Wireless Hot Spot

Hotspot Customization
Mikrotik User Meeting (MUM) Indonesia
Bali, 13-14 June 2008
About Me
• Donny Fauzan
• Electrical Engineering Graduate
• Software Engineer (Mostly Web) since college
• Network Engineer (BSD, Linux & Mikrotik) since college
• Current jobs :
– PT.Pramindo Ikat (Telkom) Wireless Hotspot Network (Setting Mikrotik Hotspot with FreeRadius MySQL, developing HotspotManager for Radius)
– Ministry of Education Accounting (SAI) Network (Setting VPN+OSPF Network, developing client software)
– Training for UFOAKSES Indonesia
Agenda
• Introduction & basics
• Hotspot setup
• Hotspot Customization
• Q&A
Introduction
• Hotspot : “zero configuration”
– The user does not need any setup; everything is done automatically
• Hotspot components
– IP Address assignment (DHCP)
– DNS relay & cache
– NAT & Firewall
– Traffic shaping & QoS
– AAA (Authentication, Authorization, Accounting)
AAA
• Authentication → Captive portal
– User logs in via web interface (http cookie).
– Captive means “jailed” or “imprisoned”. You can connect to the AP, but in a very restrictive environment.
• Authorization → firewall
– Walled garden
– NAT
• Accounting → RADIUS
– Postpaid billing
– Voucher (prepaid)
Scenario
• User searches for a wireless network SSID
• User finds the SSID, then connects without any Wi-Fi security (WEP, WPA, WPA2, etc.)
• User starts browsing
• The captive portal is then shown
• User enters his/her login information (user & password)
• Mikrotik checks the supplied account against the local user table and the configured radius server
• After the user is verified, the accounting process is started. A pop-up is shown containing the connection status
Login Page or “Captive Portal”
Step by Step (1)
• Prepare your wireless interface
– Mode : AP Bridge
– SSID : Any string (max. 32 chars)
– Band : 2.4 GHz (B/G or G-only)
– Frequency : better scan first
• Add wlan interface IP address
• Run hotspot wizard
– Interface : to run hotspot on
– Gateway address : the router hotspot interface’s IP address
– Address pool : for DHCP
– Certificate : for https login page
– SMTP server : for relaying mails to
– DNS server : for clients’ DNS resolution
– DNS name : DNS alias for your router’s hotspot pages
– User : for testing purposes
Step by Step (2)
• Set your hotspot server
– Name : better rename it (ex : myhotspot)
• Set your server profile
– General > Name : better rename it (ex: myhotspot-profile)
– General > HTML Directory : may be different for multiple AP or
VAP setups
– Login > Login By : set
• CHAP (encrypted password),
• Cookie (user sessions stored in the browser as cookies)
• HTTPS (in case using https login pages – requires certificate)
– Radius : set
• Check “Use Radius”
• Check “Accounting”
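Steps 1 and 2 typed at the RouterOS command line instead of WinBox, as an added example that is not from the slides. The interface name, addresses, pool, certificate name and the 2437 MHz frequency are assumptions; the login-by list deliberately leaves out http-pap (clear-text password) and mac (spoofable), so only the CHAP, cookie and HTTPS methods the slide lists are enabled.

```routeros
# Step 1: wireless interface (assumed values; scan before picking a frequency, as the slide says)
/interface wireless set wlan1 mode=ap-bridge ssid="MyHotspot" band=2.4ghz-b/g frequency=2437 disabled=no
/ip address add address=10.5.50.1/24 interface=wlan1
/ip pool add name=hs-pool-1 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server add name=hs-dhcp interface=wlan1 address-pool=hs-pool-1 lease-time=1h disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1

# Step 2: server profile, renamed as the slide suggests.
# login-by: http-chap hashes the password, cookie keeps the session, https needs the certificate.
# http-pap (clear-text password) and mac (spoofable) are intentionally not listed.
# use-radius / radius-accounting are the two Radius-tab checkboxes.
/ip hotspot profile add name=myhotspot-profile hotspot-address=10.5.50.1 \
    dns-name=hotspot.example.local html-directory=hotspot \
    login-by=cookie,http-chap,https ssl-certificate=hotspot-cert \
    use-radius=yes radius-accounting=yes

# The hotspot server itself, renamed and bound to the profile
/ip hotspot add name=myhotspot interface=wlan1 address-pool=hs-pool-1 profile=myhotspot-profile disabled=no

# The test user the wizard would create; remove it once RADIUS authentication works
/ip hotspot user add name=test password=test-only server=myhotspot
```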
Hotspot Setup “Wizard”
Server Profile
User Profile
Hotspot Servlet Pages
Hotspot Customization Scenarios
1. Hotspot with advertisements.
2. Hotspot with “walled garden”.
3. Limit user bandwidth (using local users table).
4. Shared user
5. Attach the hotspot to the UserManager
6. Attach the hotspot to another Radius server
7. Customize the captive portal, by adding simple changes to login page and/or other servlet pages.
8. Centralize login page on a webserver
(1) Advertisements
• The advertisement feature can be enabled in user profiles (there is a “default” profile).
• Add another user profile or change the default one.
• Go to the “advertisement” tab, and check “Advertise”
• Insert advertisement pages (for more, click the down arrow)
• Set the advertisement interval
• Example implementation : Ad-Supported Free Hotspot
(2) Walled Garden
• Walled garden : sites that are allowed to be accessed from the network without being authenticated.
• Can be set from Hotspot > Walled Garden tab
• Configuration :
– Set action (usually allow)
– Set the particular hotspot server (useful for VAP)
– Set src address to prohibit certain clients
– Set dst address to specify allowed/blocked sites by IP
– Set dst host to specify allowed/blocked sites by DNS
– Set the port
• Example implementation : Paid Hotspot with external webserver displaying subscription info
(3) Limit User Bandwidth (local)
• Limit user bandwidth, using the mikrotik hotspot local user profile.
• Can be set from Hotspot > Profile
• Configuration :
– General > Rate Limit (rx/tx)
• Example implementation : Free hotspot
(4) Shared Users
• One user name can be used more than once, up to a limited number.
• Set the limit number of users from Hotspot > Profile
• When the shared-users limit for the user's profile is reached, one will have to wait until someone with this username logs out, use a different login name, or extend the shared-users limit
• Configuration :
– General > Shared users (set the maximum limit)
• Example implementation : Limited guest user name for a hotspot
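Scenarios (2), (3) and (4) as RouterOS commands, added here as an example that is not from the slides. The server name, host names, IP addresses and rate values are assumptions; the walled-garden rules open only the external subscription-info web server (and an advertisement host) before login, and the user profiles show the rx/tx rate limit and the shared-users cap.

```routeros
# (2) Walled garden: what an unauthenticated client may reach. Names/addresses are assumed.
# External web server that shows subscription info (the paid-hotspot example); web ports only
/ip hotspot walled-garden add server=myhotspot action=allow dst-host=portal.example.com dst-port=80
/ip hotspot walled-garden add server=myhotspot action=allow dst-host=portal.example.com dst-port=443
# Wildcard host, e.g. the advertisement server used in scenario (1)
/ip hotspot walled-garden add server=myhotspot action=allow dst-host=*.ads.example.com
# Allow by IP when the site has no stable DNS name (constructed address)
/ip hotspot walled-garden ip add server=myhotspot action=accept dst-address=203.0.113.10 protocol=tcp dst-port=80
# src-address on a deny rule keeps one client (constructed address) out of the garden entirely
/ip hotspot walled-garden add server=myhotspot action=deny src-address=10.5.50.200 dst-host=*.ads.example.com

# (3) + (4) user profiles. rate-limit is rx/tx as seen by the router:
# rx = client upload, tx = client download.
/ip hotspot user profile add name=free  rate-limit=128k/256k shared-users=1
/ip hotspot user profile add name=guest rate-limit=256k/512k shared-users=5

# Shared guest account: the sixth simultaneous login with this name is refused
# until one of the five logs out (placeholder password, change it)
/ip hotspot user add name=guest password=CHANGE-ME profile=guest server=myhotspot
```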
(5) Use UserManager
• Download the usermanager package from mikrotik.com/download.html
• The User Manager package is included in the all-packages file named "Separate packages for Netinstall"
• Upload the package to “files”, then reboot
• Enable the radius settings in the corresponding Server Profiles > Radius tab > Use Radius
• Add the userman as a radius server in Radius > New Radius Server
• Configuration (refer to refman2.9.pdf page 395)
– For “Radius client” and for information about the “Services settings”, refer to the refman
– Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure) : check hotspot & login
– Set 127.0.0.1 for the address if the userman resides in the AP
– Set Radius > incoming to enable the AP receiving and executing radius attributes & commands
• Go to http://routeraddress/userman
• Example implementation : Paid hotspot with prepaid or postpaid users
(6) Use other Radius Server
• Install a Radius server if it hasn’t been installed yet. Alternatives : FreeRADIUS, XTRadius, Steel-Belted Radius.
• Install the database (oracle, mysql, postgres, etc)
• Configure the radius
– Set the “secret” word
– Set the Mikrotik’s dictionary in its “dictionary” directory.
– Set the database & prepaid script realms
• Install the “dictionary” for mikrotik. Look for it in : http://www.mikrotik.com/documentation/manual_2.9/dictionary.mikrotik
• Save in the corresponding directory. In freeradius-Fedora it will be: /usr/share/freeradius/dictionary.mikrotik
• Install the radius management software (or develop one ;))
(6) Use other Radius Server (cont’d)
• Add the radius server in Radius > New Radius Server
• Refer to refman2.9.pdf page 395 about “Radius client” for information about the “Services settings”
• Configuration (refer to refman2.9.pdf page 395)
– For “Radius client” and for information about the “Services settings”, refer to the refman
– Example setup for wireless hotspot authentication based on username (not MAC address, which is insecure) : check hotspot & login
– Set the radius server’s address & secret (equal to the server’s)
– Set Radius > incoming to enable the AP receiving and executing radius attributes & commands
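The RADIUS-client side of scenarios (5) and (6) as RouterOS commands, added here as an example that is not from the slides. The server address, secrets and the CoA port are assumptions (placeholders to replace); the profile name matches the earlier step-by-step naming.

```routeros
# (5) User Manager on the same router: address 127.0.0.1 as the slide says (placeholder secret)
/radius add service=hotspot,login address=127.0.0.1 secret=CHANGE-ME-userman-secret

# (6) External FreeRADIUS (assumed address). The secret must equal the one in the
# server's clients.conf, and the server needs dictionary.mikrotik installed so that
# Mikrotik vendor attributes such as Mikrotik-Rate-Limit are understood.
/radius add service=hotspot,login address=192.0.2.20 secret=CHANGE-ME-radius-secret \
    authentication-port=1812 accounting-port=1813 timeout=300ms

# Radius > incoming: let the server push disconnect / CoA requests to the AP
# (for example when a prepaid voucher runs out). 3799 is the RFC 5176 port;
# match it to whatever the server is configured to send to.
/radius incoming set accept=yes port=3799

# Server profile: authenticate and account via RADIUS; the local user table is
# still consulted first, as the scenario slide describes. MAC login stays off.
/ip hotspot profile set myhotspot-profile use-radius=yes radius-accounting=yes \
    login-by=cookie,http-chap,https
```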
(7) Simple Changes
• Look for them in Files → hotspot
• Download using copy-paste
• Change on your computer
• Re-upload to the router
(8) Centralize the Captive Portal
• Follow the steps in (7)
• Redirect the login page to your server, using simple javascript. Don’t forget to include the servlet variables in the URI
• Show your own login page, with its POST action URL replaced by the corresponding servlet variable.
• You can also post to your server to be able to fetch some data, and then forward the POST to your AP router.