Help for - Hotspot Trial user daily quota

sda · May 23, 2011, 4:23pm

Hi,
Is this possible?
It will be free access, no subscriber H.S. with just a splash page with the TAC.
What I have done so far is change the trial user time to 23H and 59M. (Ive seen some modified login html in these forums bypassing authentication for free access but why I don’t know as changing the trial user time does this without going into that detail)
What I don’t want is people logging in and downloading their DVD’s or watching their TV series online all day long.
A daily quota for say 100mb with a reset every day for example is what I would like to be done.
That option is available for authenticated users.

What about adding it for trial users?

Thanks in advance.

BTW I have tried some scripts found in these forums but none really work without retouching them, and even then are very tricky to get running.

SurferTim · May 23, 2011, 4:35pm

According to the hotspot wiki
http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot/Profile
you can change those settings in

/ip hotspot profile
set X trial-uptime=30m/1d
set X trial-user-profile=trial

gives trial users 30 minutes every day and assigns user profile “trial”.
Replace ‘X’ with the line number of your profile (normally 1).

sda · May 23, 2011, 4:53pm

Thanks for the input.
There is no quota reference anywhere.
Only “rate limit” is available but not required in my case.

Cheers

SurferTim · May 23, 2011, 4:59pm

The quota is both those settings combined.

/ip hotspot profile
set 1 trial-uptime=30m/1d

/ip hotspot user profile
add name=trial rate-limit="384k/1M"

The trial user gets 30 minutes at 1M. I will let you do the math.
http://www.youtube.com/watch?v=gENVB6tjq_M

fewi · May 23, 2011, 5:15pm

If you need a hard quota over 24 hours without combining uptime and rate limit to get there you have to use external authentication.

This sounds somewhat complicated, but isn’t when broken down into parts:

configure Hotspot to use RADIUS
make a login.html that submits ($mac) for the username and password to /login
router now submits the MAC address as a username and password to the RADIUS server
RADIUS server uses some sort of backend (probably a SQL database) to check those credentials
the database checks a table to see if that MAC address has already logged in on that day
— if not:
------- record the MAC address in the table that was just checked so that future checks return true
------- return the MAC address that was queried as the password so authentication works OK
------- return the Mikrotik-Recv-Limit and Mikrotik-Xmit-Limit RADIUS attributes with your quota
— if yes:
------- return any other string as the password so that authentication fails when the RADIUS server checks the submitted password against it.

You can extend that arbitrarily and also use RADIUS accounting stored into the SQL database, and allow clients to log in a second time if they haven’t hit their quota yet and send different quota attribute values based on how much data the RADIUS accounting STOP packet reported the user used in previous sessions.

See http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Access-Accept for attribute details.

sda · May 23, 2011, 6:06pm

@SurferTim
Maths wise you are correct.
But whats the use of having 10~12mb of bandwidth of which I have available , and taking someone approx.7 minutes to download a 50mb file at 1mb.
My way of thinking is:
You have a 100mb quota.
Now you can spend it surfing all day long, or you can spend it watching 3~4 youtube clips in 10 minutes.

@fewi
Yes, does seem complicated, especially when you’re new to RO.
The bit I don’t understand is how authentication will occur.
My understanding is:
A user logs in.
His MAC is recorded in a database.
The Radius server then authenticates this using the same database.
The sql database will be external to the router?

Thank you.

BTW
I have been using a modified version of openwrt (Gargoyle) which does do quotas, and have added an open captive portal (Nocatsplash).
I use a modified again TP-WR1043 with 64mb of ram, and only as a router.
The problem it isn’t that stable and requires frequent resets.
I have acquired a RB450G to replace the above setup, only to find out that it isn’t that easy to setup for my case.

fewi · May 23, 2011, 6:22pm

The SQL database would probably be external to the RADIUS server. That whole part depends on what RADIUS server and SQL database you use. Doesn’t have to be SQL, either - any backend that can do these steps and works with whatever RADIUS server you choose could be used.

When a RADIUS server uses a database backend it usually just runs some query that has the database return the password for the username queried. Then the RADIUS server compares the password sent by the user to the password returned by the database query. If it matches, authentication is granted.
In this case I would just send the MAC address as both username and password. The password lookup in the DB uses a stored function or something similar and does all the “is this MAC address authorized to get online right now” magic, and then - if yes - returns the MAC address queried, or - if no - returns something else. If the MAC address is returned the RADIUS server can match the two pieces and they are the same, so it returns an OK. If something else is returned that string doesn’t match the MAC address and the RADIUS server won’t OK the request.

Hope that makes more sense.

There indeed is no easy way to do what you’re looking to do.

sda · May 23, 2011, 6:35pm

Being a practical person.
Is it possible to create an account at login (some script) and then using those credentials to authenticate on the spot ?
If not, I think that I’ll have to leave it at that, and find a way to make my present system more stable.

Thank you for your time and effort.
Cheers

fewi · May 23, 2011, 6:45pm

Not all contained within one system, no. You’d at least need an external server to make an API call and then redirect back to the login servlet.