MikroTik

It appears that I have successfully installed ssl certificate and I can login as admin using https. I cannot, however login as another user. The user has prepaid time, and is enabled, but I get "invalid name or password" when trying to login as the user. Suggestions anyone?

You will have to show some of the hotspot config - without any further information I'd say it's "just" a config bug (or plain wrong username/password)...

Here is the process I used to get to this point:
1.Setup DHCP client on public side of MT box.
2.Setup DHCP server on private side of MT box.
3.Set date & time.
4.Enter command: ip hotspot setup

• Hotspot interface: ether1
  Local address of network: 192.168.88.1/24
  Masquerade network: yes
  Address pool of network: 192.168.88.10 – 192.168.88.100
  Select certificate: none
  IP address of smtp server: y.y.y.y
  dns servers: z.z.z.z, a.a.a.a
  dns name: www.mydomain.com
  Name of local hotspot user: admin
  Password for the user: hotspot

5.Setup router to run both User Manager (UM) and HotSpot service on same box.

• Enter command: ip hotspot profile set hsprof1 use-radius=yes
  Enter command: radius add service=hotspot address=127.0.0.1 secret=123456
  Enter command: tool user-manager router add subscriber=admin ip-address=127.0.0.1 shared-secret=123456

6.In UM, I edit the subscriber admin's properties as follows:

• Enter a value for Public ID: SWN
  Enter a value for Public Host: x.x.x.x (Public IP address of UserMan router)
  Enter a value for Email (under Private Information): myname@something.com

4.Enter a value for Currency: $
5.Enter a value for Time Zone:
7.In UM, create user credits Full Price and Extended Price.
8.In UM, create user “testuser”.

• Password: test
  Poolname: dhcp-pool-1
  Time: Full Price
  Save.
  Check box and click “Edit > Enable”

9.At this point, I can access Internet through hotspot login as both admin and testuser.
10.On a Linux box, I create the private key and a self-signed certificate.

• Enter Command: openssl genrsa -des3 -out privkey.pem 2048
  Enter Command: openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
  Country: US
  State: Texas
  Locality: Some City
  Organization Name: Bad Company, Inc
  Organizational Unit: .
  Common Name: www.mydomain.com
  Email Address: myname@something.com

11.Copy cacert.pem and privkey.pem to root of MT box via ftp.
12.On the MT box, I enter command: certificate import
13.Enter command: certificate print. It shows name=”cert1”
14.I rerun the command: ip hotspot setup. I keep all the values entered previously, except for “select certificate”. The value shown there is the Common Name on the certificate which is www.mydomain.com, which I accept.
15.Enter command: ip hotspot profile set hsprof1 login-by=https ssl-certificate=cert1
16.Enter command: ip service print. This command shows that the “www-ssl” service and the “api” service are disabled.
17.To enable the www-ssl and api service, enter the commands:

• ip service enable www-ssl
  ip service enable api

18.Enter command: ip service set www-ssl certificate=cert1
19.Enter command: ip hotspot profile set hsprof1 login-by=https ssl-certificate=cert1
20.I try to login as hotspot admin, the dialog box appears asking me if I want to accept the certificate. I click “Accept this certificate temporarily for this session”, and click OK. The little padlock also is displayed in the lower right corner of the browser.
21.The MT login screen appears, I login as admin with hotspot password. Internet comes up.
22.I go to my laptop and try to access internet. Accept certificate, and login as testuser, password “test”, and I get “invalid name or password”. I verified the name and password several times to no avail.

radius is a funny thing. I have a feeling the response you are getting is suppsed to be the radius response. I do not use the User Manager, but I think it manages only local users. I would set
/ip hotspot profile set X use-radius=no
Replace X with the line number after a print.
BTW, there is no RADIUS server in RouterOS (that I am aware of anyway).

radius is a funny thing. I have a feeling the response you are getting is suppsed to be the radius response. I do not use the User Manager, but I think it manages only local users. I would set
/ip hotspot profile set X use-radius=no
Replace X with the line number after a print.
BTW, there is no RADIUS server in RouterOS (that I am aware of anyway).

UserManager = RADIUS

Hi Normis!

Just for future reference, do you need to set up the radius settings for it? And 127.0.0.1? Can other MT boxes use this as a RADIUS server also?

yes yes yes

see http://wiki.mikrotik.com/wiki/User_Manager

Thanks, thanks, thanks!

BTW, the new boxes (RB433, RB433AH) are working great. V3.11 caused a little grief with the hotspot transparent proxy, but that was easily overcome. Thanks for all.

alphastate: Then my suspicions are correct. That is Radius responding. Insure your radius secrets match.

radius secret is correct. radius works because hotspot user "admin" CAN log in, but the hotspot user "testuser" can NOT. Why one user but not the other?

Are you sure "admin" is a radius user and not a user on the hotspot? My hotspot installs asks me for a user/password for a default user "admin" as the last step. That user doesn't require radius. That is how I test whether it is the hotspot or radius malfunction. If I can login with the "admin" user/password, but not a radius user, then something is incorrect in the radius setup on one or both ends.

ADD: Check the logs on both boxes after a user/password check on both local and a radius user. Maybe that will help track down the problem.
Also check
/ip hotspot user
and see if there is an "admin" user there. If so, that is why you can login with "admin", but not "testuser".

The docs on the SSL login says the login type changes from http-chap (md5 hash encrypted) to http-pap (clear text) on the radius side if you select login-by=https. I know how to change that in FreeRadius, but not User Manager.

I decided to re-install MT from scratch. After I setup dhcp and the clock, I ran the command:
/ip hotspot setup.

Next, I created hotspot users. This time, however, to avoid getting the hotspot users confused with the routerOS users, I gave them the names, hs-admin and hs-test1.

Then, I verified that both could login. The command /ip hotspot profile print shows 2 profiles; default and hsprof1.

Then, I upload and import the certificates, /certificate import. I run /ip hotspot setup again, this time entering the certificate that I uploaded.

Then, I ran the command /ip hotspot profile set hsprof1 login-by=https ssl-certificate=cert1 (cert1 = the name of the certificate).

To test it, I cleared the cookie cache of my web browser, and re-opened the browser as both hs-admin and hs-test1. Both asked for me to accept the new certificate and both were able to log in. I get the little padlock in the lower right corner of the browser showing that its using the HTTPS protocol.

So far, so good. I haven't enabled radius yet, but what's really weird is that if do /ip service print, it shows that the service www-ssl is disabled and has no certificate! Also, the command /ip hotspot profile print shows 4 profiles; default, hsprof1, hsprof2, hsprof3. Profile hsprof1 shows login-by=https. Profile hsprof2 & hsprof3 shows login-by=cookie, http-chap.

Why 4 profiles?
Why does it show that www-ssl services are disabled with no certificate when SSL is up and working?

Well, I finally got RADIUS to work with SSL certificates. I think I need to write a cookbook procedure for this, because there were a few things not mentioned in the docs on how to do this. Anybody interested? First I want to see if I can duplicate it.

Yes, I am interested to learn what you have found. I don't use this yet, but I may someday.