[SOLVED] Hotspot: How to re-authenticate....

dconnrt · Thu Apr 02, 2009 4:54 pm

Hi all,

Does anyone know how to call-back to the routeros hotspot page (/hotspot/redirect.html) in such a way as to ask it to re-check against the freeradius server?

I'm entering the user (their MAC address) into the radcheck table but I have to dis-associatiate and re-associate to the Mikrotik AP before it'll re-authenticate the user and let them on the Internet.

I know loads of you out there have this working and I'm sure its something silly that I haven't worked out yet

thanks very much!

Derek

dconnrt · Fri Apr 03, 2009 11:13 am

Is there good hotspot documentation anywhere?

I have not cracked this problem. The only way I can make the routeros Hotspot re-check the user against the freeradius server (after its checked and then the user's mac has been added to the radius sql) is by re-associating wirelessly to the hotspot AP.

Someone must know how I can force the routeros Hotspot to re-check against the radius server on demand? Can I pass a variable to a routeros Hotspot HTML page or something?

thanks,

Derek

dconnrt · Fri Apr 03, 2009 9:52 pm

hello

dconnrt · Sun Apr 05, 2009 1:31 am

Hi all,

I still havent' worked this out but I've spent ages trying lots of different settings in routeros hotspot and the HTML/servlet pages.

Does anyone know how to make routeros hotspot re-check the user against the radius server?

thanks very much,

Derek

dconnrt · Mon Apr 06, 2009 4:53 pm

Hi Normis,

I guess you are the authority on routeros.

I can't get hotspot to work 100% - I don't know how to get Mikrotik to re-authenticate against a freeradius server after I've inserted the user's mac address into the radcheck table.

Can you tell me how to make routeros hotspot attempt to re-check the user against the freeradius server? (re-associating the client computer shows that hotspot is working bar this issue).

thank you very much,

Derek

Tue Apr 07, 2009 8:34 am

you asked about documentation - it's here:
http://www.mikrotik.com/testdocs/ros/3. ... otspot.php

I don't understand why you need to reauthenticate the user? if authentication is done by RADIUS, RADIUS will be the one to force reauthentication, not RouterOS.

dconnrt · Tue Apr 07, 2009 1:05 pm

Hi Normis,

The problem seems to be that 1) routeros checks against radius to see if the user is allowed by MAC 2) radius says NO and routeros redirects to my web server which writes the user's mac into the radius mysql table then redirects back to routeros servlets then 3) routeros DOESN'T check against radius again, it seems to remember that the user isn't allowed through the hotspot and redirects back to the web server again.

But if I then un-associate and re-assoicate to the hotspot routeros does check against radius again, gets told that the mac is allowed and gives access.

So - is there some way for me to tell routeros to re-check against the radius server after the mac has been written to the database ?

To-date I've been redirecting to /login or /redirect servlets (from the public web site back to the routeros board) but I've got stuck with this problem.

I know I'm very close to working.

thanks for your help

Derek

dconnrt · Wed Apr 08, 2009 9:36 pm

Hi again,

I'm still having no luck with routeros / freeradius / mac authentication.

Are there know problems with this?

Is anyone else using routeros with mac authentication for a typical pay-for-Internet Hotspot?

I was on to Irish Mikrotik distributors today and they suggested using cookie, rather than Mac, authentication but I'm sure that the Mac router is the way to go. It's working fine for me with OpenWRT + Coova Chilli and I just can't get why I'm having these problems with routeros.

thanks,

Derek

dconnrt · Wed Apr 15, 2009 2:42 pm

Hi all,

I got my Mac / freeradius Hotspot working perfectly during the weekend: -

I replaced the Mikrotik / routeros board with a WRAP board and OpenWRT....

D

locu · Thu Apr 22, 2010 1:26 am

It seems this user's issue never got resolved and he ended up going to a different product.

We are having the same issue. Example, and real-life scenario:

1. User connects, MT attempts freeradius auth using MAC, it fails
2. User pays their bill, or signs up for service, now the MAC is available in freeradius
3. Need to have the MT re-attempt the MAC, because currently it's disallowed

Any thoughts?

fewi · Thu Apr 22, 2010 2:18 am

Redirect the user back to either the /login servlet on the router with the right GET parameters set, or just redirect him to some random site that isn't permitted in the walled garden, causing the router to bring up the login page again. At that point the RADIUS will ACCEPT the request.

laceytech · Tue May 18, 2010 6:33 am

I am stumped as the original poster on the proper form of the redirect from the external login page.
My set up is external radius, external login page.
servlet login.html

