Hotspot behind Gigabit WAN lines

Hi,

I work for a small ISP doing mainly hotspot access in residential buildings, students residences, etc. We use mainly Unifi for the wireless part and mikrotik RB1100XX for gateway/hotspot.

Usually our sites have either slow WAN lines or few users, so it works smoothly, but this time there are 150 students in the residence, allowed 5 devices each, and there will be 2x Gigabit optical fiber WAN lines, so I want to maximise the performance and availability. For this purpose there will be 2x RB1100AHx4, redundant switches, and a lot of wireless APs.

On my usual site config, Hotspot authenticates users against our external FreeRADIUS server (username/password CHAP auth, with a 30-day MAC cookie). The captive portal is embedded in the RB1100 but we kept it very simple. Rate limiting is done via the hotspot's user profile (simple queues). Firewall rules for filtering are almost the default ones, mangle is doing mainly mark packet/routing to isolate the HTTP/HTTPS traffic and load balancing using src IP (1/2), NAT is used only for masquerading output traffic on WAN interfaces, and FastPath is enabled. For these sites the DNS server/cache is the MikroTik, but I've got a lot of Linux servers available in the cloud, so I could do DNS offloading if necessary.

What would be the best configuration (queues, hotspot config, DNS offloading, etc.) and architecture (1 hotspot on each RB1100 with split networks, or failover) to adopt, in order to maximize performance and HA? Because I remember doing bandwidth tests behind hotspot and a 200Mbps WAN, and struggling to get more than 100Mbps on an RB1100AHx2, but maybe my config was bad.

Thanks!

Why not 802.1x at scale instead of captive portal and hotspot silliness?

Hi, thanks for the quick reply!

I thought about 802.1x but there are two reasons I didn't go with it (yet):

  • I have some doubts about device compatibility: more and more users want to connect with game consoles, or connected devices/objects, and I'm not sure if most of them are 802.1x compliant (I read somewhere that the PS4 for example is not 802.1x compatible, but maybe I'm wrong?). I haven't had the time yet to do some research about it. Did you (or anybody) implement 802.1x successfully with a wide variety of devices other than smartphones, tablets and Mac/PC?
  • the registration process for our users is the following:
    1. they are given a WPA2 key by their landlord/residence's owner (we also have some wired users on some sites)
    2. they are redirected to the captive portal, with a login form for existing users and a link "first time user" for others, pointing to our (external) registration server
    3. to register the first time they have to validate some information (filled in a database by the site/building manager) and choose a password.
    4. a RADIUS entry is then created and the user can surf through hotspot
    so with 802.1x, we would have to rethink the process: either by giving users the link to our registration portal and letting them register using another network, or by creating 2 wireless networks: one for registration using hotspot, the other for registered users with 802.1x. This is possible, but it takes a little bit of time to redefine the process, experiment with it, inform our customers etc. And this site has to be up and running in the coming weeks, so the timing would be really tight.

Do you think running hotspot at at least a few hundred Mbps is feasible? I know I certainly won't achieve gig speed, and this is not the goal here, but as this is residential access most bandwidth usage happens at peak hours (evening, mostly), so the higher the better!

To be honest, I avoid hotspot and captive portals like the plague. I’ve seen more issues particularly with captive portal detection than any other method produces by volume of support calls.

You'd need a method to manage either the certificates or users. You likely are doing this already. This would be the same as adding the user or device to the RADIUS service. With this a good item is a way to honor devices by MAC address to bypass the normal method. This typically is paired with a time frame to automatically remove it with the expectation the customer would set it up again. This time frame can vary; in a college dorm it might match the length of a school year or term. It just helps keep the database clean. Again this would be a back-end interface that your support team and anyone else with permission to delegate access would be allowed to hop in and pop a MAC into. This could also be linked to a record for a particular user to help in tracking or logging if necessary.

This combination of 802.1x with MAC bypass is becoming more common in my area of the world particularly for college campuses.
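The MAC-bypass list with an expiry date that the reply above describes, written out as a small RADIUS back-end check. This is an added example for illustration, not code from this thread or from FreeRADIUS, UniFi or RouterOS. It assumes the access point sends the client MAC as the RADIUS User-Name on a MAC-auth fallback (the exact MAC format varies by vendor, which is why it normalises it first) and that the function is called from a RADIUS server's scripting or REST hook; the entry layout, the owner/created_by fields and the sample devices are all constructed for the example.

```python
"""Hypothetical MAC-bypass authorisation with a per-entry removal date.

Each entry is tied to a user record (owner) and to whoever added it, so a
device can be traced back to a person in the logs, and entries expire at the
end of the term so the list does not accumulate stale devices.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class MacBypassEntry:
    mac: str            # normalised form aa:bb:cc:dd:ee:ff
    owner: str          # user record the device belongs to (constructed ids below)
    created_by: str     # support agent / delegate who added the device
    expires: datetime   # automatic removal date, e.g. end of school term
    note: str = ""


_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> Optional[str]:
    """Accept AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF, etc.; None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize_mac(user_name: str, bypass: Dict[str, MacBypassEntry], now: datetime) -> dict:
    """Decide a MAC-auth request. Expired entries are rejected rather than
    silently renewed, so the customer has to re-register the device."""
    mac = normalise_mac(user_name)
    if mac is None:
        return {"decision": "Access-Reject", "reason": "User-Name is not a MAC address"}
    entry = bypass.get(mac)
    if entry is None:
        return {"decision": "Access-Reject", "reason": "device not on bypass list"}
    if now >= entry.expires:
        return {"decision": "Access-Reject",
                "reason": f"bypass for {entry.owner} expired on {entry.expires.date()}"}
    remaining = int((entry.expires - now).total_seconds())
    return {
        "decision": "Access-Accept",
        "owner": entry.owner,
        # Session-Timeout (RADIUS attribute 27): re-authenticate at least daily,
        # and never let a session outlive the entry's expiry date.
        "Session-Timeout": min(remaining, 86400),
    }


def purge_expired(bypass: Dict[str, MacBypassEntry], now: datetime) -> List[MacBypassEntry]:
    """Housekeeping job: drop expired entries and return them for the audit log."""
    removed = [e for e in bypass.values() if now >= e.expires]
    for e in removed:
        del bypass[e.mac]
    return removed


# Constructed sample data: a fixed "now" and three devices in different states.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
TERM_END = datetime(2024, 6, 30, tzinfo=timezone.utc)


def build_sample_list() -> Dict[str, MacBypassEntry]:
    entries = [
        MacBypassEntry("aa:bb:cc:11:22:33", "room-214", "support-anna", TERM_END, "game console"),
        MacBypassEntry("aa:bb:cc:44:55:66", "room-101", "support-anna",
                       datetime(2024, 1, 31, tzinfo=timezone.utc), "left in January"),
        MacBypassEntry("aa:bb:cc:77:88:99", "room-305", "manager-bob",
                       NOW + timedelta(hours=1), "temporary guest device"),
    ]
    return {e.mac: e for e in entries}


if __name__ == "__main__":
    table = build_sample_list()
    for name in ("AA-BB-CC-11-22-33", "aabb.cc44.5566", "aabbcc778899", "not-a-mac"):
        print(name, "->", authorize_mac(name, table, NOW))
    print("purged:", [e.mac for e in purge_expired(table, NOW)])
```

Whatever front end your support team uses to "pop a MAC in", the check itself stays this small: normalise, look up, compare against the expiry, and cap the session so a device does not keep a live session past the date it was supposed to be removed.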

Yes, I'm not so worried about the backend side of the 802.1x solution, I already tested it successfully; adding users to the RADIUS would be more or less the same process as with hotspot.
I'm more concerned about timing here, I have until the end of the week to test the new solution, write new procedures/user documentation, etc. This is why I was asking about hotspot customization in the first place, in case I can't find another solution in time! Do you (or anyone) have a working config of a high speed captive hotspot on RouterOS?

Regarding 802.1x, you are talking about MAC authentication as a fallback, but I don't know how to implement it in a wireless environment... In Unifi I can enable WPA2 Enterprise, so wireless clients authenticate against my RADIUS server with their username/password (could be certs), but for a PS4 for example, which seems not compatible with RADIUS-based WPA2, it just can't connect to the wireless network, so I don't see how it would fall back to a MAC auth/bypass...? I would need another wireless network to use as a fallback, wouldn't I? How is your wireless 802.1X + MAC bypass implemented on your network?