Scenario - using hotspot + userman + prepaid vouchers + paypal - making "plug in" hot spot solutions to lease to people with internet cafes. The accounts are download/time limited so security is not too critical for logins as they will stop working once time expires anyway, forcing purchase of new account.
For the test unit - Use a remotely hosted perl script paypal passes control back to after customer pays, which generates a login form with user and password (from prepay voucher list) after they pay for a 1 hour hotspot account, which allows user to actually log in with a mouse click.
Notes:
I am aware userman has a paypal module, but SSL is not an option as IE will reject non certified certificates and your average dumb@$$ will use IE and not understand the warning messages to actually use their account. That plus the old and new version of userman does not allow new accounts to be created with download limits (the new version didn't appear to allow accounts to be created at all actually, but it is beta so meh), leaving prepaid vouchers my only way forward for a test unit. SSL is also a pain for casual IT professionals who didn't do a 5 year diploma of network computer science to set up without any knowledge. (I use CACERT.org myself but meh)
Troubles I had and answers:
Question - When trying to log in on hotspot login page + radius (userman) "radius server not responding". For some reason I had this problem when using 127.0.0.1 for the radius (hosted on same router as hotspot). Not everyone has this issue but I did.
Solution: my (Internet) interface (where userman was accessible) was DHCP, so I couldn't just put in that IP, and DHCP was needed to make it "plug and forget", so I added another fixed IP (doesn't matter what IP tho, mine matched my DHCP network IP range) on that network interface. Then configured all related settings to point to that IP (IPs found in /radius print and /tool user-manager router print). I also added this IP to walled garden. For the winbox level users this can be set in "radius". I also enabled "accept" under radius "incoming", since the internet port is behind another firewall can't hurt. IP at other end can be set under http://YOUR_INTERNAL_IP/userman/ - "routers" list for non console users.
Question - when my remote hotspot login script gives the customer the login option - pressing login redirects them back to the internal login.html page with a JavaScript error.
My Remote, highly unsecure perl Script passes this:
Solution:
print 'Debug - here is what we need to login if we have an auto login button. <br>
<p> Your 1 hour access is ready, click login below to proceed.</p>
<form name="login" action="http://10.5.50.1/login" method="post">
<input type="hidden" name="dst" value="http://www.google.com.au" />
<input type="hidden" name="popup" value="true" />
<table width="100" style="background-color: #ffffff">
<tr><td align="right">login</td>
<td><input style="width: 80px" name="username" type="text" value=' . $username . '></td>
</tr>
<tr><td align="right">password</td>
<td><input style="width: 80px" name="password" type="password" value=' . $password . '></td>
</tr>
<tr><td> </td>
<td><input type="submit" value="OK" /></td>
</tr>
</table>
</form>
';
There are no great secrets or mystery here - just pull open your server profiles in hotspot and enable HTTP PAP - then it will just work. Highly insecure but meh it's a test unit.
Question - How can I use Paypal to sell hotspot time without using SSL, or having my router port 80 open on the internet, or port forwarding? (I can't believe mikrotik requires this for the paypal plugin to work, this is evil guys! Average user won't know how to stop people getting into that login page and hitting factory reset or a similarly nefarious thing to the router)
Answer:
First your hotspot manager needs to create vouchers for prepaid accounts.
Next -
A few ways to do this - safest is to have all your vouchers stored on a normal ecommerce website, in your walled garden. Link to that off login.html. They buy them off there, and get told the login details. Maybe link back to the login page on the router.
Other way I am playing with on my test unit - purely for portability -
Several steps need to be done:
Firstly, your login.html file needs to have a link to paypal to buy hotspot time.
In paypal under merchant tools you need to set up a "button" for the hotspot time. This is the code that goes in login.html in this instance.
You should also set up the button to "track stock" and key in the number of vouchers you have created to prevent accidental payments when there are no more vouchers available.
Fourthly - like the normal paypal module you need to add various paypal servers to your walled garden (refer to wiki on that)
Fifth - in the paypal button you need to use the redirect to XX page options so if they cancel, or you are out of vouchers, or they actually pay for the time, paypal redirects to the appropriate page on your webserver (not your hotspot). This server should also be in your walled garden.
Sixth - you need to have a script running on the page it redirects to which can pull out one of the pre-paid voucher logins created earlier and issue it to the customer - it should also not issue any further vouchers until paypal redirects to it again (this is the hard part)
Notes: you could entirely replace the login.html page and just frame or iframe load your remote script from there. This would remove the need to "track stock" in your paypal button. (http://search.cpan.org/dist/Business-PayPal-IPN/IPN.pm)
At the end your script would have to generate a login form and submit it to 10.5.50.1/login but it would also know how many vouchers were left, simplifying things. This is my long term solution until the in-built paypal module allows new accounts to be created (at all in the beta version) with download restrictions - and has a more elegant way to confirm payment than opening your router up to the world for the return connection. Tho my final solution will be more like my shopping cart suggestion earlier. As this is the more secure way forward.
Anyway, there you go, hopefully this helps someone save some time blundering through by themselves.
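An added example, not part of the original post and not the poster's script, of the "hard part" in the sixth step: each voucher is bound to one PayPal transaction id under a file lock, so a reloaded or replayed redirect gets the same voucher back instead of draining the pool, and the values are HTML-escaped before going into the login form. It assumes the transaction id has already been verified with PayPal (for instance through IPN, as the linked module does); the function names, state file layout and sample data are made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:flock);
use Storable qw(store retrieve);
use File::Temp qw(tempdir);

# Return the voucher bound to $txn_id, allocating one only the first time the
# id is seen. Assumption: $txn_id comes from a payment PayPal has confirmed.
sub issue_voucher {
    my ($state_file, $txn_id) = @_;
    return undef unless defined $txn_id && $txn_id =~ /\A[A-Za-z0-9]{1,32}\z/;
    open(my $lock, '>>', "$state_file.lock") or die "lock: $!";
    flock($lock, LOCK_EX) or die "flock: $!";    # serialise concurrent requests
    my $state = retrieve($state_file);
    my $v = $state->{issued}{$txn_id};           # replayed redirect: same voucher
    if (!$v && ($v = shift @{ $state->{unused} })) {
        $state->{issued}{$txn_id} = $v;
        store($state, $state_file);              # persist before releasing the lock
    }
    close($lock);
    return $v;                                   # undef when the pool is empty
}

sub html_escape {
    my ($s) = @_;
    my %e = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$e{$1}/g;
    return $s;
}

# Build the auto-login form with quoted, escaped attribute values.
sub login_form {
    my ($v) = @_;
    return sprintf(
        qq{<form name="login" action="http://10.5.50.1/login" method="post">\n}
      . qq{<input name="username" type="text" value="%s" />\n}
      . qq{<input name="password" type="password" value="%s" />\n}
      . qq{<input type="submit" value="OK" />\n</form>\n},
        html_escape($v->{user}), html_escape($v->{pass}));
}

# Constructed sample data: two vouchers and made-up transaction ids.
my $file = tempdir(CLEANUP => 1) . '/vouchers.sto';
store({ unused => [ { user => 'v1001', pass => 'a"b<c' },
                    { user => 'v1002', pass => 'pw2' } ], issued => {} }, $file);
for my $txn (qw(TXNAAA111 TXNAAA111 TXNBBB222 TXNCCC333)) {
    my $v = issue_voucher($file, $txn);
    print "$txn => ", ($v ? $v->{user} : 'no voucher left'), "\n";
}
print login_form(issue_voucher($file, 'TXNAAA111'));
```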