Central Hotspot Pages

Hi, we’re looking to centrally manage our hotspot page (i.e. host it on a central server and pass details back to the radio for logging in). We had done this once, but the employee who set it up has since left and we don’t have a backup. Does anyone have any advice / details on parsing variables so that they are displayed on the centrally hosted page from each individual radio?

Thanks in advance :)

http://wiki.mikrotik.com/wiki/Manual:Customizing_Hotspot#Examples

Scroll that down a bit - the last bit of that section (before firewall customizations) is basically a complete manual to what you’re asking.

Howdy,

Thanks for that, we’ve followed the instructions and got it operational using PAP. However, we’d like to use CHAP for added security, but somehow the MD5 password being passed through is not right and we get invalid username and password.

Should we use MD5.js from server or hotspot?

Any help appreciated, script below.

login.html (located on hotspot)


...

login.php (located on radius server)


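<?php
// Values posted to the central page by the hotspot's login.html
$mac=$_POST['mac'];
$ip=$_POST['ip'];
$username=$_POST['username'];
$linklogin=$_POST['link-login'];
$linkorig=$_POST['link-orig'];
$error=$_POST['error'];
$chapid=$_POST['chap-id'];
$chapchallenge=$_POST['chap-challenge'];
$linkloginonly=$_POST['link-login-only'];
$linkorigesc=$_POST['link-orig-esc'];
$macesc=$_POST['mac-esc'];
?>
mikrotik hotspot > login

Mac: <?php echo htmlspecialchars($mac, ENT_QUOTES); ?>

IP: <?php echo htmlspecialchars($ip, ENT_QUOTES); ?>

Username: <?php echo htmlspecialchars($username, ENT_QUOTES); ?>

Link-login: <?php echo htmlspecialchars($linklogin, ENT_QUOTES); ?>

Link-orig: <?php echo htmlspecialchars($linkorig, ENT_QUOTES); ?>

Error: <?php echo htmlspecialchars($error, ENT_QUOTES); ?>

Chap ID: <?php echo htmlspecialchars($chapid, ENT_QUOTES); ?>

Chap Challenge: <?php echo htmlspecialchars($chapchallenge, ENT_QUOTES); ?>

Link-Login-only: <?php echo htmlspecialchars($linkloginonly, ENT_QUOTES); ?>

Link Origin: <?php echo htmlspecialchars($linkorigesc, ENT_QUOTES); ?>

Mac Esc: <?php echo htmlspecialchars($macesc, ENT_QUOTES); ?>


username: password:
<?php echo htmlspecialchars($error, ENT_QUOTES); ?>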

Chap is required for authentication

A copy of md5.js is also located on radius server

Values are being sent through to login.php

When logging in get error invalid username or password

Appears that md5 does not match on hotspot

On your server, I see you have the login.php in a directory called “/login/login.php”. If the md5.js file is in that directory, you need this:

<script type="text/javascript" src="/login/md5.js"></script>

ADD: You might even be able to use this. I haven’t tried it. That is a period slash before the filename.

<script type="text/javascript" src="./md5.js"></script>

Hi Tim,

We’ve tried a number of permutations for access to md5.js: absolute, relative, local to hotspot, local to central page. With no luck.

MD5 Encryption is happening, but it feels as if it’s not encoding the password correctly. i.e. Adding an extra "" to the password, or embedding some extra characters so that the password is not correct. That, or maybe the CHAP ID is getting mixed up.

Should the md5.js be run from the hotspot or the central server?

We pass CHAPID and CHAP-Challenge across from the hotspot to central server as a variable, but then the password is entered on the central server. Here is a snapshot of what we send off to the server. If you’re a guru and have the solution to this or wanna have access to give it a stab, please PM me as I’m happy to have a conference and offer a bounty.

[Attached image: hotspot.JPG]

When you loaded the md5.js file to your server, you did set permissions to “read by all”, correct? You are using the md5.js file on your server. Once the md5 encryption is complete, it submits the form to your router.

Can you show me how there are two username/password/login buttons. There should only be a login button (submit) in the form named “login”. When that form is submitted, that performs the md5 (doLogin script) before submitting the form named “sendin”. That is the form that does the login if you use CHAP.

And you are sure the user “test12345” is in your hotspot database? Try logging in with the default user in “/ip hotspot user”.

Also enable hotspot logging. Then try the login and check the log.

/system logging
add topics=hotspot action=memory

“login-by=http-chap” requires JavaScript enabled or login fails.

Hi Tim,

Two forms as the lower form generates the request, but holds it on the higher form before submitting, we added this to help with debugging.

User exists, can login with PAP enabled, so definitely a CHAP / MD5 thing.

Radius is definitely responding with an

hotspot: trying to log in by http-chap
hotspot: local user not found
hotspot: sending RADIUS athentication request

Radius Debug: CHAP-Challenge = 0x…
Radius Debug: CHAP-Password = 0x5b…
Radius Debug: received Access-Reject with id 143 from …

hotspot: Access-Reject from RADIUS

Something is funky with how the MD5 is being generated, either the CHAP ID is changing as it is passed onto the central login page or something is injecting some extra characters throwing it all out of whack. Logging in locally is no issue.

So it is the radius request, not the hotspot request, that is failing. What radius are you using?
Do you store your passwords encrypted? CHAP won’t accept it if the passwords in the database are encrypted.
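
An added example, not part of any post in this thread: a Node.js check of the CHAP arithmetic being debugged above. It computes the RFC 1994 response MD5(id || password || challenge) and the RADIUS CHAP-Password value (id octet plus digest), and compares the challenge that reached the central page with the CHAP-Challenge shown in a RADIUS debug log. All function names and sample values are constructed, and it assumes the hotspot hands over chap-id and chap-challenge as octal-escaped strings.

```javascript
const crypto = require('crypto');

// Decode octal-escaped text (e.g. "\371\012ab") to bytes, as a JavaScript
// string literal would. Only \ooo and \\ are handled (assumed escape format).
function decodeJsEscapes(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '\\' && s[i + 1] === '\\') { out.push(0x5c); i++; continue; }
    const m = s[i] === '\\' ? /^(?:[0-3][0-7]{2}|[0-7]{1,2})/.exec(s.slice(i + 1)) : null;
    if (m) { out.push(parseInt(m[0], 8)); i += m[0].length; }
    else out.push(s.charCodeAt(i) & 0xff);
  }
  return Buffer.from(out);
}

// RFC 1994 CHAP with MD5: response = MD5(id || password || challenge).
function chapResponse(idBytes, password, challengeBytes) {
  const pw = Buffer.from(password, 'latin1'); // one byte per character
  return crypto.createHash('md5')
    .update(Buffer.concat([idBytes, pw, challengeBytes])).digest();
}

// RADIUS CHAP-Password value (RFC 2865): CHAP id octet + 16-byte response,
// printed in the same 0x... form as a RADIUS debug log.
function radiusChapPassword(postedId, password, postedChallenge) {
  const id = decodeJsEscapes(postedId);
  const resp = chapResponse(id, password, decodeJsEscapes(postedChallenge));
  return '0x' + Buffer.concat([id, resp]).toString('hex');
}

// Does the challenge received by the central page equal the CHAP-Challenge
// the router sent to RADIUS? A mismatch means it was altered in transit.
function checkChallenge(postedChallenge, radiusChallengeHex) {
  const got = decodeJsEscapes(postedChallenge).toString('hex');
  const want = radiusChallengeHex.replace(/^0x/i, '').toLowerCase();
  return { match: got === want, got, want };
}

// Constructed sample values, not taken from the thread.
const SAMPLE = { id: '\\371', challenge: '\\001\\002ab\\377', password: 'secret' };
// Same challenge after a server-side layer doubled every backslash.
const MANGLED = SAMPLE.challenge.replace(/\\/g, '\\\\');

console.log(radiusChapPassword(SAMPLE.id, SAMPLE.password, SAMPLE.challenge));
console.log(checkChallenge(SAMPLE.challenge, '0x01026162ff'));
console.log(checkChallenge(MANGLED, '0x01026162ff'));
```

If the computed CHAP-Password differs from the one in the RADIUS debug log while the challenge check matches, the difference lies in the password or chap-id input rather than in the challenge.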