Mikrotik User Meeting (MUM) Indonesia Bali, 13-14 June 2008.

Hotspot Customization
Mikrotik User Meeting (MUM) Indonesia
Bali, 13-14 June 2008

About Me
• Donny Fauzan
• Electrical Engineering Graduate
• Software Engineer (Mostly Web) since college
• Network Engineer (BSD, Linux & Mikrotik) since college
• Current jobs :
  – PT.Pramindo Ikat (Telkom) Wireless Hotspot Network (Setting Mikrotik Hotspot with FreeRadius MySQL, developing HotspotManager for Radius)
  – Ministry of Education Accounting (SAI) Network (Setting VPN+OSPF Network, developing client software)
  – Training for UFOAKSES Indonesia

Agenda
• Introduction & basics
• Hotspot setup
• Hotspot Customization
• Q & A

Introduction
• Hotspot : “zero configuration”
  – User would not require any setup, everything is done automatically
• Hotspot components
  – IP Address assignment (DHCP)
  – DNS relay & cache
  – NAT & Firewall
  – Traffic shaping & QoS
  – AAA (Authentication, Authorization, Accounting)

AAA
• Authentication : Captive portal
  – User logs in via web interface (http cookie).
  – Captive means “jailed” or “imprisoned”. You can connect to the AP, but in a very restrictive environment.
• Authorization : firewall
  – Walled garden
  – NAT
• Accounting : RADIUS
  – Postpaid billing
  – Voucher (prepaid)

Scenario
• User searches for the wireless network SSID
• User finds the SSID, then connects without any wi-fi security (WEP, WPA, WPA2, etc)
• User starts browsing
• Captive portal will then be shown
• User enters his/her login information (user & password)
• Mikrotik will check the account supplied against the local user table and the radius server supplied
• After the user is verified, the accounting process will be started. A pop-up containing the connection status will be shown

Login Page or “Captive Portal”

Step by Step (1)
• Prepare your wireless interface
  – Mode : AP Bridge
  – SSID : Any string (max. 32 chars)
  – Band : 2.4 GHz (B/G or G-only)
  – Frequency : better scan first
• Add wlan interface IP address
• Run hotspot wizard
  – Interface : to run hotspot on
  – Gateway address : the router hotspot interface’s IP address
  – Address pool : for DHCP
  – Certificate : for https login page
  – SMTP server : for relaying mails to
  – DNS server : for clients’ DNS resolution
  – DNS name : DNS alias for your router’s hotspot pages
  – User : for testing purposes

Step by Step (2)
• Set your hotspot server
  – Name : better rename it (ex : myhotspot)
• Set your server profile
  – General > Name : better rename it (ex: myhotspot-profile)
  – General > HTML Directory : may be different for multiple AP or VAP setups
  – Login > Login By : set
    • CHAP (encrypted password)
    • Cookie (user sessions stored in the browser as cookies)
    • HTTPS (in case using https login pages – requires certificate)
  – Radius : set
    • Check “Use Radius”
    • Check “Accounting”

Hotspot Setup “Wizard”

Server Profile

User Profile

Hotspot Servlet Pages

Hotspot Customization Scenarios
1. Hotspot with advertisements.
2. Hotspot with “walled garden”.
3. Limit user bandwidth (using local users table).
4. Shared user
5. Attach the hotspot to the UserManager
6. Attach the hotspot to another Radius server
7. Customize the captive portal, by adding simple changes to login page and/or other servlet pages.
8. Centralize login page on a webserver

(1) Advertisements
• Advertisement feature could be enabled in user profiles (there is a “default” profile).
• Add another user profile or change the default one.
• Go to “advertisement” tab, and check “Advertise”
• Insert advertisement pages (for more, click down arrow)
• Set advertisement interval
• Example implementation : Ad-Supported Free Hotspot

(2) Walled Garden
• Walled garden : sites that are allowed to be accessed from the network without being authenticated.
• Can be set from Hotspot > Walled Garden tab
• Configuration :
  – Set action (usually allow)
  – Set the particular hotspot server (useful for VAP)
  – Set src address to prohibit certain clients
  – Set dst address to specify allowed/blocked sites by IP
  – Set dst host to specify allowed/blocked sites by DNS
  – Set the port
• Example implementation : Paid Hotspot with external webserver displaying subscription info

(3) Limit User Bandwidth (local)
• Limit user bandwidth, using mikrotik hotspot local user profile.
• Can be set from Hotspot > Profile
• Configuration :
  – General > Rate Limit (rx/tx)
• Example implementation : Free hotspot

(4) Shared Users
• One user name can be used more than once, up to a limited number.
• Set the limit number of users from Hotspot > Profile
• When the shared-users limit for the user's profile is reached, one will have to wait until someone with this username logs out, use a different login name, or extend the shared-users limit
• Configuration :
  – General > Shared users (set the maximum limit)
• Example implementation : Limited guest user name for a hotspot

(5) Use UserManager
• Download the usermanager package from mikrotik.com/download.html
• The User Manager package is included in the all-package file named “Separate packages for Netinstall”
• Upload the package to “files”, then reboot
• Enable the radius settings in the corresponding Server Profiles > Radius tab > Use Radius
• Add the userman as a radius server in Radius > New Radius Server
• Configuration (refer to refman2.9.pdf page 395)
  – For information about the “Services settings” of the “Radius client”, refer to the refman
  – Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure) : check hotspot & login
  – Set 127.0.0.1 for address if the userman resides in the AP
  – Set Radius > incoming to enable the AP to receive and execute radius attributes & commands
• Go to http://routeraddress/userman
• Example implementation : Paid hotspot with prepaid or postpaid users

(6) Use other Radius Server
• Install Radius server if it hasn’t been installed yet. Alternatives : FreeRADIUS, XTRadius, Steel-Belted Radius.
• Install the database (oracle, mysql, postgres, etc)
• Configure the radius
  – Set the “secret” word
  – Set the Mikrotik’s dictionary in its “dictionary” directory.
  – Set the database & prepaid script realms
• Install the “dictionary” for mikrotik. Look for it in : http://www.mikrotik.com/documentation/manual_2.9/dictionary.mikrotik
• Save in the corresponding directory. In freeradius-Fedora it will be: /usr/share/freeradius/dictionary.mikrotik
• Install the radius management software (or develop one ;))

(6) Use other Radius Server (cont’d)
• Add the radius server in Radius > New Radius Server
• Refer to refman2.9.pdf page 395 about “Radius client” for information about the “Services settings”
• Configuration (refer to refman2.9.pdf page 395)
  – For information about the “Services settings” of the “Radius client”, refer to the refman
  – Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure) : check hotspot & login
  – Set the radius server’s address & secret (equal to the server)
  – Set Radius > incoming to enable the AP to receive and execute radius attributes & commands

(7) Simple Changes
• Look for them in Files > hotspot
• Download using copy-paste
• Change on your computer
• Re-upload to the router

(8) Centralize the Captive Portal
• Follow (7) steps
• Redirect the login page to your server, using simple javascript. Don’t forget to include the servlet variables in the URI
• Show your own login page, with a form that uses method=“POST” and whose action URL is replaced by the corresponding servlet variable.
• You can also post to your server to be able to fetch some data, and then forward the POST to your AP router.
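
An added example (not from the original slides): a Node.js helper for the central login page in (8). It accepts the router-supplied login URL as the form action only when it points at a known router, and it computes the HTTP-CHAP response the same way the hexMD5 call in MikroTik's stock login.html does, so the password is not posted in cleartext. The allowlisted hosts, the parameter names used to carry the servlet variables (`link-login-only`, `chap-id`, `chap-challenge`), the three-digit octal escape format and all function names are assumptions of this example.

```javascript
// Added example (Node.js): helper for a central hotspot login page.
const crypto = require('node:crypto');

// Assumption: hosts of our own hotspot routers (constructed values).
const ALLOWED_ROUTERS = new Set(['hotspot.example.net', '10.5.50.1']);

// chap-id / chap-challenge arrive as text with octal escapes such as "\371";
// turn that text back into raw bytes.
function unescapeOctal(text) {
  const bytes = [];
  for (let i = 0; i < text.length; i++) {
    const m = text[i] === '\\' ? /^[0-7]{3}/.exec(text.slice(i + 1)) : null;
    if (m) { bytes.push(parseInt(m[0], 8) & 0xff); i += 3; }
    else bytes.push(text.charCodeAt(i) & 0xff);
  }
  return Buffer.from(bytes);
}

// HTTP-CHAP response: MD5(chap-id + password + chap-challenge), hex encoded.
function chapResponse(chapId, password, chapChallenge) {
  return crypto.createHash('md5')
    .update(unescapeOctal(chapId))
    .update(Buffer.from(password, 'latin1'))
    .update(unescapeOctal(chapChallenge))
    .digest('hex');
}

// Accept the router-supplied login URL only if it points at a known router.
function checkedLoginUrl(linkLoginOnly) {
  let u;
  try { u = new URL(linkLoginOnly); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username || u.password) return null;
  return ALLOWED_ROUTERS.has(u.hostname) ? u.origin + u.pathname : null;
}

// Build the form action and fields the central page posts back to the router.
function buildLoginPost(params, username, password) {
  const action = checkedLoginUrl(params['link-login-only'] || '');
  if (!action) throw new Error('login URL is not one of our routers');
  const fields = { username };
  if (params['chap-id'] && params['chap-challenge']) {
    fields.password = chapResponse(params['chap-id'], password, params['chap-challenge']);
  } else if (action.startsWith('https://')) {
    fields.password = password; // cleartext only inside TLS
  } else {
    throw new Error('no CHAP challenge and no HTTPS: refusing cleartext password');
  }
  return { action, fields };
}
```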