<html>
<title>...</title>
<body>
<form name="redirect" action="https://billing.mynetwork:12345/cgi-bin/portal.cgi" method="post">
<input type="hidden" name="cmd" value="login">
<input type="hidden" name="clientmac" value="$(mac)">
<input type="hidden" name="clientip" value="$(ip)">
<input type="hidden" name="user" value="$(username)">
<input type="hidden" name="link-login" value="$(link-login)">
<input type="hidden" name="clienturl" value="$(link-orig)">
<input type="hidden" name="error" value="$(error)">
<input type="hidden" name="nasip" value="$(hostname)">
<input type="hidden" name="nasid" value="$(server-name)">
<input type="hidden" name="nasifc" value="$(interface-name)">
</form>
<script language="JavaScript">
<!--
   document.redirect.submit();
//-->
</script>
</body>
</html

I get the splash page, select the service, service get populated into the radius database.
Send a redirect to a page that is not in the walled garden back to the subscriber.

<html><head>
<meta http-equiv="refresh" content="0; url=http://my.outsidewalledgarden.com">
<meta http-equiv="pragma" content="no-cache">
</head><body></body></html>

Subscriber gets cannot display page, no attempt to go back to the radius server
As soon as I delete the subscriber from the hosts list or the subscriber idle times out, which deletes the subscriber from the list, the subscriber will authenticate.

I am missing something very obvious. I have read and re-read the Hotspot documentation.
Any suggestions would be appreciated. I have used Willi-OS in the past very successfully. I now need to make Mikrotik work.
Thanks

fewi · Tue May 18, 2010 4:21 pm

Are you populating the database with a username/password or with a MAC address? Can you redirect straight back to /login?username=username&password=password for the router servlet? MAC logins use the MAC address for the username and password.

laceytech · Tue May 18, 2010 6:06 pm

Thank you for the quick response.
Authenticating by MAC, so populating by MAC.
radius server/splash page address is 192.168.20.47
router wan address 192.168.20.14
router lan address 10.10.10.1
redirect is is now

<html><head>
<meta http-equiv="refresh" content="0; url=http://10.10.10.1/login?username=00:02:3F:31:27:4B&password=00:02:3F:31:27:4B>
<meta http-equiv="pragma" content="no-cache">
</head><body></body></html>

I get redirected back to the splash page without trying to authenticate with the radius server
I think I am close but still not smoking cigars.

fewi · Tue May 18, 2010 9:33 pm

Is that the exact HTML? You're missing a closing quotation mark for the content parameter.

<meta http-equiv="refresh" content="0; url=http://10.10.10.1/login?username=00:02:3F:31:27:4B&password=00:02:3F:31:27:4B>

should be

<meta http-equiv="refresh" content="0; url=http://10.10.10.1/login?username=00:02:3F:31:27:4B&password=00:02:3F:31:27:4B">

or you're going to pass on a very long and wrong password.

For the record, what you're doing works for me. External login screen that allows people to buy access with a credit (authorize.net transaction), on successful transaction the server inserts a username and password into a SQL database. I forward back to the login servlet just like you are doing, the Hotspot then correctly authenticates the user against RADIUS.

laceytech · Wed May 19, 2010 1:34 am

Yes, I did have the ending quotation. Thanks for the confirmation.
I still do not see the router send an authentication message to the radius server.
I have only modified the login.html to forward to the external page.
When I set the timeout value to like 2 seconds, the host times out and authenticates.
Have I missed something else?
Thanks
Jim

fewi · Wed May 19, 2010 1:55 am

See http://forum.mikrotik.com/viewtopic.php?f=2&t=41856 for a working configuration with an automatic logon, but you're trying to basically do the same thing as you want some webpage to automatically log the user in (though in your case you first create the account, rather than use a static account for everybody) - note that for this to work you need HTTP-PAP enabled as an authentication method on the Hotspot. Does that help?

laceytech · Wed May 19, 2010 9:20 am

Fewi,
Thank you very much. It works as expected.
The biggest change was adding pap and changes to redirect.html, and alogin.html to match the example you cited.
I did not have to change login.html at all.
Thanks again,
Jim

Coins · Sun May 23, 2010 1:14 pm

Hello Fewi,
I wish to salute for your obvious expertise on most of the issues here on the forum. I wish you can help me trash out a serious issue. Am using RB450G as a network Server coupled with WBS-240 AP to provide wireless internet services to clients making use of CPEs configured on Static IP so as to know who's doing what. The AP is presently on MAC filtering with disabled DHCP server. I want to setup the clients to be authenticated through Aradial Radius.I have keyed in all the user information necessary in the Radius but am stuck on how to get Mikrotik to relate effectively with the Radius Server. We wish to stick with the MAC filtering the AP is working on presently. I can work with you online if you need me to.

thanks