
v5.19 Freeradius + Mysql + Hotspot

Posted: Thu Jul 26, 2012 5:03 am
by dinopio
Hi there,

This is my first post to the forum and I would like to say hi to everyone here.

I am going to be as descriptive as possible in order to get a clear answer on whether what I am looking to do is possible.

I am going to buy quite a lot of Mikrotik routerboards in order to launch a large network of Wireless hotspots.

- Security will be open (open wifi, no encryption)
- Authentication needs to be done with Radius with a central Freeradius server which is accessed from the internet, not lan.
- Each Mikrotik will have an unknown public IP address, as the internet connection IP which feeds the mikrotik might change on each power up.
- A welcome page will prompt the user to enter his cell phone in order to receive an sms with a password which will last for 1 hour only (username= cellphone, password= randomly generated)
- The user will be shown the user/pass page after he enters his cell phone + newly generated password and will be allowed to use the public internet for 1 hour.
- Upon 1 hour, the system needs to drop the connection all together and force him to repeat the same process from the beginning in order to get a new password (username remains the same)

I have a Linux server set up, on which I will install freeradius, mysql and the welcome page for the user to enter his cell phone. When the cell phone is entered, the user will authenticate via the hotspot page of the mikrotik interface in order to get his access granted by the freeradius database.

Is this a possible case scenario?
Are there any similar setups/examples present anywhere?
Is there another way to do this (easier?)

Any feedback/help/scripts and information will be greatly appreciated.

Regards

dinopio

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Thu Jul 26, 2012 8:01 pm
by boen_robot
It would probably be better if from your unencrypted landing page (which, BTW, you could set up without hotspot being involved IF your web server is within your network), after entering their phone, you send them a Wi-Fi password that is bound to their device's MAC address (the one from which they entered their phone). RouterOS can be configured to require a different Wi-Fi password (and/or display a different SSID) based on MAC address, along with providing a default unencrypted connection for unknown MACs, with all of this data being supplied by a RADIUS server.

This way, you provide better security for your users, as well as eliminating the username field completely.

I'm curious... how do you plan on monetizing this? Do you have a contract with the mobile provider for getting money from SMS messages you send? If the contract is instead the other way around (getting money for SMS messages you receive), it might be a better idea to ask people to send an SMS to your number (which would of course be connected to your server), with a certain text, at which point you get your money, and send them back the generated password.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Thu Jul 26, 2012 8:48 pm
by dinopio
I replied from my iPhone but the post never showed up so I am writing it again.

The project has to be an open wifi, it's a requirement.
It's 100% free for the users, there is no gain from it. Even the SMS which will deliver the user credentials will be paid by the network owner.

The way I see it is that the user should be able to follow the exact flow:
1. Find our open WiFi
2. See a landing page which will ask for a user/pass and also show the "don't have an account? Enter your cell phone to get one FREE"
3. Wait for SMS and then login accordingly
4. Use the internet for 1 hour and then drop the connection.

That's it.

No monitoring is required as each session only lasts 1 hour and the user is always using the same cell phone to get another hour.
This is it, simple and free.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Fri Jul 27, 2012 11:03 pm
by dinopio
I don't see any example of how to put an "expiry" on the Radius server in order for the Mikrotik to disconnect the user.
I see that the User Manager has it but not in radius.

I need some guidance for this as it's important for me to be able to kick off users in 1 hour.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Sat Jul 28, 2012 12:10 am
by boen_robot
If it's all going to be free and without monitoring, why the landing page and registration to begin with? Why not skip the whole process?

If the point is "no gain, but people need to know who gave them what they're using", you could have a landing page with your logo and what not, and a "Start browsing" button, which would enable the user to browse for 1 hour (unencrypted and all) before landing on that same page again, to press the button again.

Behind the scenes, you have a simple hotspot login page (initially set up on all routers) which has hidden form fields that automatically fill in a predefined username/password combo that the router is set up to allow a maximum of 1h uptime. Oh, and use a profile that would specify "shared-users" to a high value (like 255 or whatever the length of your address pool is), so that everyone can use this account separately (i.e. 1h per device).

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Sat Jul 28, 2012 9:59 am
by dinopio
As in my previous posts, I have requirements.

The cell phone + SMS is one of them.

Try not to change the idea, but to help me implement what I am looking for.

Is it possible to have expiry on hotspot users when using free radius? Or must I use the built-in radius for this to work?

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Sat Jul 28, 2012 4:16 pm
by boen_robot
> Is it possible to have expiry on hotspot users when using free radius? Or must I use the built-in radius for this to work?

You can use free radius too. Just make free radius set the "Session-Timeout" attribute upon login.

> Try not to change the idea, but to help me implement what I am looking for.

Some ideas are just bad, and need to be called out as such. I'm trying to help you achieve your goal, which (as I'm trying to convince you) may be better implemented by a different - better - setup/idea.

> As in my previous posts, I have requirements.
>
> The cell phone + SMS is one of them.

But why? Why bother users with that? I can understand it if you (or the mobile provider?) need to make money through this procedure, or if you want to monitor traffic (for statistics' sake), or if this procedure would somehow provide better security for users... but none of these is true, so what gives?

As you can see above, what you want can be done, and if you could get yourself just one MikroTik router for testing purposes, you'll see it's not very hard to set up. But it's pointlessly complicated. It's like you're asking me to help you create a password for a folder that will always be empty - pointless I tell you.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Sat Jul 28, 2012 4:31 pm
by dinopio
> > Is it possible to have expiry on hotspot users when using free radius? Or must I use the built-in radius for this to work?
>
> You can use free radius too. Just make free radius set the "Session-Timeout" attribute upon login.
>
> > Try not to change the idea, but to help me implement what I am looking for.
>
> Some ideas are just bad, and need to be called out as such. I'm trying to help you achieve your goal, which (as I'm trying to convince you) may be better implemented by a different - better - setup/idea.
>
> > As in my previous posts, I have requirements.
> >
> > The cell phone + SMS is one of them.
>
> But why? Why bother users with that? I can understand it if you (or the mobile provider?) need to make money through this procedure, or if you want to monitor traffic (for statistics' sake), or if this procedure would somehow provide better security for users... but none of these is true, so what gives?
>
> As you can see above, what you want can be done, and if you could get yourself just one MikroTik router for testing purposes, you'll see it's not very hard to set up. But it's pointlessly complicated.

Thanks for the answer for the session time out.

To let you understand the SMS concept, it's purely to be able to keep non-local cell phone users from using the service (local citizens only). E.g. you won't be able to use this free service if you are not on a local network with a local prefix. I hope you understand it now... and yes, it's a requirement, not a complication.

Thank you again for your advice and I will come back with my results.

Dino

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Sat Jul 28, 2012 4:43 pm
by boen_robot
Yes, I do now. Thank you for making sense :) .
> and yes, it's a requirement, not a complication.

I said "pointlessly complicated", but since there is a point (limiting access to local citizens is a point), then we're no longer talking about a "pointless" complication (that happens to also be a requirement) ;) .

The only thing I have left to say is to reiterate what I said in the last post - get just one MikroTik first, test it out, and then buy the rest, and configure them with copies from the first router's configuration.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Sat Jul 28, 2012 6:00 pm
by dinopio
I have a test unit :D
I'm loving it more every day!

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 12:44 am
by dinopio
Everything is set up and working except the session-timeout part.

I have the raduser and radreply set up like this:


raduser

id username attribute op value
1 testuser Cleartext-Password := testpass

radreply

id username attribute op value
1 testuser Mikrotik-Group := default

I am able to login using this setup.

I have been reading up on Session-Timeout but I do not see any implementation of it anywhere in SQL form. I am guessing some kind of SQL needs to be added to the sql.conf (I used the default one from the mikrotik examples) and also another field in the radreply to send the session timeout string and value...

My requirement is to simply log the user off (from the hotspot) and force him to re-login using his user and pass again (simply to avoid idle connections)... it's OK to re-login using the same credentials.

Any help would be greatly appreciated.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 4:22 am
by SurferTim
I don't know about sending the session timeout from the RADIUS server, but you can assign a session timeout to the hotspot user profile (Mikrotik-Group). Since you are assigning Mikrotik-Group=default from the RADIUS server, then this should work:
/ip hotspot user profile
set default session-timeout=1h
You should be able to send it from the RADIUS server like this in the radreply table
id username attribute op value
1 testuser Session-Timeout := 1h

Enable radius debug logging to check the response from the RADIUS server in the router. Ensure it is being sent correctly.
/system logging
add topics=radius,debug action=memory

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 11:29 am
by dinopio
I tried what you suggested, adding that row in radreply, but it conflicts with the login process: "invalid username or pass"

Do I need to modify the sql.conf of the freeradius to handle such a request? Here is what I have now.

# The default queries are case insensitive. (for compatibility with
# older versions of FreeRADIUS)
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authreply_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 2:34 pm
by SurferTim
I tried this and it worked for me.
insert into radreply (UserName,Attribute,op,Value) values ('testuser','Session-Timeout','=','3600');
The login response from the RADIUS server returns "Access-Accept" and "Session-Timeout = 3600" to the router.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 3:39 pm
by dinopio
That worked!
My error was that I put 1h instead of 3600
(got confused with the first example)

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 3:42 pm
by SurferTim
My bad. I tried the "1h" also, and the RADIUS server returned "Access-Accept" and "Session-Timeout = 1". One second will not let you log in.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 4:24 pm
by ravin
What are you using for :
1) generating random password
2) sending sms on mobile with id and password

Also are you storing the mobile nos in database ? if so, how ?

Thanks

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 5:47 pm
by dinopio
> What are you using for :
> 1) generating random password
> 2) sending sms on mobile with id and password
>
> Also are you storing the mobile nos in database ? if so, how ?
>
> Thanks

1) just a php script using 8 random digits from 0-9 A-F
2) an sms gateway plugin using a standard SMS provider that has an API to interact with it programmatically.
3) I use the username field as the mobile phone number. Users should find it easier to remember it this way :)
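
The issuing step described in this post, together with the "1h" versus 3600 mix-up earlier in the thread, sketched in Python as an added example (not dinopio's PHP script). The function names, the `+999` prefix and the phone numbers are constructed for illustration; the password comes from the operating system's CSPRNG, and the lifetime is always written as integer seconds because FreeRADIUS returned "1h" as `Session-Timeout = 1`.

```python
import re
import secrets

HEX_ALPHABET = "0123456789ABCDEF"      # the thread's "0-9 A-F" alphabet
_UNITS = {"s": 1, "m": 60, "h": 3600}


def to_seconds(value):
    """Convert '3600', '45m' or '1h' to integer seconds; reject anything else."""
    match = re.fullmatch(r"(\d+)([smh]?)", str(value).strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(match.group(1)) * _UNITS[match.group(2) or "s"]


def new_password(length=8):
    """8 hex characters = 32 bits, drawn from the OS CSPRNG.

    A non-cryptographic generator would make passwords sent by SMS
    predictable; secrets.choice() avoids that.
    """
    return "".join(secrets.choice(HEX_ALPHABET) for _ in range(length))


def issue_credentials(phone, local_prefix, lifetime="1h"):
    """Return the check and reply rows for one SMS-issued login.

    phone is the RADIUS username, as in the thread. Numbers outside
    local_prefix (a hypothetical parameter) are refused before any SMS is
    paid for. Rows are returned as tuples so the caller can insert them
    with a parameterized query, never by string concatenation.
    """
    if not re.fullmatch(r"\+?\d{6,15}", phone):
        raise ValueError("not a phone number")
    if not phone.startswith(local_prefix):
        raise ValueError("not a local number")
    return {
        "check": (phone, "Cleartext-Password", ":=", new_password()),
        # Always integer seconds: "1h" in radreply was sent as 1 second.
        "reply": (phone, "Session-Timeout", "=", str(to_seconds(lifetime))),
    }


if __name__ == "__main__":
    rows = issue_credentials("+99955501234", "+999")   # constructed number
    print(rows["check"][:3], "<password withheld>")
    print(rows["reply"])
```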

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Aug 07, 2012 11:41 pm
by CACoC
This forum certainly is an interesting read as I have just fired up my 1st RB751.

I can see that it is infinitely more complex than what I am used to, but love the idea of tinkering.

I am hoping to set up a similar network to dinopio, but I was hoping to keep the locals off the network. lol :lol:

I will explain in a new thread.

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Wed Aug 08, 2012 12:14 am
by CACoC
Looking to set up a similar network to dinopio, but I am looking to keep the locals off the network. :lol:

More about that in a different thread.

Is there a setup guide for the RB751 ?

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Tue Oct 09, 2012 3:52 pm
by pjulian
I know this is a bit old but thought I would reply anyway.

The session timeout is exactly that, a session timeout, it will not limit uptime which is what I think you want to do.

What you need to do is keep track of how long the user has been online using the radius accounting by updating accounting records every 5 mins or so, then determine a maximum time for the user to get in total, say 1 hour, then when they login you need to check the login time used from the radacct table for the user, and if it's over 1 hour don't let them login, you can also use this to set the session timeout to kick them off.
Let's say they have used 45 mins already and they have a total of 1 hour, so when they login next time you need to check the total time they have logged in which is 45 mins, subtract that from your 1 hour (60 mins) and you get 15 mins, so you then pass that back to Mikrotik as the session-timeout attribute which will set the session time for the login. Once it hits 15 minutes then the hotspot kicks them off, and when they try and login next time the radius server will check the radacct table and calculate that they have used their 1 hour and deny login.

Easy...right ;-)

Regards
Paul
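
The accounting-based check Paul describes, as an added Python sketch rather than code from any poster or from FreeRADIUS. It uses an in-memory SQLite table with the `username`, `acctsessionid`, `acctsessiontime` and `acctstoptime` columns of the stock radacct schema; the usernames, session rows and the `authorize` function are constructed for illustration.

```python
import sqlite3

QUOTA_SECONDS = 3600   # total allowance per user: the thread's 1 hour


def authorize(db, username, quota=QUOTA_SECONDS):
    """Decide a login from the time already recorded in radacct.

    Interim accounting updates (every 5 minutes or so) keep
    acctsessiontime current for sessions that are still open, so one SUM
    covers both closed and open sessions.
    """
    used = db.execute(
        "SELECT COALESCE(SUM(acctsessiontime), 0) "
        "FROM radacct WHERE username = ?",
        (username,),               # bound parameter: the username is user input
    ).fetchone()[0]
    remaining = quota - used
    if remaining <= 0:
        return "Access-Reject", {"Reply-Message": "Time allowance used up"}
    # Session-Timeout is an integer number of seconds; the hotspot drops
    # the session when it elapses.
    return "Access-Accept", {"Session-Timeout": remaining}


def demo_db():
    """Constructed sample accounting data."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (username TEXT, acctsessionid TEXT, "
        "acctsessiontime INTEGER, acctstoptime TEXT)"
    )
    db.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?, ?)",
        [
            ("+99955501234", "s1", 1500, "2012-10-09 10:25:00"),
            ("+99955501234", "s2", 1200, None),   # open session, 45 min so far
            ("+99955505678", "s1", 3600, "2012-10-09 11:00:00"),
        ],
    )
    return db


if __name__ == "__main__":
    db = demo_db()
    for user in ("+99955501234", "+99955505678", "+99955509999"):
        print(user, authorize(db, user))
```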

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Sun Oct 28, 2012 5:19 pm
by kgninfos
hi
we have implemented many custom freeradius modifications to suit customer needs
and we can easily make this for you

if you want to know details about this and pricing please pm me

Thanks

Re: v5.19 Freeradius + Mysql + Hotspot

Posted: Fri Apr 08, 2016 4:27 pm
by rokio
@Dinopio - I am trying to set up free wi fi hotspot with authentication tagged to a local database with sms on the RB3011 uA IS -rm. How can you help?