Zod
Frequent Visitor
Topic Author
Posts: 91
Joined: Mon Apr 23, 2012 11:02 pm

Authenticating users before access to application

Sun Jul 22, 2012 10:46 pm

Customer has an 'application' that is web enabled but has no user access control or authentication. They'd like it to be accessible from the Internet via multiple IPs and operating systems (iPhone, Android, Windows and Mac). SSH, PPTP or any other type of VPN for authentication is probably not practical.

I'm thinking that it should be possible to authenticate them in the web browser with HotSpot authentication? So essentially no matter where they are they can hit a port on the outside interface of one of our firewalls, enter authentication information in their web browser and then have access to the 'application' behind our firewall. Obviously not the best way to go but the vendor of the application has no intention of securing it in any form...

Has anyone done something like this before?

Thanks.
 
MarcusH
just joined
Posts: 16
Joined: Thu Aug 02, 2012 11:06 am

Re: Authenticating users before access to application

Thu Aug 02, 2012 11:23 am

I am looking for exactly that. I would like to "misuse" hotspot for controlling access to a couple of systems behind a MikroTik. Authentication via web browser with the router passing the credentials to a RADIUS server.

Did you make any progress on this?

Update: Scouting the Wiki I found on this page

http://wiki.mikrotik.com/wiki/Manual:Ho ... troduction

the following statement:

The HotSpot system is targeted to provide authentication within a local network (for the local network users to access the Internet), but may as well be used to authorize access from outer networks to access local resources (like an authentication gateway for the outside world to access your network).

The statement implies that what is asked for in this thread is actually a valid use case of the hotspot feature. Unfortunately, there seem to be no examples to be found in the forum or on the wiki.
 
CyberT
Member Candidate
Posts: 172
Joined: Tue Feb 01, 2011 1:39 pm
Location: Johannesburg, South Africa

Re: Authenticating users before access to application

Thu Aug 02, 2012 1:21 pm

You can try some form of address list where, if an address is part of the address list, it forwards you to the internal server, but even that is a long shot. I would rather consider PPTP; it works well from most phones I've tested, so I would investigate that.
 
Zod
Frequent Visitor
Topic Author
Posts: 91
Joined: Mon Apr 23, 2012 11:02 pm

Re: Authenticating users before access to application

Sat Aug 04, 2012 9:04 pm

If anyone needs to do this in the future I did it as follows:

Using Hotspot on the Wireless interface of the radio without IP Pool. Change the IP Service for the CPE port 80 to something else (like 8888).

The customer connects to a specific port on my Internet facing firewall which is port NATted to the Wireless CPE IP on port 80. There they are challenged by the Hotspot and once authenticated they are forwarded to the "status" page. I embedded an iframe on the Status page that shows the content required. Also created a custom page on the CPE that is linked from the modified status page with an iframe.

So yes the answer was in the hotspot docs but the trick was what to do after the HotSpot auth - iframe works.

Z
