Hotspot redirect to external page, English page doesn't work

Hi All,

I need to redirect the Hotspot welcome page to my external server, so I’ve followed MikroTik’s guide and modified login.html on my hotspot board to:

<html>
<head><title>...</title></head>
<body>
$(if chap-id)
<noscript>
<center><b>JavaScript required. Enable JavaScript to continue.</b></center>
</noscript>
$(endif)
<center>If you are not redirected in a few seconds, click 'continue' below<br>
<form name="redirect" action="http://mysite.login.php" method="post">
<input type="hidden" name="mac" value="$(mac)">
<input type="hidden" name="ip" value="$(ip)">
<input type="hidden" name="username" value="$(username)">
<input type="hidden" name="link-login" value="$(link-login)">
<input type="hidden" name="link-orig" value="$(link-orig)">
<input type="hidden" name="error" value="$(error)">
<input type="hidden" name="chap-id" value="$(chap-id)">
<input type="hidden" name="chap-challenge" value="$(chap-challenge)">
<input type="hidden" name="link-login-only" value="$(link-login-only)">
<input type="hidden" name="link-orig-esc" value="$(link-orig-esc)">
<input type="hidden" name="mac-esc" value="$(mac-esc)">
<input type="submit" value="continue">
</form>
<script language="JavaScript">
<!--
   document.redirect.submit();
-->
</script></center>
</body>
</html>

In the root directory of the web server I’ve copied the hotspot files from the RouterBOARD and created login.php with:

<?php
   $mac=$_POST['mac'];
   $ip=$_POST['ip'];
   $username=$_POST['username'];
   $linklogin=$_POST['link-login'];
   $linkorig=$_POST['link-orig'];
   $error=$_POST['error'];
   $chapid=$_POST['chap-id'];
   $chapchallenge=$_POST['chap-challenge'];
   $linkloginonly=$_POST['link-login-only'];
   $linkorigesc=$_POST['link-orig-esc'];
   $macesc=$_POST['mac-esc'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>mikrotik hotspot > login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<style type="text/css">
body {color: #737373; font-size: 10px; font-family: verdana;}

textarea,input,select {
background-color: #FDFBFB;
border: 1px solid #BBBBBB;
padding: 2px;
margin: 1px;
font-size: 14px;
color: #808080;
}

a, a:link, a:visited, a:active { color: #AAAAAA; text-decoration: none; font-size: 10px; }
a:hover { border-bottom: 1px dotted #c1c1c1; color: #AAAAAA; }
img {border: none;}
td { font-size: 14px; color: #7A7A7A; }
</style>

</head>

<body>
<!-- $(if chap-id) -->

	<form name="sendin" action="<?php echo $linkloginonly; ?>" method="post">
		<input type="hidden" name="username" />
		<input type="hidden" name="password" />
		<input type="hidden" name="dst" value="<?php echo $linkorig; ?>" />
		<input type="hidden" name="popup" value="true" />
	</form>
	
	<script type="text/javascript" src="/md5.js"></script>
	<script type="text/javascript">
	<!--
	    function doLogin() {
		document.sendin.username.value = document.login.username.value;
		document.sendin.password.value = hexMD5('<?php echo $chapid; ?>' + document.login.password.value + '<?php echo $chapchallenge; ?>');
		document.sendin.submit();
		return false;
	    }
	//-->
	</script>
<!-- $(endif) -->

<div align="center">
<a href="<?php echo $linkloginonly; ?>?target=lv&dst=<?php echo $linkorigesc; ?>">Latviski</a>
</div>

<table width="100%" style="margin-top: 10%;">
	<tr>
	<td align="center" valign="middle">
		<div class="notice" style="color: #c1c1c1; font-size: 9px">Please log on to use the mikrotik hotspot service<br />

<!-- $(if trial == 'yes') -->
Free trial available, <a style="color: #FF8080"href="<?php echo $linkloginonly; ?>?dst=<?php echo $linkorigesc; ?>&username=T-<?php echo $macesc; ?>">click here</a>.
<!-- $(endif) -->

</div><br />
	<table width="240" height="240" style="border: 1px solid #cccccc; padding: 0px;" cellpadding="0" cellspacing="0">
	<tr>
	<td align="center" valign="bottom" height="175" colspan="2">
<!-- removed $(if chap-id) $(endif)  around OnSubmit -->
		<form name="login" action="<?php echo $linkloginonly; ?>" method="post" onSubmit="return doLogin()" >
			<input type="hidden" name="dst" value="<?php echo $linkorig; ?>" />
			<input type="hidden" name="popup" value="true" />
						
			<table width="100" style="background-color: #ffffff">
				<tr><td align="right">login</td>
				<td><input style="width: 80px" name="username" type="text" value="<?php echo $username; ?>"/></td>
				</tr>
				<tr><td align="right">password</td>
				<td><input style="width: 80px" name="password" type="password"/></td>
				</tr>
				<tr><td> </td>
				<td><input type="submit" value="OK" /></td>
				</tr>
			</table>
		</form>
	</td>
	</tr>
	</table>
	
<!-- $(if error) -->
<br /><div style="color: #FF8080; font-size: 9px"><?php echo $error; ?></div>
<!-- $(endif) -->

	</td>
	</tr>
</table>

<script type="text/javascript">
<!--
  document.login.username.focus();
//-->
</script>
</body>

When people try to log in, the redirect works, but if they try to log in on the English page they receive the error “invalid username or password”; if instead they use the Latviski page with the same user/password, it works and they can surf!
The Latviski page is the standard page embedded in the MikroTik hotspot folder.
I use http-chap, and md5.js is readable by all.

Does anyone know what my error is? I’m using version 4.16.
Could you help me?

Thanks
Tornado

Did you enable the hotspot logging?

/system logging
add topics=hotspot action=memory

Are you using the local user database or RADIUS? If RADIUS, enable logging for that also

/system logging
add topics=radius action=memory

Try the login again and check the log. The thing I look for in this case is the encrypted password. If the password is not encrypted, that will cause the login failure.

If you don’t see the problem, you might want to post your log.

ADD: Is the login.php file in the root directory of the server?
http://www.mysite.com/login.php
If not, be sure to change the location of the md5.js file in the login.php code here:

<script type="text/javascript" src="/md5.js"></script>
<script type="text/javascript">

If you used something like
http://www.mysite.com/login/login.php
then change the src to
src="/login/md5.js"

I am going to change the code in the wiki to
src="./md5.js"
Note the period preceding the slash. That way it will use the current working directory.

Thanks for the reply.

I’m using the internal MikroTik RADIUS; I’ve configured the users from User Manager.
I’ve logged everything.

This is from the start to my attempt to log in with the English page
(with the “invalid username or password” error).

12:36:37 dhcp,info dhcp1 assigned 172.16.10.150 to 08:00:27:D6:34:FC 
12:36:40 hotspot,debug fhs: new host detected 08:00:27:D6:34:FC/172.16.10.150 by UDP :1025 -> 172.16.10.1:53 
12:36:40 hotspot,debug fhs: dhcp host 08:00:27:D6:34:FC/172.16.10.150 added, ip 172.16.10.150 
12:36:54 hotspot,info,debug test03 (172.16.10.150): trying to log in by http-chap 
12:36:54 hotspot,debug test03 (172.16.10.150): local user not found 
12:36:54 hotspot,debug test03 (172.16.10.150): sending RADIUS authentication request 
12:36:54 radius,debug new request 3f:4e code=Access-Request service=hotspot called-id=fhs 
12:36:54 radius,debug sending 3f:4e to 127.0.0.1:1812 
12:36:54 radius,debug,packet sending Access-Request with id 34 to 127.0.0.1:1812 
12:36:54 radius,debug,packet     Signature = 0x9edbc60b8b798b0f9bf6af84e82b6325 
12:36:54 radius,debug,packet     NAS-Port-Type = 19 
12:36:54 radius,debug,packet     Calling-Station-Id = "08:00:27:D6:34:FC" 
12:36:54 radius,debug,packet     Called-Station-Id = "fhs" 
12:36:54 radius,debug,packet     NAS-Port-Id = "Local Lan" 
12:36:54 radius,debug,packet     User-Name = "test03" 
12:36:54 radius,debug,packet     NAS-Port = 2151677968 
12:36:54 radius,debug,packet     Acct-Session-Id = "80400010" 
12:36:54 radius,debug,packet     Framed-IP-Address = 172.16.10.150 
12:36:54 radius,debug,packet     MT-Host-IP = 172.16.10.150 
12:36:54 radius,debug,packet     CHAP-Challenge = 0x7e2533d5d9db0b7ec92ac5233f513c65 
12:36:54 radius,debug,packet     CHAP-Password = 0x87903132cf89881cf7b4775174e0944d 
12:36:54 radius,debug,packet       fc 
12:36:54 radius,debug,packet     Service-Type = 1 
12:36:54 radius,debug,packet     WISPr-Logoff-URL = "http://172.16.10.1/logout" 
12:36:54 radius,debug,packet     NAS-Identifier = "fhs" 
12:36:54 radius,debug,packet     NAS-IP-Address = 127.0.0.1 
12:36:54 hotspot,debug test03 (172.16.10.150): Access-Reject from RADIUS 
12:36:54 radius,debug,packet received Access-Reject with id 34 from 127.0.0.1:1812 
12:36:54 radius,debug,packet     Signature = 0xd424f1d5fd68eed7d5082ade225e416f 
12:36:54 radius,debug received reply for 3f:4e 
12:36:56 hotspot,info,debug test03 (172.16.10.150): login failed: invalid username or password

This one instead is the log of a login with the same username and password on the Latviski page, which works:

12:41:31 hotspot,info,debug test03 (172.16.10.150): trying to log in by http-chap 
12:41:31 hotspot,debug test03 (172.16.10.150): local user not found 
12:41:31 hotspot,debug test03 (172.16.10.150): sending RADIUS authentication request 
12:41:31 radius,debug new request 3f:4f code=Access-Request service=hotspot called-id=fhs 
12:41:31 radius,debug sending 3f:4f to 127.0.0.1:1812 
12:41:31 radius,debug,packet sending Access-Request with id 35 to 127.0.0.1:1812 
12:41:31 radius,debug,packet     Signature = 0x02dc9bd86029fc0dc523217fa1cf5923 
12:41:31 radius,debug,packet     NAS-Port-Type = 19 
12:41:31 radius,debug,packet     Calling-Station-Id = "08:00:27:D6:34:FC" 
12:41:31 radius,debug,packet     Called-Station-Id = "fhs" 
12:41:31 radius,debug,packet     NAS-Port-Id = "Local Lan" 
12:41:31 radius,debug,packet     User-Name = "test03" 
12:41:31 radius,debug,packet     NAS-Port = 2151677969 
12:41:31 radius,debug,packet     Acct-Session-Id = "80400011" 
12:41:31 radius,debug,packet     Framed-IP-Address = 172.16.10.150 
12:41:31 radius,debug,packet     MT-Host-IP = 172.16.10.150 
12:41:31 radius,debug,packet     CHAP-Challenge = 0xa3c2ac566536c9194436f7630f170cc9 
12:41:31 radius,debug,packet     CHAP-Password = 0xc847d54e049107f1fa2253f3316ea327 
12:41:31 radius,debug,packet       2b 
12:41:31 radius,debug,packet     Service-Type = 1 
12:41:31 radius,debug,packet     WISPr-Logoff-URL = "http://172.16.10.1/lv/logout" 
12:41:31 radius,debug,packet     NAS-Identifier = "fhs" 
12:41:31 radius,debug,packet     NAS-IP-Address = 127.0.0.1 
12:41:31 hotspot,debug test03 (172.16.10.150): Access-Accept from RADIUS 
12:41:31 hotspot,debug test03 (172.16.10.150): using profile <default> 
12:41:31 hotspot,debug test03 (172.16.10.150): interim-update <600> from RADIUS 
12:41:31 hotspot,debug test03 (172.16.10.150): session timeout <600> from RADIUS 
12:41:31 hotspot,debug test03 (172.16.10.150): adding ip->user binding 
12:41:31 radius,debug,packet received Access-Accept with id 35 from 127.0.0.1:1812 
12:41:31 radius,debug,packet     Signature = 0x88519d80977189aa3d03324716df372e 
12:41:31 radius,debug,packet     Acct-Interim-Interval = 600 
12:41:31 radius,debug,packet     Session-Timeout = 600 
12:41:31 radius,debug received reply for 3f:4f 
12:41:32 hotspot,account,info,debug test03 (172.16.10.150): logged in 
12:41:32 hotspot,debug test03 (172.16.10.150): sending RADIUS accounting Start request 
12:41:32 radius,debug new request 3f:51 code=Accounting-Request service=hotspot called-id=fhs 
12:41:32 radius,debug sending 3f:51 to 127.0.0.1:1813 
12:41:32 radius,debug,packet sending Accounting-Request with id 36 to 127.0.0.1:1813 
12:41:32 radius,debug,packet     Signature = 0x4819873edb3eb712b82ca098f4f54dcb 
12:41:32 radius,debug,packet     Acct-Status-Type = 1 
12:41:32 radius,debug,packet     NAS-Port-Type = 19 
12:41:32 radius,debug,packet     Calling-Station-Id = "08:00:27:D6:34:FC" 
12:41:32 radius,debug,packet     Called-Station-Id = "fhs" 
12:41:32 radius,debug,packet     NAS-Port-Id = "Local Lan" 
12:41:32 radius,debug,packet     User-Name = "test03" 
12:41:32 radius,debug,packet     NAS-Port = 2151677969 
12:41:32 radius,debug,packet     Acct-Session-Id = "80400011" 
12:41:32 radius,debug,packet     Framed-IP-Address = 172.16.10.150 
12:41:32 radius,debug,packet     MT-Host-IP = 172.16.10.150 
12:41:32 radius,debug,packet     Event-Timestamp = 1293709291 
12:41:32 radius,debug,packet     NAS-Identifier = "fhs" 
12:41:32 radius,debug,packet     NAS-IP-Address = 127.0.0.1 
12:41:32 radius,debug,packet     Acct-Delay-Time = 0 
12:41:32 radius,debug,packet received Accounting-Response with id 36 from 127.0.0.1:1813 
12:41:32 radius,debug,packet     Signature = 0x781ddb5b7f98efd8076162a2b3dd94e2 
12:41:32 radius,debug received reply for 3f:51 
12:41:32 radius,debug request 3f:51 processed 
12:41:32 hotspot,debug test03 (172.16.10.150): RADIUS accounting request sent



Is the login.php file in the root directory of the server?

Yes, login.php and md5.js are in the web server root directory.

I can’t understand what my error is.

What do you think?

The requests appear to be almost identical, except for the things that should be different.

Are you certain that you are sending the correct password? Do you have the web browser (IE8?) set to remember the password? Enter the password in that login.php page again and use the TAB key to select the login button. Windows has a bad habit of replacing the correct password with the password it has stored if you don’t use the tab key.

Otherwise, according to the log, the page seems to be working ok. It is the radius server (User Manager) that is rejecting the user/password.

Thanks for your time :slight_smile:

I’ve tried with 2 different XP PCs, using Mozilla Firefox 3.6 and IE 6.0, always with the same result, also using the Tab key, with no stored password.

Can I check manually, from the chap id and challenge, whether the password is sent correctly? Like an inverse operation. Maybe login.php is incorrect? (Do you think I need to customize something in its code?)

The chap challenge and response cannot be manually changed for a test. The chap challenge is time sensitive for that reason. That is why I wanted to see the logs. It would have replied with a chap challenge timeout if that was the problem.

The only thing I can think to try is changing login-by to pap. That should transmit the user and password clear text (just for a test).

/ip hotspot profile
set X login-by=http-pap

Try the login again and check the log.

You will need to change the code slightly. Remove the onSubmit="return doLogin()".

<!-- removed $(if chap-id) $(endif)  around OnSubmit -->
      <form name="login" action="<?php echo $linkloginonly; ?>" method="post" onSubmit="return doLogin()" >

I’ve done as you said and it works! With pap I can log in using login.php (English) and /lv/login.html (Latviski).

I don’t know if it is needed, but here is the log:

14:41:17 dhcp,info dhcp1 assigned 172.16.10.149 to 00:22:15:3A:C1:ED 
14:41:17 hotspot,debug fhs: new host detected 00:22:15:3A:C1:ED/172.16.10.149 by UDP :54022 -> 172.16.10.1:53 
14:41:17 hotspot,debug fhs: dhcp host 00:22:15:3A:C1:ED/172.16.10.149 added, ip 172.16.10.149 
14:41:37 hotspot,info,debug test03 (172.16.10.149): trying to log in by http-pap 
14:41:37 hotspot,debug test03 (172.16.10.149): local user not found 
14:41:37 hotspot,debug test03 (172.16.10.149): sending RADIUS authentication request 
14:41:37 radius,debug new request 3f:86 code=Access-Request service=hotspot called-id=fhs 
14:41:37 radius,debug sending 3f:86 to 127.0.0.1:1812 
14:41:37 radius,debug,packet sending Access-Request with id 45 to 127.0.0.1:1812 
14:41:37 radius,debug,packet     Signature = 0x74b0dc5119495cff2ae8944a625558ec 
14:41:37 radius,debug,packet     NAS-Port-Type = 19 
14:41:37 radius,debug,packet     Calling-Station-Id = "00:22:15:3A:C1:ED" 
14:41:37 radius,debug,packet     Called-Station-Id = "fhs" 
14:41:37 radius,debug,packet     NAS-Port-Id = "Local Lan" 
14:41:37 radius,debug,packet     User-Name = "test03" 
14:41:37 radius,debug,packet     NAS-Port = 2151677977 
14:41:37 radius,debug,packet     Acct-Session-Id = "80400019" 
14:41:37 radius,debug,packet     Framed-IP-Address = 172.16.10.149 
14:41:37 radius,debug,packet     MT-Host-IP = 172.16.10.149 
14:41:37 radius,debug,packet     User-Password = 0x746573743033 
14:41:37 radius,debug,packet     Service-Type = 1 
14:41:37 radius,debug,packet     WISPr-Logoff-URL = "http://172.16.10.1/logout" 
14:41:37 radius,debug,packet     NAS-Identifier = "fhs" 
14:41:37 radius,debug,packet     NAS-IP-Address = 127.0.0.1 
14:41:37 radius,debug,packet received Access-Accept with id 45 from 127.0.0.1:1812 
14:41:37 radius,debug,packet     Signature = 0xcc4635ebe868fe154dabe2841e4e1f88 
14:41:37 hotspot,debug test03 (172.16.10.149): Access-Accept from RADIUS 
14:41:37 hotspot,debug test03 (172.16.10.149): using profile <default> 
14:41:37 hotspot,debug test03 (172.16.10.149): interim-update <600> from RADIUS 
14:41:37 hotspot,debug test03 (172.16.10.149): session timeout <2400> from RADIUS 
14:41:37 hotspot,debug test03 (172.16.10.149): adding ip->user binding 
14:41:37 radius,debug,packet     Acct-Interim-Interval = 600 
14:41:37 radius,debug,packet     Session-Timeout = 2400 
14:41:37 radius,debug received reply for 3f:86 
14:41:37 hotspot,account,info,debug test03 (172.16.10.149): logged in 
14:41:37 hotspot,debug test03 (172.16.10.149): sending RADIUS accounting Start request 
14:41:37 radius,debug new request 3f:88 code=Accounting-Request service=hotspot called-id=fhs 
14:41:37 radius,debug sending 3f:88 to 127.0.0.1:1813 
14:41:37 radius,debug,packet sending Accounting-Request with id 46 to 127.0.0.1:1813 
14:41:37 radius,debug,packet     Signature = 0xbde8f764078d7d53296a587fe9aa5a28 
14:41:37 radius,debug,packet     Acct-Status-Type = 1 
14:41:37 radius,debug,packet     NAS-Port-Type = 19 
14:41:37 radius,debug,packet     Calling-Station-Id = "00:22:15:3A:C1:ED" 
14:41:37 radius,debug,packet     Called-Station-Id = "fhs" 
14:41:37 radius,debug,packet     NAS-Port-Id = "Local Lan" 
14:41:37 radius,debug,packet     User-Name = "test03" 
14:41:37 radius,debug,packet     NAS-Port = 2151677977 
14:41:37 radius,debug,packet     Acct-Session-Id = "80400019" 
14:41:37 radius,debug,packet     Framed-IP-Address = 172.16.10.149 
14:41:37 radius,debug,packet     MT-Host-IP = 172.16.10.149 
14:41:37 radius,debug,packet     Event-Timestamp = 1293716497 
14:41:37 radius,debug,packet     NAS-Identifier = "fhs" 
14:41:37 radius,debug,packet     NAS-IP-Address = 127.0.0.1 
14:41:37 radius,debug,packet     Acct-Delay-Time = 0 
14:41:37 hotspot,debug test03 (172.16.10.149): RADIUS accounting request sent 
14:41:37 radius,debug,packet received Accounting-Response with id 46 from 127.0.0.1:1813 
14:41:37 radius,debug,packet     Signature = 0xf654fd849d6ab92eecd91ce0d231a5a1 
14:41:37 radius,debug received reply for 3f:88 
14:41:37 radius,debug request 3f:88 processed

I’m sure that I always type the correct password.
I don’t know what to think.

That would almost prove it is the md5.js file that is malfunctioning. Try downloading the md5.js file from the router and upload it again to the server.

Are you using a current version? Like V3.30 or better?

I’m using version 4.16.

I’ve tried uploading md5.js from the router (from its default hotspot directory), but it is always the same problem.

I don’t think the cause is md5, because /lv/login.html (the Latviski page, which works) uses /md5.js, the same md5.js that the English page uses.

From /lv/login.html:

<script type="text/javascript" src="/md5.js"></script>
<script type="text/javascript">

From /login.php:

<script type="text/javascript" src="/md5.js"></script>
<script type="text/javascript">

If you have already replaced the md5.js file, then I can’t explain the failure. The code should be exactly the same. All the md5 encryption computation is done in your computer using the md5.js file code, not in the server or router. :confused:

I did think of one more thing you might try. When you get the login.php page, take a look at the source code (View Source). See if all the php variables were inserted into the code ok.

ADD: Ensure you add and remove the “onSubmit=return doLogin()” call in the login.php code as you change between login-by=http-chap and login-by=http-pap. I took the lazy way out when I wrote that wiki article. Someday I will replace that with the php code that does it automatically like the internal page.

It looks like it has all the variables; I will try to restart from zero.

Thanks again for your support

I changed the code in the wiki so it will switch between http-chap and http-pap login types automatically. No more removing the onSubmit call.

I tried it copy-and-paste straight from the wiki, and it worked with both login types. Let me know if you still have trouble.

ADD: Try entering a simple user/password in “/ip hotspot user” like user=test and password=test. See if that works.

BTW, I just connected and logged in with my Blackberry.

Hi,

I’ve restarted from zero, but nothing. Certainly I’m missing something.

I have, in the local folder and in the web server folder, the default files of the hotspot folder, customized as you say in the wiki.
So I have md5 on local and on remote, lv on local and on remote, login.htm on local and not on remote, login.php on remote and not on local, and so on.

Which files do I need to have in the hotspot local folder and in the web server root folder? Maybe that is my error?

ADD:
I understand.
Auth with the Latviski page works because the system uses the lv folder on the MikroTik board and not the lv folder on the web server.
If I delete the lv folder on the web server, I can continue to use the Latviski page for login until I delete this folder on the MikroTik.

What do you think?

The remote web/php server doesn’t do anything but “fill in the blanks” on the login.php doc. None of the encryption is done there. The remote server only provides the files for the client computer. Nothing is modified in the md5.js file. Just the login.php file. The client computer does the md5 encryption on the password with the function in md5.js. The md5.js file must be on the remote server and readable. That is all.
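
The client-side computation described in the last reply can be checked offline against the RADIUS debug log. The following is an added example, not code from the thread or from MikroTik: it parses the wrapped `CHAP-Password` lines in the format logged above, splits the attribute into the CHAP identifier byte and the 16-byte digest (the RFC 2865 layout), and recomputes MD5(chap-id + password + chap-challenge) for a known password. `decode_js_octal` assumes RouterOS writes `$(chap-id)` and `$(chap-challenge)` as three-digit octal escapes, which this page does not show; the sample log and all function names are constructed for the illustration.

```python
import hashlib
import re

# RouterOS "radius,debug,packet" lines look like "Name = value"; a long hex
# value wraps onto a continuation line that holds only the remaining digits.
ATTR = re.compile(r"radius,debug,packet\s+([\w-]+) = (.+?)\s*$")
CONT = re.compile(r"radius,debug,packet\s+([0-9a-f]+)\s*$")


def parse_chap(log_text):
    """Return (chap_id, response, challenge) from one logged Access-Request."""
    attrs, last = {}, None
    for line in log_text.splitlines():
        m = ATTR.search(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2)
        elif last and (c := CONT.search(line)):
            attrs[last] += c.group(1)          # re-join the wrapped hex value
    password = bytes.fromhex(attrs["CHAP-Password"][2:])    # strip "0x"
    challenge = bytes.fromhex(attrs["CHAP-Challenge"][2:])
    if len(password) != 17:
        raise ValueError("CHAP-Password must be 1 id byte + 16 digest bytes")
    return password[:1], password[1:], challenge


def chap_response(chap_id, password, challenge):
    """MD5(chap-id + password + chap-challenge), what doLogin() feeds hexMD5()."""
    return hashlib.md5(chap_id + password.encode("latin-1") + challenge).digest()


def password_matches(log_text, password):
    """True if the logged CHAP-Password was produced from this password."""
    chap_id, response, challenge = parse_chap(log_text)
    return chap_response(chap_id, password, challenge) == response


def decode_js_octal(literal):
    r"""Bytes that a JavaScript string literal such as '\373\015' evaluates to."""
    def repl(m):
        return "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8))
    return re.sub(r"\\(\\|[0-3][0-7]{2})", repl, literal).encode("latin-1")


# Constructed sample (not taken from the thread), laid out like the logs above.
_ID, _CHAL = b"\x2a", bytes.fromhex("00112233445566778899aabbccddeeff")
_ATTR = (_ID + chap_response(_ID, "example-pass", _CHAL)).hex()
SAMPLE_LOG = "\n".join([
    '12:00:00 radius,debug,packet     User-Name = "demo" ',
    f"12:00:00 radius,debug,packet     CHAP-Challenge = 0x{_CHAL.hex()} ",
    f"12:00:00 radius,debug,packet     CHAP-Password = 0x{_ATTR[:32]} ",
    f"12:00:00 radius,debug,packet       {_ATTR[32:]} ",
    "12:00:00 radius,debug,packet     Service-Type = 1 ",
])

if __name__ == "__main__":
    print("right password:", password_matches(SAMPLE_LOG, "example-pass"))
    print("wrong password:", password_matches(SAMPLE_LOG, "Example-pass"))
    # An intact literal versus one whose backslash arrived doubled:
    print(decode_js_octal(r"\052"), decode_js_octal(r"\\052"))
```

Decoding the `chap-id` and `chap-challenge` literals copied from View Source of login.php and comparing them with the first byte of `CHAP-Password` and with `CHAP-Challenge` in the log shows whether the values reached the browser unchanged.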