Hotspot with external login page - re-authenticate user

I have set up an external hotspot login page and everything works nicely until I send login information back to mikrotik.

After the login information is sent back I keep getting redirected back to the login page. Only way to ‘re-authenticate’ against radius is to release and renew IP address on client.

I have tried two methods of sending login username and password back to the mikrotik after the account has been added via the external login page.

Method 1: post
(I hard coded the mac for testing)

Hotspot login page

Method 2: url redirect
After account is added redirect back to mikrotik specifying username and password.
http://host/login?user=xx:xx:xx:xx:xx:xx&password=

When looking at radius debug logs on mikrotik, I don't see any request generated when using either method.

Any help and direction is appreciated.

Thanks,
-dan

This will not work with most browsers. They will need an ip or valid domain name.

<form name="login" action="http://host/login" method="post">

“host” is not a fully qualified domain name.

Here is a wiki on the external login procedure. Maybe this will help.
http://wiki.mikrotik.com/wiki/HotSpot_external_login_page

I removed the ip, host is just intended as a place holder for the real ip or fqdn for example purposes.

That is probably not the only problem, just the first one I noticed. Read the wiki. That should help.

If you are not going to encrypt the password, then set the login type to pap.

/ip hotspot profile
set X login-by=http-pap

Also, set a more verbose logging mode for radius

/system logging
add topics=radius,debug

Try the login again and check the log.

Thanks for the reply! My issue was the login-type (I had only specified mac).

After specifying the type as mac,http-pap it worked.

Which method is a better way of performing the login, url redirect or post method?

My next step is to add encryption. I have not been able to locate information on doing this, can any direction be given here?

Thanks again!

-dan

Both the internal and external login pages are designed for a post form method. The MD5 encryption is set for that.

The router will send a chap-challenge with the login page that the MD5 routine will use to encrypt the password. That is why you need to forward several of those variables to external login.php page.

Besides, the error message is always good to have. That way you know why you didn’t log in. :)
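The MD5 step described in the post above, as an added example that is not part of the thread and not MikroTik's own code. It assumes the hotspot profile allows login-by=http-chap, that chap-id and chap-challenge reach the external page as backslash-octal text, and that the digest is taken over chap-id, then the password, then chap-challenge; all sample values are constructed.

```python
import hashlib
import hmac
import re

_OCTAL = re.compile(r"\\([0-7]{1,3})")


def decode_octal_escapes(value: str) -> bytes:
    """Convert backslash-octal text such as r'\251\012' to raw bytes."""
    out, pos = bytearray(), 0
    for m in _OCTAL.finditer(value):
        out += value[pos:m.start()].encode("latin-1")  # literal characters
        out.append(int(m.group(1), 8) & 0xFF)           # one escaped byte
        pos = m.end()
    return bytes(out + value[pos:].encode("latin-1"))


def chap_response(chap_id: str, password: str, chap_challenge: str) -> str:
    """Hex MD5 over chap-id || password || chap-challenge."""
    data = (decode_octal_escapes(chap_id)
            + password.encode("latin-1")  # assumption: Latin-1 passwords only
            + decode_octal_escapes(chap_challenge))
    return hashlib.md5(data).hexdigest()


def login_fields(username, password, chap_id, chap_challenge) -> dict:
    """Fields to POST to the router's /login: the hash replaces the password."""
    return {"username": username,
            "password": chap_response(chap_id, password, chap_challenge)}


def verify(chap_id, chap_challenge, response_hex, stored_password) -> bool:
    """Authenticator side: recompute from the stored password and compare."""
    expected = chap_response(chap_id, stored_password, chap_challenge)
    return hmac.compare_digest(expected, response_hex.lower())


if __name__ == "__main__":
    # Constructed sample values, not captured from a real router.
    cid = r"\251"
    chal = r"\012\345\067\200\111\222\333\044\155\166\377\001\123\064\245\156"
    fields = login_fields("xx:xx:xx:xx:xx:xx", "s3cret", cid, chal)
    print(fields)  # the password field is 32 hex characters, not the password
    print(verify(cid, chal, fields["password"], "s3cret"))
```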

I'm not using the php page, my external app uses ASP/VB. I wasn't sure what needed done at the router level to enable https. I will take a look at the php example and try to implement the same into my app. Any other suggestions are welcome.

Thanks again for the direction!