Donny Ufoakses


  • 5/27/2018 Donny Ufoakses

    1/27

Hotspot Customization
Mikrotik User Meeting (MUM) Indonesia
Bali, 13-14 June 2008


About Me
Donny Fauzan
Electrical Engineering Graduate
Software Engineer (mostly web) since college
Network Engineer (BSD, Linux & Mikrotik) since college
Current jobs:
PT. Pramindo Ikat (Telkom) Wireless Hotspot Network (setting up Mikrotik Hotspot with FreeRadius and MySQL, developing HotspotManager for Radius)
Ministry of Education Accounting (SAI) Network (setting up a VPN+OSPF network, developing client software)
Training for UFOAKSES Indonesia


Agenda
Introduction & basics
Hotspot setup
Hotspot Customization
Q & A



Introduction
Hotspot: zero configuration. The user does not need any setup; everything is done automatically.
Hotspot components:
IP address assignment (DHCP)
DNS relay & cache
NAT & firewall
Traffic shaping & QoS
AAA (Authentication, Authorization, Accounting)


AAA
Authentication: captive portal. The user logs in via a web interface (HTTP cookie). Captive means jailed or imprisoned: you can connect to the AP, but in a very restrictive environment.
Authorization: firewall, walled garden, NAT
Accounting: RADIUS, postpaid billing, voucher (prepaid)


Scenario
The user searches for a wireless network SSID.
The user finds the SSID, then connects without any Wi-Fi security (WEP, WPA, WPA2, etc.).
The user starts browsing; the captive portal is then shown.
The user enters his/her login information (user & password).
Mikrotik checks the supplied account against the local user table and against the configured RADIUS server.
After the user is verified, the accounting process is started. A pop-up is shown containing the connection status.


Login Page or Captive Portal



Step by Step (1)
Prepare your wireless interface:
Mode: AP Bridge
SSID: any string (max. 32 chars)
Band: 2.4 GHz (B/G or G-only)
Frequency: better scan first
Add the wlan interface IP address.
Run the hotspot wizard:
Interface: the interface to run the hotspot on
Gateway address: the router's IP address on the hotspot interface
Address pool: for DHCP
Certificate: for the HTTPS login page
SMTP server: for relaying mails to
DNS server: for the clients' DNS resolution
DNS name: DNS alias for your router's hotspot pages
User: for testing purposes


Step by Step (2)
Set your hotspot server:
Name: better rename it (ex: myhotspot)
Set your server profile:
General > Name: better rename it (ex: myhotspot-profile)
General > HTML Directory: may be different for multiple AP or VAP setups
Login > Login By: set
CHAP (encrypted password),
Cookie (user sessions stored in browsers as cookies),
HTTPS (in case of using HTTPS login pages; requires a certificate)
Radius: set
Check Use Radius
Check Accounting


Hotspot Setup Wizard


Server Profile


User Profile


Hotspot Servlet Pages



Hotspot Customization Scenarios
1. Hotspot with advertisements.
2. Hotspot with walled garden.
3. Limit user bandwidth (using the local users table).
4. Shared users.
5. Attach the hotspot to the UserManager.
6. Attach the hotspot to another Radius server.
7. Customize the captive portal, by adding simple changes to the login page and/or other servlet pages.
8. Centralize the login page on a webserver.


(1) Advertisements
The advertisement feature can be enabled in user profiles (there is a default profile).
Add another user profile or change the default one.
Go to the Advertisement tab, and check Advertise.
Insert advertisement pages (for more, click the down arrow).
Set the advertisement interval.
Example implementation: ad-supported free hotspot


(2) Walled Garden
Walled garden: sites that are allowed to be accessed from the network without being authenticated.
Can be set from the Hotspot > Walled Garden tab.
Configuration:
Set action (usually allow)
Set the particular hotspot server (useful for VAP)
Set src address to prohibit certain clients
Set dst address to specify allowed/blocked sites by IP
Set dst host to specify allowed/blocked sites by DNS name
Set the port
Example implementation: paid hotspot with an external webserver displaying subscription info
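The walled-garden fields listed above (action, server, src address, dst address, dst host, port) behave like an ordered firewall rule list in front of the captive portal. The following is an added example, not code from the slides or from MikroTik: a small Node.js model of that decision, with first-match semantics, wildcard dst-host patterns and an audit helper that flags entries which would let unauthenticated clients reach every site. The field names, the first-match rule and the sample entries are assumptions made for this model, not a description of RouterOS internals.

```javascript
// Added example: simplified model of walled-garden authorization in front of a
// captive portal. Unauthenticated clients only reach destinations that an
// "allow" entry matches; a "deny" entry, or no match, sends them to the login page.
// Field names and first-match ordering are assumptions of this model.

// Turn a dst-host pattern such as "*.example-billing.test" into an anchored RegExp.
function hostPattern(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$', 'i');
}

// True when one entry matches the request; a field absent from the entry is a wildcard.
function entryMatches(entry, request) {
  if (entry.server && entry.server !== request.server) return false;
  if (entry.srcAddress && entry.srcAddress !== request.srcAddress) return false;
  if (entry.dstAddress && entry.dstAddress !== request.dstAddress) return false;
  if (entry.dstHost && !hostPattern(entry.dstHost).test(request.dstHost || '')) return false;
  if (entry.dstPort && entry.dstPort !== request.dstPort) return false;
  return true;
}

// Decide the fate of one request: 'allow' (passes) or 'login' (captive portal).
// Entries are evaluated in order and the first match wins.
function decide(client, request, walledGarden) {
  if (client.authenticated) return 'allow'; // authorized users bypass the garden entirely
  for (const entry of walledGarden) {
    if (entryMatches(entry, request)) return entry.action === 'allow' ? 'allow' : 'login';
  }
  return 'login';
}

// Configuration audit: an allow entry with no dst address and a dst host of "*"
// (or none) opens every destination without login, defeating the portal.
function findOverbroadEntries(walledGarden) {
  return walledGarden.filter(
    (e) => e.action === 'allow' && !e.dstAddress && (!e.dstHost || e.dstHost === '*'),
  );
}

// Constructed sample entries (not from any real deployment).
const sampleGarden = [
  { action: 'deny', srcAddress: '10.5.50.99' },                                    // prohibit one client
  { action: 'allow', server: 'myhotspot', dstHost: '*.example-billing.test', dstPort: 443 },
  { action: 'allow', dstAddress: '192.0.2.10', dstPort: 80 },                       // subscription-info server
];

// Run a few constructed requests through the model and return the decisions.
function runSamples() {
  const guest = { authenticated: false };
  const base = { server: 'myhotspot', srcAddress: '10.5.50.20' };
  return {
    billingSite: decide(guest, { ...base, dstHost: 'pay.example-billing.test', dstPort: 443 }, sampleGarden),
    lookalike: decide(guest, { ...base, dstHost: 'pay.example-billing.test.other', dstPort: 443 }, sampleGarden),
    bareDomain: decide(guest, { ...base, dstHost: 'example-billing.test', dstPort: 443 }, sampleGarden),
    infoServer: decide(guest, { ...base, dstAddress: '192.0.2.10', dstPort: 80 }, sampleGarden),
    infoServerTls: decide(guest, { ...base, dstAddress: '192.0.2.10', dstPort: 443 }, sampleGarden),
    prohibitedClient: decide(guest, { ...base, srcAddress: '10.5.50.99', dstHost: 'pay.example-billing.test', dstPort: 443 }, sampleGarden),
    loggedIn: decide({ authenticated: true }, { ...base, dstHost: 'anything.test', dstPort: 80 }, sampleGarden),
    overbroad: findOverbroadEntries(sampleGarden).length,
  };
}

console.log(runSamples());
```

Two points the sample shows: the pattern is anchored, so `*.example-billing.test` does not match a look-alike host that merely starts with the allowed name, and it does not match the bare domain either, so a real deployment usually needs both `example-billing.test` and `*.example-billing.test` entries. The audit helper is the check to run after editing the garden; a single `*` entry silently turns a paid hotspot into an open one.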


(3) Limit User Bandwidth (local)
Limit user bandwidth using the Mikrotik hotspot local user profile.
Can be set from Hotspot > Profile.
Configuration: General > Rate Limit (rx/tx)
Example implementation: free hotspot


(4) Shared Users
One user name can be used more than once, up to a limited number.
Set the limit on the number of users from Hotspot > Profile.
When the shared-users limit for the user's profile is reached, one will have to wait until someone with this username logs out, use a different login name, or extend the shared-users limit.
Configuration: General > Shared users (set the maximum limit)
Example implementation: limited guest user name for a hotspot


(5) Use UserManager
Download the usermanager package from mikrotik.com/download.html. The User Manager package is included in the all-packages file named "Separate packages for Netinstall".
Upload the package to Files, then reboot.
Enable the radius settings in the corresponding Server Profiles > Radius tab > Use Radius.
Add the userman as a radius server in Radius > New Radius Server.
Configuration (refer to refman2.9.pdf, page 395, Radius client, for information about the Services settings):
Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure): check hotspot & login.
Set 127.0.0.1 as the address if the userman resides on the AP.
Set Radius > Incoming to enable the AP to receive and execute radius attributes & commands.
Go to http://routeraddress/userman
Example implementation: paid hotspot with prepaid or postpaid users


(6) Use other Radius Server
Install a Radius server if it hasn't been installed yet. Alternatives: FreeRADIUS, XTRadius, Steel-Belted Radius.
Install the database (oracle, mysql, postgres, etc).
Configure the radius:
Set the secret word.
Set the Mikrotik dictionary in its dictionary directory.
Set the database & prepaid script realms.
Install the dictionary for mikrotik. Look for it in:
http://www.mikrotik.com/documentation/manual_2.9/dictionary.mikrotik
Save it in the corresponding directory. In freeradius on Fedora it will be:
/usr/share/freeradius/dictionary.mikrotik
Install the radius management software (or develop one ;))


(6) Use other Radius Server (cont'd)
Add the radius server in Radius > New Radius Server.
Configuration: refer to refman2.9.pdf, page 395, Radius client, for information about the Services settings.
Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure): check hotspot & login.
Set the radius server's address & secret (equal to the one configured on the server).
Set Radius > Incoming to enable the AP to receive and execute radius attributes & commands.


(7) Simple Changes
Look for the servlet pages in Files > hotspot.
Download them using copy-paste.
Change them on your computer.
Re-upload them to the router.


(8) Centralize the Captive Portal
Follow the steps in (7).
Redirect the login page to your server, using simple JavaScript. Don't forget to include the servlet variables in the URI.
Show your own login page, with action=POST & url replaced by the corresponding servlet variable.
You can also post to your server to be able to fetch some data, and then forward the POST to your AP router.
