asomervell
just joined
Topic Author
Posts: 6
Joined: Thu Sep 09, 2010 6:47 am

Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 7:05 am

Heya,

From what I understand the only way to redirect a user to an external authorisation service using a Mikrotik Hotspot is to put either a META refresh or Javascript redirect in login.html on the router.

The problem with this is that a large number of high revenue earning Smart Clients only follow HTTP 302 redirects, not META refresh. Now, the WISPr spec says they should follow both, but they don't. This includes Skype, iPass and Boingo (pretty much the three biggest).

Our dev team is currently working on embedding our WISPr XML in login.html to mitigate this for now, but we'd really appreciate it if there was a parameterised way to set a 302 redirect to somewhere other than login.html.

Have I missed something? Does this already exist? Something Mikrotik can look at? Getting large vendors to change the way their Smart Client works takes a long time, they're doing it for us, they just have an install base of millions to drag up to speed :(

Thanks in advance.

A
 
asomervell
just joined
Topic Author
Posts: 6
Joined: Thu Sep 09, 2010 6:47 am

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 8:58 am

Also meta refresh is strongly discouraged by the W3C and arguably deprecated...

http://www.w3.org/TR/WCAG10-HTML-TECHS/#meta-element
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 9:26 am

A 302 redirect can only be achieved by .htaccess or PHP, and neither of those is possible with RouterOS. It also completely bypasses the local pages, so I can't imagine how it could work with the current hotspot system.

This is how you make the redirections:
http://wiki.mikrotik.com/wiki/Manual:Cu ... t#Examples

meta refresh is not used.
 
asomervell
just joined
Topic Author
Posts: 6
Joined: Thu Sep 09, 2010 6:47 am

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 10:12 am

Sorry but there are heaps of examples in the forum and wiki of people using META refreshes.

A 302 redirect can and should be able to be sent by any web server, including RouterOS'.

I know you can't use header() or .htaccess but I believe if there are no valid ways then it should be a (reasonably straightforward to implement) feature of RouterOS.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 10:20 am

OK, will add to feature requests.
 
asomervell
just joined
Topic Author
Posts: 6
Joined: Thu Sep 09, 2010 6:47 am

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 10:32 am

Sweet, if you'd like any further information please let me know.

It seems to me that /login redirects to login.html (or at least serves it directly, and that's a parameter right?) When that mechanic is followed through on the server, the ability to specify an external URL in the parameter would be awesome.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 1:25 pm

I just completed a wiki on the external login page.
http://wiki.mikrotik.com/wiki/HotSpot_e ... login_page
My question is: How do you plan on getting the variables from the router to your external login page? Would a redirect be able to do that? I can see you could do without some of them, but I cannot see how that page would be effective without the $(error) variable.

ADD: I prefer the POST method. With GET, I am uncomfortable putting an encoded url in a url. I smell overflow!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 3:21 pm

You could only pass on GET parameters, not POSTs.

METAs are technically deprecated, but particularly so for auto refreshes and not single redirects. Until a proper 302 method is included in RouterOS - want want want want want that, pretty please, because yes, that would be cleaner - in my opinion a META is better than JavaScript, which fails on quite a few devices. NoScript is getting increasingly popular breaking even 'normal' clients, and captive gateway pages aren't usually whitelisted and are seen as hostile by users (as many are overloaded with ads and want money from you).

That said, the Boingo and iPass smart clients both use WISPr and both appear to work fine with external login pages redirected to via METAs. Not 100% sure on that, I didn't handle integration with them - but we partner with both for roaming, and the RADIUS logs show many users from both domains.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 3:53 pm

Hey fewi! Do you see my concern with the GET method? If you use a client-entered url encoded, plus adding all the other variables that need to be sent, it could exceed the url size limit.

I have not checked how well this works yet, but if it is just a JavaScript challenge, I would rather have a form "submit" button with a "If you are not redirected in a few seconds, click here" on the login.html on the router.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 3:59 pm

Yes, you could overflow. Depends on the URL length. If you are submitting the $error variable you could redefine errors as just four byte hex values and re-interpret on the external servers. So far I have not seen overflows. It wouldn't be client encoded as such, though, unless I misunderstood the term. The whole thing would be hardcoded with just the variables dynamically interpolated. Edit: or are you talking about the originally requested URL in its variable? I never pass that on since I always show a "thanks you're now connected" page so I never considered that, but yes, good point - that would have good chances of overflowing a URL and JavaScript would work better.
I guess it's also a matter of taste. For me the META method works well, as much of a kludge as it is. If JavaScript works better for you, hey, there you go. Whatever gets the job done. We have fewer support calls with META methods.

I would love a proper 302 method, though. Maybe an "external server profile" that defines the URLs for the existing internal HTML pages the servlet loads, together with key/value pairs for important variables and their external name. Then tie that profile to Hotspot server profiles via a parameter. If set to none the internal pages are used and loaded and output by the servlet, if set to a profile the servlet throws a 302 with the URL constructed with the values from the profile. Shouldn't be TOO hard to build, and it would be a great, great feature.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 4:24 pm

I tried the submit button with JavaScript disabled, and it worked well. The challenge for me was not there, but the login.php page. I use http-chap to encrypt the password (requires JavaScript).

If you use pap (which I remember you do) this would be ok.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 4:53 pm

Yeah, I use SSL everywhere (so PAP within the SSL/TLS wrapped page).
 
asomervell
just joined
Topic Author
Posts: 6
Joined: Thu Sep 09, 2010 6:47 am

Re: Mikrotik Hotspot and WISPr Clients

Tue Oct 19, 2010 11:06 pm

Agree with the above

SurferTim wrote:
> Hey fewi! Do you see my concern with the GET method? If you use a client-entered url encoded, plus adding all the other variables that need to be sent, it could exceed the url size limit.

Just on this, don't know if I'm making any sense but passing any client data or receiving $(error) is all handled on our side, we just pass a username and password back for RADIUS.

fewi wrote:
> I would love a proper 302 method, though. Maybe an "external server profile" that defines the URLs for the existing internal HTML pages the servlet loads, together with key/value pairs for important variables and their external name. Then tie that profile to Hotspot server profiles via a parameter. If set to none the internal pages are used and loaded and output by the servlet, if set to a profile the servlet throws a 302 with the URL constructed with the values from the profile. Shouldn't be TOO hard to build, and it would be a great, great feature.

Exactly :)
 
jacovant
just joined
Posts: 5
Joined: Fri Feb 11, 2005 12:11 pm
Location: South Africa

Re: Mikrotik Hotspot and WISPr Clients

Wed Oct 20, 2010 10:49 am

All you need to make your pages wispr compliant is to add the wispr xml in the login.html. We use this and it is working with clients from IPASS, WeRoam, Boingo, Skype and several others.

You can still make use of an external hotspot login page by adding some redirecting using a post.

Example login.html:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!--
<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://YOUR WEB SERVER DNS NAME GOES HERE/WISPAccessGatewayParam.xsd">
<Redirect>
<AccessProcedure>1.0</AccessProcedure>
<AccessLocation>isocc=za,cc=27,ac=12,network=AlwaysOn</AccessLocation>
<LocationName>AlwaysOn:ZA, Other, AlwaysOn Office</LocationName>
<LoginURL>$(link-login)</LoginURL>
<AbortLoginURL>$(link-logout)</AbortLoginURL>
<MessageType>100</MessageType>
<ResponseCode>0</ResponseCode>
</Redirect>
</WISPAccessGatewayParam>
-->
<title>...</title>
</head>
<body>
<form name="redirect" action="" method="post">
<input type="hidden" name="mac" value="$(mac)" />
<input type="hidden" name="hostname" value="$(hostname)" />
<input type="hidden" name="ip" value="$(ip)" />
<input type="hidden" name="user" value="$(user)" />
<input type="hidden" name="link-login" value="$(link-login)" />
<input type="hidden" name="link-orig" value="$(link-orig)" />
<input type="hidden" name="error" value="$(error)" />
</form>
<script language="JavaScript" type="text/javascript">
<!--
document.redirect.action = "YOUR EXTERNAL URL GOES HERE";
document.redirect.submit();
//-->
</script>
</body>
</html>


In Logout.html add the following in the head:

<!--
<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://YOUR WEB SERVER DNS NAME GOES HERE/WISPAccessGatewayParam.xsd">
<LogoffReply>
<MessageType>130</MessageType>
<ResponseCode>150</ResponseCode>
</LogoffReply>
</WISPAccessGatewayParam>
-->
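
An offline check for the approach in the post above, added here as an example and not part of the original post: it pulls the WISPr XML out of the HTML comment the way a smart client has to, and flags a `LoginURL` that is missing, still an unsubstituted `$(link-login)`, or not https. The function name, the sample page and its host names are constructed for illustration; the expected `MessageType`/`ResponseCode` values are the ones in the post's example, and the https requirement is an assumption of this check.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: login.html as served after RouterOS has substituted
# $(link-login) and $(link-logout); the host names are placeholders.
SAMPLE_LOGIN_HTML = """<html><head>
<!--
<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://portal.example/WISPAccessGatewayParam.xsd">
<Redirect>
<AccessProcedure>1.0</AccessProcedure>
<LoginURL>https://hotspot.example/login</LoginURL>
<AbortLoginURL>https://hotspot.example/logout</AbortLoginURL>
<MessageType>100</MessageType>
<ResponseCode>0</ResponseCode>
</Redirect>
</WISPAccessGatewayParam>
-->
<title>login</title></head><body></body></html>"""

WISPR_RE = re.compile(r"<WISPAccessGatewayParam\b.*?</WISPAccessGatewayParam>", re.S)

def check_wispr_redirect(html):
    """Return (fields, problems) for the WISPr <Redirect> block in html."""
    match = WISPR_RE.search(html)
    if match is None:
        return {}, ["no WISPAccessGatewayParam element found"]
    # Only the element itself is parsed, so no DOCTYPE (and therefore no
    # entity definitions) from the page can reach the XML parser.
    try:
        root = ET.fromstring(match.group(0))
    except ET.ParseError as exc:
        return {}, [f"XML not well-formed: {exc}"]
    redirect = root.find("Redirect")
    if redirect is None:
        return {}, ["no Redirect element"]
    fields = {child.tag: (child.text or "").strip() for child in redirect}
    problems = []
    for tag, want in (("MessageType", "100"), ("ResponseCode", "0")):
        if fields.get(tag) != want:
            problems.append(f"{tag} is not {want}")
    for name in ("LoginURL", "AbortLoginURL"):
        url = urlparse(fields.get(name, ""))
        if not url.netloc:
            problems.append(f"{name} missing or unsubstituted")
        elif url.scheme != "https":
            problems.append(f"{name} is not https")
    return fields, problems
```

An unescaped `&` in the substituted URL makes the block ill-formed XML, which the check reports as a parse error rather than a usable `LoginURL`.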
 
asomervell
just joined
Topic Author
Posts: 6
Joined: Thu Sep 09, 2010 6:47 am

Re: Mikrotik Hotspot and WISPr Clients

Wed Oct 20, 2010 12:11 pm

Yeah that's the fix for now Jaco, we like everything server side for product lifecycle management though :)
 
scot
just joined
Posts: 1
Joined: Thu Aug 25, 2011 3:20 am

Re: Mikrotik Hotspot and WISPr Clients

Thu Aug 25, 2011 3:31 am

Bump.

Hello,
Was an initial 302 response code for redirect rather than a 200 ever implemented? I am working on integrating a handheld gaming system w/ auto login capability. It will use WISPr <LoginURL> to authenticate, but only if it is included in the body of a 302. It assumes it is online if a 200 OK is returned.

Thanks.
