
Hotspot Customization

Mikrotik User Meeting (MUM) Indonesia


Bali, 13-14 June 2008

About Me

Donny Fauzan
Electrical Engineering Graduate
Software Engineer (Mostly Web) since college
Network Engineer (BSD, Linux & Mikrotik) since college
Current jobs :
PT. Pramindo Ikat (Telkom) Wireless Hotspot Network (Setting Mikrotik Hotspot with FreeRadius MySQL, developing HotspotManager for Radius)
Ministry of Education Accounting (SAI) Network (Setting VPN+OSPF Network, developing client software)
Training for UFOAKSES Indonesia

Agenda
Introduction & basics
Hotspot setup
Hotspot Customization
Q&A

Introduction
Hotspot : zero configuration
Users do not need to set anything up; everything is done automatically

Hotspot components

IP Address assignment (DHCP)
DNS relay & cache
NAT & Firewall
Traffic shaping & QoS
AAA (Authentication, Authorization, Accounting)

AAA
Authentication : captive portal
User logs in via a web interface (HTTP cookie).
"Captive" means jailed or imprisoned. You can connect to the AP, but only in a very restrictive environment.

Authorization : firewall
Walled garden
NAT

Accounting : RADIUS
Postpaid billing
Voucher (prepaid)

Scenario
User searches for the wireless network SSID
User finds the SSID, then connects without any wi-fi security (WEP, WPA, WPA2, etc)
User starts browsing
The captive portal is then shown
User enters his/her login information (user & password)
Mikrotik checks the supplied account against the local user table and the configured radius server
After the user is verified, the accounting process is started. A pop-up showing the connection status is displayed

Login Page or Captive Portal

Step by Step (1)


Prepare your wireless interface
Mode : AP Bridge
SSID : Any string (max. 32 chars)
Band : 2.4 GHz (B/G or G-only)
Frequency : better to scan first

Add the wlan interface IP address

Run the hotspot wizard
Interface : the interface to run the hotspot on
Gateway address : the router's hotspot interface IP address
Address pool : for DHCP
Certificate : for the https login page
SMTP server : for relaying mails to
DNS server : for clients' DNS resolution
DNS name : DNS alias for your router's hotspot pages
User : for testing purposes

Step by Step (2)


Set your hotspot server
Name : better to rename it (ex : myhotspot)

Set your server profile
General > Name : better to rename it (ex : myhotspot-profile)
General > HTML Directory : may be different for multiple AP or VAP setups
Login > Login By : set
CHAP (encrypted password)
Cookie (user sessions stored in browsers as cookies)
HTTPS (if using https login pages; requires a certificate)
Radius : set
Check Use Radius
Check Accounting

Hotspot Setup Wizard

Server Profile

User Profile

Hotspot Servlet Pages

Hotspot Customization Scenarios


1. Hotspot with advertisements.
2. Hotspot with walled garden.
3. Limit user bandwidth (using local users table).
4. Shared user
5. Attach the hotspot to the UserManager
6. Attach the hotspot to another Radius server
7. Customize the captive portal, by adding simple changes to login page and/or other servlet pages.
8. Centralize login page on a webserver

(1) Advertisements

The advertisement feature can be enabled in user profiles (there is a default profile).
Add another user profile or change the default one.
Go to the Advertisement tab, and check Advertise
Insert advertisement pages (for more, click the down arrow)
Set the advertisement interval
Example implementation : Ad-Supported Free Hotspot

(2) Walled Garden

Walled garden : sites that are allowed to be accessed from the network without being authenticated.
Can be set from Hotspot > Walled Garden tab
Configuration :
Set action (usually allow)
Set the particular hotspot server (useful for VAP)
Set src address to prohibit certain clients
Set dst address to specify allowed/blocked sites by IP
Set dst host to specify allowed/blocked sites by DNS
Set the port

Example implementation : Paid Hotspot with external webserver displaying subscription info

(3) Limit User Bandwidth (local)

Limit user bandwidth, using the Mikrotik hotspot local user profile.
Can be set from Hotspot > Profile
Configuration :
General > Rate Limit (rx/tx)

Example implementation : Free hotspot

(4) Shared Users

One user name can be used more than once, up to a set limit.
Set the limit number of users from Hotspot > Profile
When the shared-users limit for the user's profile is reached, one will have to wait until someone with this username logs out, use a different login name, or extend the shared-users limit
Configuration :
General > Shared users (set the maximum limit)

Example implementation : Limited guest user name for a hotspot

(5) Use UserManager

Download the usermanager package from mikrotik.com/download.html
The User Manager package is included in the all-packages file named "Separate packages for Netinstall"
Upload the package to Files, then reboot
Enable the radius settings in the corresponding Server Profiles > Radius tab > Use Radius
Add the userman as a radius server in Radius > New Radius Server
Configuration (refer to refman2.9.pdf page 395, Radius client, for information about the Services settings)
Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure) : check hotspot & login
Set 127.0.0.1 for address if the userman resides in the AP
Set Radius > incoming to enable the AP to receive and execute radius attributes & commands

Go to http://routeraddress/userman
Example implementation : Paid hotspot with prepaid or postpaid users

(6) Use other Radius Server

Install a Radius server if it hasn't been installed yet. Alternatives : FreeRADIUS, XTRadius, Steel-Belted Radius.
Install the database (Oracle, MySQL, Postgres, etc)
Configure the radius
Set the secret word
Set the Mikrotik dictionary in its dictionary directory.
Set the database & prepaid script realms

Install the dictionary for Mikrotik. Look for it at :
http://www.mikrotik.com/documentation/manual_2.9/dictionary.mikrotik
Save it in the corresponding directory. In freeradius-Fedora it will be :
/usr/share/freeradius/dictionary.mikrotik
Install the radius management software (or develop one ;))

(6) Use other Radius Server (contd)

Add the radius server in Radius > New Radius Server
Configuration (refer to refman2.9.pdf page 395, Radius client, for information about the Services settings)
Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure) : check hotspot & login
Set the radius server's address & secret (equal to the server's)
Set Radius > incoming to enable the AP to receive and execute radius attributes & commands

(7) Simple Changes

Look for them in Files > hotspot
Download using copy-paste
Change on your computer
Re-upload to the router

(8) Centralize the Captive Portal

Follow the steps in (7)
Redirect the login page to your server, using simple javascript. Don't forget to include the servlet variables in the URI
Show your own login page, with the form method set to POST and the action URL replaced by the corresponding servlet variable.
You can also post to your server to be able to fetch some data, and then forward the POST to your AP router.
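
Added example (not from the original slides): one way to implement the redirect and the central login page from (8) in JavaScript. It assumes the RouterOS servlet variables $(link-login-only), $(link-orig), $(mac), $(ip) and $(error); the host names, function names and allowlist are hypothetical. Because the router URL reaches the central server in a client-controlled query string, the server checks it against the routers it operates before using it as the form action.

```javascript
// Router side (login.html in the hotspot directory): RouterOS replaces each
// $(name) before serving, so `vars` holds plain strings. Values are constructed.
function buildPortalRedirect(portalBase, vars) {
  const url = new URL(portalBase);
  for (const key of ["link-login-only", "link-orig", "mac", "ip", "error"]) {
    if (vars[key]) url.searchParams.set(key, vars[key]); // percent-encoded
  }
  return url.toString();
}

// Central server side. The query string is client-controlled, so the form
// action is accepted only when it points at a hotspot router we operate.
const ALLOWED_ROUTERS = new Set(["hotspot.example.net"]); // assumption: your DNS name

function safeLoginAction(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get("link-login-only");
  let target;
  try { target = new URL(raw); } catch { return null; }  // missing or malformed
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (target.username || target.password) return null;   // no user@host forms
  if (!ALLOWED_ROUTERS.has(target.hostname)) return null;
  return target.origin + target.pathname;                 // drop query/fragment
}

function escapeHtml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Login form that posts straight to the router; field names follow the
// stock RouterOS login.html (username, password, dst).
function renderLoginForm(requestUrl) {
  const action = safeLoginAction(requestUrl);
  if (!action) return null;                               // refuse to render
  const dst = new URL(requestUrl).searchParams.get("link-orig") || "";
  return `<form method="post" action="${escapeHtml(action)}">` +
    `<input type="hidden" name="dst" value="${escapeHtml(dst)}">` +
    `<input name="username"><input type="password" name="password">` +
    `<input type="submit" value="Log in"></form>`;
}

// Constructed sample values, as RouterOS would substitute them.
const redirect = buildPortalRedirect("https://portal.example.net/login", {
  "link-login-only": "https://hotspot.example.net/login",
  "link-orig": "http://example.com/?a=1&b=2",
  mac: "00:11:22:33:44:55", ip: "10.5.50.2",
});
console.log(redirect);
console.log(renderLoginForm(redirect));
```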
