise Insert advertisement pages (for more, click down

    arrow)

    Set advertisement interval

    Example implementation : Ad-Supported FreeHotspot

  • 5/27/2018 Donny Ufoakses

    19/27

    (2) Walled Garden Walled garden : sites that are allowed to be accessedfrom the network without being authenticated.

    Can be set from Hotspot > Walled Garden tab

    Configuration : Set action (usually allow)

    Set the particular hotspot server (useful for VAP)

    Set src address to prohibit certain clients

    Set dst address to specify allowed/blocked sites by IP

    Set dst host to specify allowed/blocked sites by DNS

    Set the port

    Example implementation : Paid Hotspot with external

    webserver displaying subscription info

  • 5/27/2018 Donny Ufoakses

    20/27

    (3) Limit User Bandwidth (local) Limit user bandwidth, using mikrotik hotspot local userprofile.

    Can be set from Hotspot > Profile

    Configuration : General > Rate Limit (rx/tx)

    Example implementation : Free hotspot

  • 5/27/2018 Donny Ufoakses

    21/27

    (4) Shared Users One user name can be used more then once, for alimited number.

    Set the limit number of users from Hotspot > Profile

    When the shared-users limit for the user's profile isreached, one will have wait until someone with this

    username logs out, use different login name or extend

    the shared-users limit

    Configuration : General > Shared users (set the maximum limit)

    Example implementation : Limited guestuser name for

    a hotspot

  • 5/27/2018 Donny Ufoakses

    22/27

    (5) Use UserManager Download the usermanager package from mikrotik.com/download.html The User Manager package is included in the all package file named

    "Separate packages for Netinstall

    Upload the package to files, then reboot

    Enable the radius settings in the corresponding Server Profiles > Radius

    tab > Use Radius Add the userman as a radius server in Radius > New Radius Server

    Configuration (refer to refman2.9.pdfpage 395)

    For Radius client for information about the Services settings refer to refman

    Example setup for wireless hotspot authentication based on username (notMAC address which is unsecure) : check hotspot & login

    Set 127.0.0.1 for address if the userman resides in the AP Set Radius > incoming to enable the AP receiving and executing radius

    attributes & commands

    Go to http://routeraddress/userman

    Example implementation : Paid hotspot with prepaid or postpaid users

  • 5/27/2018 Donny Ufoakses

    23/27

    (6) Use other Radius Server Install Radius server if it hasnt been installed yet. Alternatives :

    FreeRADIUS, XTRadius, Steel-Belted Radius.

    Install the database (oracle, mysql, postgres, etc)

    Configure the radius

    Set the secret word Set the Mikrotiks dictionary in its dictionary directory.

    Set the database & prepaid script realms

    Install the dictionary for mikrotik. Look for it in :

    http://www.mikrotik.com/documentation/manual_2.9/dictionary.mik

    rotik

    Save in the corresponding directory. In freeradius-Fedora it will be:

    /usr/share/freeradius/dictionary.mikrotik

    Install the radius management software (or develop one ;))

  • 5/27/2018 Donny Ufoakses

    24/27

    (6) Use other Radius Server (contd) Add the radius server in Radius > New Radius Server

    Refer to refman2.9.pdfpage 395 about Radius client

    for information about the Services settings

    Configuration (refer to refman2.9.pdfpage 395) For Radius client for information about the Services settings

    refer to refman

    Example setup for wireless hotspot authentication based on

    username (not MAC address which is unsecure) : check

    hotspot & login Set the radius servers address & secret (equal to the server)

    Set Radius > incoming to enable the AP receiving and

    executing radius attributes & commands

  • 5/27/2018 Donny Ufoakses

    25/27

    (7) Simple Changes Look for them in Fileshotspot

    Download using copy-paste

    Change on your computer

    Re-upload to the router

  • 5/27/2018 Donny Ufoakses

    26/27

    (8) Centralize the Captive Portal Follow (7) steps

    Redirect the login page to your server, using simple

    javascript. Dont forget to include the servlet variables

    in the URI

    Show your own login page, with action=POST & url

    replaced by the corresponding servlet variable.

    You can also post to your server to be able to fetch

    some data, and then forward the POST to your AP

    router.

  • 5/27/2018 Donny Ufoakses

    27/27

    Agenda

    Introduction & basics

    Hotspot setup

    Hotspot Customization

    Q & A