I’m new to this forum, I hope I’ll be able to comply with the rules.
I have a rather complex issue with a hotspot service I’m supposed to create. I use a RB 411 UAHR, it has the hotspot option set up correctly, it’s also set up to use an external radius server for authentication and accounting. I also have an external captive portal set up on an apache/php/mysql server. The hotspot users get IP addresses from a private pool, masquerade is enabled.
The users are supposed to log into the hotspot through a form in the captive portal page. Each user has his unique id and password. Unfortunately I can’t have separate user accounts on the radius server for every user of the hotspot because of the server’s license limitations. So there is only one user account on the radius server.
I have a function which checks if the data provided in the login form (userid and password) are correct. If yes, a request is sent to the RB to send an authentication request to the radius server.
I would like to store the userid provided in the login form (which is not the radius account userid) and the private IP address given to the user’s terminal in a mysql database.
The first idea was to set up a http proxy on the RB and use the http_x_forwarded_for header field to obtain the private IP address in the php script of the login form. This way I could easily insert the userid and the IP address into a table in a db. Unfortunately somehow the http_x_forwarded_for field comes empty. Furthermore, the http_x_forwarded_for field is easily spoofable and this kind of solution is not reliable enough.
Now I’ve come up with the idea to send the userid as an additional radius attribute, so it can be stored in the radius server database. Is there a way to inject an additional parameter into the radius attributes (e.g. a http parameter from the login request)?
Or is there any other way to store the values I need to store?
login.html - login page shown to a user to ask for username and password. This page may take the following parameters:
username - username
password - either plain-text password (in case of PAP authentication) or MD5 hash of chap-id variable, password and CHAP challenge (in case of CHAP authentication). This value is used as e-mail address for trial users
dst - original URL requested before the redirect. This will be opened on successful login
popup - whether to pop-up a status window on successful login
radius<id> - send the attribute identified with <id> in text string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
radius<id>u - send the attribute identified with <id> in unsigned integer form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
radius<id>-<vnd-id> - send the attribute identified with <id> and vendor ID <vnd-id> in text string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
radius<id>-<vnd-id>u - send the attribute identified with <id> and vendor ID <vnd-id> in unsigned integer form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
Since your external login page will redirect to “/login?username=whatever&password=whatever” already to trigger a login with the hard-coded RADIUS credentials, just add more POST variables as per above to send to RADIUS.
However, as I’m sure you’re aware, the BY FAR cleanest solution would be to either buy a better license for your RADIUS server, or to use something like FreeRADIUS which is free in any sense of the word without any limitations, and can easily tie into a SQL backend.
Either way, if you’re going to be doing any advanced Hotspot work you want to bookmark that wiki page together with the packet flow one (http://wiki.mikrotik.com/wiki/Manual:Packet_Flow) and the RADIUS client one (http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client) - between those three you can pretty much figure out absolutely anything you can possibly do with a RouterOS Hotspot. All three are very well written, and extremely concise and informative. Mikrotik sometimes gets flak for its documentation but the Hotspot is covered very, very, very well.
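As an added example (not from this thread or from MikroTik), here is the portal-side piece the answer above describes: after the portal checks its own userid/password, it builds the hotspot login redirect with the shared RADIUS account plus a radius<id>-<vnd-id> parameter, and because that redirect passes through the user's browser (the same trust problem as X-Forwarded-For), it sends a random one-time token that the portal maps to the userid server-side rather than the userid itself. The hotspot URL, the shared RADIUS credentials, the vendor and attribute IDs, and the in-memory user and token tables are all placeholders.

```php
<?php
// Added example, not code from the thread. Placeholders below must be replaced
// with the real hotspot address, RADIUS account and vendor/attribute numbers.
const HOTSPOT_LOGIN_URL = 'http://10.5.50.1/login'; // placeholder: the RB's hotspot address
const RADIUS_SHARED_USER = 'hotspot';               // placeholder: the single RADIUS account
const RADIUS_SHARED_PASS = 'change-me';             // placeholder
const VSA_VENDOR_ID      = 99999;                   // placeholder: your enterprise number
const VSA_ATTR_ID        = 1;                       // placeholder: vendor sub-attribute number

// Constructed portal user table (stands in for the portal's mysql table).
$portalUsers = ['alice' => password_hash('alice-secret', PASSWORD_DEFAULT)];
// Constructed token -> userid store (stands in for a mysql table the RADIUS side is joined against).
$tokenStore = [];

/**
 * Validates portal credentials and returns the hotspot redirect URL, or null on failure.
 * The userid never leaves the server: only a random token goes into the redirect, so
 * a user editing the URL in the browser cannot impersonate another portal userid.
 */
function hotspot_redirect_url(array $users, array &$tokens, string $userid, string $password, string $dst): ?string
{
    if (!isset($users[$userid]) || !password_verify($password, $users[$userid])) {
        return null;
    }
    $token = bin2hex(random_bytes(16));   // 128-bit one-time token
    $tokens[$token] = $userid;            // persist server-side (mysql in the real portal)

    // Parameter name per the login.html docs quoted above: radius<id>-<vnd-id>
    $attr = sprintf('radius%d-%d', VSA_ATTR_ID, VSA_VENDOR_ID);  // e.g. "radius1-99999"
    $query = http_build_query([           // URL-encodes every value
        'username' => RADIUS_SHARED_USER,
        'password' => RADIUS_SHARED_PASS,
        'dst'      => $dst,
        $attr      => $token,
    ]);
    return HOTSPOT_LOGIN_URL . '?' . $query;
}

$url = hotspot_redirect_url(
    $portalUsers, $tokenStore,
    $_POST['userid'] ?? '', $_POST['password'] ?? '', $_POST['dst'] ?? 'http://example.com/'
);
if ($url === null) {
    http_response_code(403);
    exit('invalid portal login');
}
header('Location: ' . $url, true, 303);
```

On the RADIUS side the token arrives as the vendor-specific attribute in the Access-Request and can be logged with the session, after which the portal's token table maps it back to the userid.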