Hotspot Customization


Hotspot Customization Mikrotik User Meeting (MUM) Indonesia Bali, 13-14 June 2008

About Me
- Donny Fauzan
- Electrical Engineering Graduate
- Software Engineer (Mostly Web) since college
- Network Engineer (BSD, Linux & Mikrotik) since college
- Current jobs:
  - PT. Pramindo Ikat (Telkom) Wireless Hotspot Network (Setting Mikrotik Hotspot with FreeRadius MySQL, developing HotspotManager for Radius)
  - Ministry of Education Accounting (SAI) Network (Setting VPN+OSPF Network, developing client software)
  - Training for UFOAKSES Indonesia

Agenda
- Introduction & basics
- Hotspot setup
- Hotspot Customization
- Q & A


Introduction
- Hotspot: “zero configuration”
  - User would not require any setup, everything is done automatically
- Hotspot components
  - IP address assignment (DHCP)
  - DNS relay & cache
  - NAT & Firewall
  - Traffic shaping & QoS
  - AAA (Authentication, Authorization, Accounting)

AAA
- Authentication → Captive portal
  - User logs in via web interface (HTTP cookie).
  - Captive means “jailed” or “imprisoned”. You can connect to the AP, but in a very restrictive environment.
- Authorization → firewall
  - Walled garden
  - NAT
- Accounting → RADIUS
  - Postpaid billing
  - Voucher (prepaid)

Scenario
- User searches for the wireless network SSID
- User finds the SSID, then connects without any Wi-Fi security (WEP, WPA, WPA2, etc.)
- User starts browsing
- The captive portal will then be shown
- User enters his/her login information (user & password)
- Mikrotik will check the account supplied against the local user table and the radius server supplied
- After the user is verified, the accounting process will be started.
- A pop-up will be shown, containing the connection status

Login Page or “Captive Portal”


Step by Step (1)
- Prepare your wireless interface
  - Mode: AP Bridge
  - SSID: Any string (max. 32 chars)
  - Band: 2.4 GHz (B/G or G-only)
  - Frequency: better scan first
- Add wlan interface IP address
- Run hotspot wizard
  - Interface: to run hotspot on
  - Gateway address: the router hotspot interface’s IP address
  - Address pool: for DHCP
  - Certificate: for https login page
  - SMTP server: for relaying mails to
  - DNS server: for clients’ DNS resolves
  - DNS name: DNS alias for your router’s hotspot pages
  - User: for testing purposes

Step by Step (2)
- Set your hotspot server
  - Name: better rename it (ex: myhotspot)
- Set your server profile
  - General > Name: better rename it (ex: myhotspot-profile)
  - General > HTML Directory: may be different for multiple AP or VAP setups
  - Login > Login By: set
    - CHAP (encrypted password)
    - Cookie (user sessions stored in the browser as cookies)
    - HTTPS (in case of using https login pages – requires certificate)
  - Radius: set
    - Check “Use Radius”
    - Check “Accounting”

Hotspot Setup “Wizard”

Server Profile

User Profile

Hotspot Servlet Pages


Hotspot Customization Scenarios
- Hotspot with advertisements.
- Hotspot with “walled garden”.
- Limit user bandwidth (using local users table).
- Shared user
- Attach the hotspot to the UserManager
- Attach the hotspot to another Radius server
- Customize the captive portal, by adding simple changes to login page and/or other servlet pages.
- Centralize login page on a webserver

(1) Advertisements
- Advertisement feature could be enabled in user profiles (there is a “default” profile).
- Add another user profile or change the default one.
- Go to “advertisement” tab, and check “Advertise”
- Insert advertisement pages (for more, click down arrow)
- Set advertisement interval
- Example implementation: Ad-Supported Free Hotspot

(2) Walled Garden
- Walled garden: sites that are allowed to be accessed from the network without being authenticated.
- Can be set from Hotspot > Walled Garden tab
- Configuration:
  - Set action (usually allow)
  - Set the particular hotspot server (useful for VAP)
  - Set src address to prohibit certain clients
  - Set dst address to specify allowed/blocked sites by IP
  - Set dst host to specify allowed/blocked sites by DNS
  - Set the port
- Example implementation: Paid Hotspot with external webserver displaying subscription info

(3) Limit User Bandwidth (local)
- Limit user bandwidth, using mikrotik hotspot local user profile.
- Can be set from Hotspot > Profile
- Configuration: General > Rate Limit (rx/tx)
- Example implementation: Free hotspot

(4) Shared Users
- One user name can be used more than once, for a limited number.
- Set the limit number of users from Hotspot > Profile
- When the shared-users limit for the user's profile is reached, one will have to wait until someone with this username logs out, use a different login name or extend the shared-users limit
- Configuration: General > Shared users (set the maximum limit)
- Example implementation: Limited guest user name for a hotspot

(5) Use UserManager
- Download the usermanager package from mikrotik.com/download.html
  - The User Manager package is included in the all package file named “Separate packages for Netinstall”
- Upload the package to “files”, then reboot
- Enable the radius settings in the corresponding Server Profiles > Radius tab > Use Radius
- Add the userman as a radius server in Radius > New Radius Server
  - Configuration: refer to refman2.9.pdf page 395 about “Radius client” for information about the “Services settings”
  - Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure): check hotspot & login
  - Set 127.0.0.1 for address if the userman resides in the AP
- Set Radius > incoming to enable the AP to receive and execute radius attributes & commands
- Go to http://routeraddress/userman
- Example implementation: Paid hotspot with prepaid or postpaid users

(6) Use other Radius Server
- Install Radius server if it hasn’t been installed yet. Alternatives: FreeRADIUS, XTRadius, Steel-Belted Radius.
- Install the database (oracle, mysql, postgres, etc.)
- Configure the radius
  - Set the “secret” word
  - Set the Mikrotik’s dictionary in its “dictionary” directory.
  - Set the database & prepaid script realms
- Install the “dictionary” for mikrotik.
  - Look for it in: http://www.mikrotik.com/documentation/manual_2.9/dictionary.mikrotik
  - Save in the corresponding directory. In freeradius-Fedora it will be: /usr/share/freeradius/dictionary.mikrotik
- Install the radius management software (or develop one ;))

(6) Use other Radius Server (cont’d)
- Add the radius server in Radius > New Radius Server
  - Configuration: refer to refman2.9.pdf page 395 about “Radius client” for information about the “Services settings”
  - Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure): check hotspot & login
  - Set the radius server’s address & secret (equal to the server)
- Set Radius > incoming to enable the AP to receive and execute radius attributes & commands

(7) Simple Changes
- Look for them in Files → hotspot
- Download using copy-paste
- Change on your computer
- Re-upload to the router

(8) Centralize the Captive Portal
- Follow (7) steps
- Redirect the login page to your server, using simple javascript.
  - Don’t forget to include the servlet variables in the URI
- Show your own login page, with action=“POST” & url replaced by the corresponding servlet variable.
- You can also post to your server to be able to fetch some data, and then forward the POST to your AP router.
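
The redirect described in (8), together with the check the external login page should make before it uses the router-supplied login URL as its form action. This is an added example, not part of the original slides. The portal URL, the hotspot host name, the query parameter names and both function names are assumptions; $(link-login-only), $(link-orig), $(mac), $(ip) and $(error) are the hotspot servlet variables the router substitutes into the uploaded login.html.

```javascript
// Added example, not from the original slides. PORTAL_URL, ALLOWED_HOTSPOT_HOSTS,
// the query parameter names and the function names are assumptions.
const PORTAL_URL = 'https://portal.example.net/login';           // assumed external webserver
const ALLOWED_HOTSPOT_HOSTS = new Set(['hotspot.example.net']);  // assumed hotspot DNS name

// Router side (login.html uploaded to the router): the servlet fills in the values,
// e.g. linkLoginOnly from $(link-login-only), linkOrig from $(link-orig), mac from $(mac).
function buildPortalRedirect(vars) {
  const url = new URL(PORTAL_URL);
  for (const name of ['linkLoginOnly', 'linkOrig', 'mac', 'ip', 'error']) {
    if (vars[name]) url.searchParams.set(name, vars[name]); // each value is URL-encoded
  }
  return url.toString();
}

// Portal side: the form action arrives as a query parameter, so anyone can craft a
// link that sets it. Use it only when it points at a known hotspot router;
// otherwise the login form would send the user's password to an arbitrary host.
function resolveLoginAction(portalUrl) {
  const params = new URL(portalUrl).searchParams;
  let action;
  try {
    action = new URL(params.get('linkLoginOnly') || '');
  } catch (e) {
    return null; // missing, or not an absolute URL
  }
  const schemeOk = action.protocol === 'http:' || action.protocol === 'https:';
  if (!schemeOk || !ALLOWED_HOTSPOT_HOSTS.has(action.hostname)) return null;
  if (action.username || action.password) return null; // reject user:pass@host forms
  return { action: action.toString(), originalUrl: params.get('linkOrig') || '' };
}

// Constructed sample values, as the router would substitute them.
const sampleRedirect = buildPortalRedirect({
  linkLoginOnly: 'http://hotspot.example.net/login',
  linkOrig: 'http://example.com/?a=1&b=2',
  mac: '00:11:22:33:44:55',
});
console.log(sampleRedirect);
console.log(resolveLoginAction(sampleRedirect));
```

Values such as the error text are shown to the user on the portal page, so they should be written as text content rather than inserted as HTML.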
