
HotSpot HTTP-CHAP/RADIUS authentication

Posted: Wed Feb 07, 2007 11:49 am
by searled8
We are developing a payment/customer portal to facilitate online signup and payment of hotspot services. To this end we are developing a web portal to operate on a centralised web server. This server will also be the RADIUS server for the Hotspot service on the Mikrotik routers.

We would like to use HTTP-CHAP as client authentication as HTTP-PAP is too insecure without running SSL certificates on the hotspot HTTP server which we do not want to do.

To achieve seamless integration with the hotspot "login" servlet, we shall use a META Refresh tag in the "hotspot/login.html" file to redirect the client browser to our external central server login page (which will be in the walled garden, and also an HTTPS site). After purchasing time on the hotspot we need our central (external) web server to redirect the client's browser to "http://hotspot/login?...." providing the correct "username" and CHAP encoded "password".

I see from the MikroTik router servlet documentation (http://www.mikrotik.com/testdocs/ros/2.9/ip/hotspot.php) that we may use the variables "chap-id" and "chap-challenge". My question is, may I pass these variables as part of the initial META Refresh redirect from the hotspot servlet page (login.html) to our central portal, for use by the subsequent redirect from the central portal back to the hotspot's login servlet? Are there any timeouts or caveats regarding the CHAP challenge I should know about?

Regards, Dan...

Posted: Fri Feb 09, 2007 1:03 pm
by searled8
Interesting

Posted: Sat Feb 10, 2007 7:52 am
by bjohns
I touched upon methods of passing the MD5 encrypted password from the backend to the MT for authen. I couldn't work it out when I tried but I might revisit it again now that I have a few more ideas on how to do it.

I'm currently using https login.

Posted: Mon Feb 12, 2007 3:43 pm
by searled8
I too am having trouble getting the HTTP CHAP login method to work. My payment portal is using the following PHP to redirect the customer's browser to the hotspot login servlet...

// Username captured by the portal after purchase.
$username = $_SESSION['username'];
// CHAP response as built here: sprintf() is relied on to turn the "\032"-style
// chap-id and chap-challenge strings into raw bytes before the MD5 over
// id . password . challenge; the hex digest is lower-cased and URL-encoded.
$password = urlencode(strtolower(md5(sprintf($_SESSION['chap-id']) . $_SESSION['password'] . sprintf($_SESSION['chap-challenge']))));
// Redirect the browser back to the hotspot login servlet with both fields.
header("Location: " . $_SESSION['login-link'] . "?username=" . urlencode($username) . "&password=" . $password);

I'm using sprintf to decode the "\032" style chap-id and chap-challenge strings into their binary equivalent, inserting the plain text password from a session variable, MD5 hashing the entire string, then URL encoding it just in case.

I've tried lots of different permutations of the above, but the RADIUS server always denies the login because of CHAP authentication failure.

Can someone from MikroTik please give a detailed description of the exact method we need to use to construct the "password" field passed to the login servlet using HTTP CHAP authentication?

Dan...

Posted: Mon Feb 12, 2007 4:27 pm
by searled8
Ok, looks like I'm getting somewhere. PHP's sprintf function does not seem to decode the '\020\044\233' etc... octal characters.

Am I right in thinking that the chap-id and chap-challenge have to be decoded from their '\ooo' octal character representation to real strings before being MD5 hexed with the password?

E.g. given chap-id '\142' and chap-challenge '\141\152', do I want:

password = md5("\142password\141\152")

OR

password = md5("bpasswordaj")

????

Oh, and does anyone know why PHP's sprintf function is broken in this respect? What's the alternative?

Dan...

Posted: Mon Feb 12, 2007 4:55 pm
by searled8
Ok, solved. The problem is indeed that PHP does not decode, for example, '\040' to mean chr(32). So, before MD5ing the CHAP ID and CHAP challenge, make sure you convert the escaped octal characters into the real characters.
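The construction the thread converges on, as an added example that is not from any of the posts above. It is written in Python rather than the portal's PHP so the logic can be read on its own: decode the "\ooo" octal escapes in chap-id and chap-challenge to raw bytes, then take MD5 over id || password || challenge (the RFC 1994 CHAP layout the posted md5() line already uses) and hex-encode it. The sample chap-id "\142" and chap-challenge "\141\152" are the thread's own illustration, the "login-link" value is a hypothetical placeholder, and the undecoded variant is kept only to show that hashing the escape text literally gives a different answer, which is the failure the poster hit.

```python
import hashlib
import re
import urllib.parse

# Constructed sample values (the thread's illustration), not captured from a
# real router. The hotspot login page hands the portal chap-id and
# chap-challenge as strings in which raw bytes appear as "\ooo" octal escapes.
SAMPLE_CHAP_ID = r"\142"
SAMPLE_CHAP_CHALLENGE = r"\141\152"
SAMPLE_LOGIN_LINK = "http://hotspot/login"  # hypothetical "login-link" value

# A backslash followed by one to three octal digits.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")


def decode_octal_escapes(text: str) -> bytes:
    """Convert a "\\142\\141" style string to the raw bytes it stands for.

    Unescaped characters are kept literally as single Latin-1 bytes, so a
    challenge that mixes printable characters and escapes decodes correctly.
    An escape above \\377 cannot be one byte and is rejected.
    """
    out = bytearray()
    pos = 0
    for m in _OCTAL_ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        value = int(m.group(1), 8)
        if value > 0xFF:
            raise ValueError(f"octal escape {m.group(0)!r} is not a single byte")
        out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def chap_response(chap_id: str, password: str, chap_challenge: str) -> str:
    """Hex MD5 over id || password || challenge, with id and challenge decoded
    from their escaped form first. This is the value for the login servlet's
    "password" field."""
    digest = hashlib.md5(
        decode_octal_escapes(chap_id)
        + password.encode("utf-8")
        + decode_octal_escapes(chap_challenge)
    )
    return digest.hexdigest().lower()


def chap_response_undecoded(chap_id: str, password: str, chap_challenge: str) -> str:
    """The failing variant: the escape text is hashed as literal backslashes
    and digits. Kept only to show it differs from the decoded response."""
    raw = (chap_id + password + chap_challenge).encode("latin-1")
    return hashlib.md5(raw).hexdigest()


def build_login_url(login_link: str, username: str, password: str,
                    chap_id: str, chap_challenge: str) -> str:
    """URL the portal redirects the browser to; both fields are URL-encoded."""
    query = urllib.parse.urlencode({
        "username": username,
        "password": chap_response(chap_id, password, chap_challenge),
    })
    return f"{login_link}?{query}"


if __name__ == "__main__":
    print(decode_octal_escapes(SAMPLE_CHAP_ID),
          decode_octal_escapes(SAMPLE_CHAP_CHALLENGE))
    print(build_login_url(SAMPLE_LOGIN_LINK, "dan", "password",
                          SAMPLE_CHAP_ID, SAMPLE_CHAP_CHALLENGE))
```

Because unescaped characters pass through literally, chap_response("b", "password", "aj") equals chap_response(r"\142", "password", r"\141\152"), which is exactly the md5("bpasswordaj") form asked about in the thread. The chap-id and chap-challenge carried through the portal session must be the ones the receiving hotspot's login page issued; the values are only meaningful to that router for that login attempt.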