Hey guys,
We have a couple of mikrotiks. We run multiple hotspots on the same mikrotik.
We work with an external Radius server (FreeRadius).
Now, every hotspot network has a different ‘login flow’ starting from an external login page. For example, one network requires login with Facebook (network A), another requires a bought access code (Network B). Once our external login backend has successfully validated the login attempt (for example via Facebook) it creates a random username and password and saves this in the Radius server MySQL table (this is the same for different login flows). After this, we let the client’s browser send a POST request to the mikrotik with the generated username and password. Upon receiving this the mikrotik sends an authentication request to the radius server and the radius server responds with Access-Accept and the client is successfully authenticated and can start using the internet. Now a mac-cookie is set. This is a mac-address + username + password combo set on the mikrotik.
Now let’s say the client disconnects from network A and connects to network B (for simplicity let’s say these networks are not adjacent). On network B authentication should be done with an access code entered on our external login page. What happens is, upon connecting of the client the mikrotik checks its Mac-Cookie table and finds a record. The mikrotik tries to authenticate the client with the radius server, with the information found in the Mac Cookie record.
This works (Radius sends back access-accept) since we haven’t made the randomly generated login and password “hotspot specific” in the radcheck table. The client being logged in isn’t the desired behaviour of course. The user should be redirected to the external login page.
Question:
- Is it possible to have Hotspot-specific Mac-cookies on the mikrotik? For example, a Mac-cookie only applicable for network A and a Mac-cookie only applicable for network B.
Am I missing something? Has anyone encountered a similar situation? What’s the most elegant solution?
Thanks in advance,
MackDoms
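
An added example, not part of the original post and not FreeRADIUS code: a simplified Python model of radcheck evaluation, showing why the replayed mac-cookie credential is accepted on network B when the radcheck row is not hotspot-specific, and how a per-hotspot check item changes the result. Assumptions: the router sends the hotspot server name in Called-Station-Id, `==` check items are compared against the request while `:=` items set the expected password, and the names `hotspot-A`, `hotspot-B`, `u-7f3a` and `p-91c2` are constructed sample values.

```python
import hmac
import sqlite3

def make_db(scoped):
    """Build an in-memory radcheck table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck "
               "(username TEXT, attribute TEXT, op TEXT, value TEXT)")
    # Random credential created by the login backend after a login on network A.
    rows = [("u-7f3a", "Cleartext-Password", ":=", "p-91c2")]
    if scoped:
        # Extra check item: credential is only valid on the issuing hotspot.
        rows.append(("u-7f3a", "Called-Station-Id", "==", "hotspot-A"))
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", rows)
    return db

def authorize(db, request):
    """Simplified model of check-item evaluation (assumption, see lead-in)."""
    rows = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?",
        (request["User-Name"],)).fetchall()
    expected = None
    for attribute, op, value in rows:
        # '==' items must match the attribute carried in the Access-Request.
        if op == "==" and request.get(attribute) != value:
            return "Access-Reject"
        # ':=' on Cleartext-Password sets the password to compare against.
        if op == ":=" and attribute == "Cleartext-Password":
            expected = value
    if expected is not None and hmac.compare_digest(
            expected, request["User-Password"]):
        return "Access-Accept"
    return "Access-Reject"

def replay(scoped, hotspot):
    """Mac-cookie login: the router resends the stored username/password."""
    request = {"User-Name": "u-7f3a", "User-Password": "p-91c2",
               "Called-Station-Id": hotspot}
    return authorize(make_db(scoped), request)

if __name__ == "__main__":
    for scoped in (False, True):
        for hotspot in ("hotspot-A", "hotspot-B"):
            print(f"scoped={scoped} {hotspot}: {replay(scoped, hotspot)}")
```

With the scoped row, the replay on network B is rejected, so the client would fall through to the login page instead of being silently authenticated.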