Hotspot with WPA-Enterprise login

rumenbalev · December 30, 2013, 6:47pm

The idea is to secure my hotspot and not asking the customers to enter severel passwords to get to the internet. Is there anybody with expirience in doing this (I know that it is possible with RADIUS server).

I want just to print voucher like in the standart hotspot, and the users to authenticate with the password in the WPA secured wifi network.

Thanks in advance

tashes · February 26, 2014, 2:14pm

Any news about this issue?
+1 for hotspot using wpa enterprise authentication.

tashes · February 26, 2014, 2:16pm

Any news about this issue?

ommk · August 1, 2015, 12:28pm

I’m interested in this topic as well in case anyone has gotten it working anyhow.

How I would like it to work is pretty much same manner as hotspot - just don’t need login html page. I got to a point WPA2 Enterprise works nicely. Only cannot set attributes e.g. Mikrotik-Rate-Limit. I think the problem is in NAS-Port for which freeradius is giving a warning it being missing.

alim1369 · April 28, 2019, 9:26pm

Interesting idea,
Do you have any success story of that?

Prometeo · September 22, 2020, 3:54pm

Interested.
But no one answer back to this

bpwl · September 22, 2020, 9:59pm

Linking the wifi WPA2-EAP logon to the hotspot or other internet filters (webproxy, rates, firewall filters, URL access rights …) that use to the user specific quota, requires the user identification, that now is lost when one passes the WPA2-EAP access control.

I only worked with one solution before , and that is RSSO (Radius single sign on). I had it with Fortinet and that worked very well. Maybe there are other RSSO solutions that could be used. Would be very nice , as the WPA2-EAP logon credentials are stored in the client device. No need for ‘persistent’ connections, to avoid re-login.

bpwl · October 25, 2021, 3:10pm

Is Hotspot 2.0 useful for a multi-AP private network ??? Roaming? Single sign-on for a hotspot (MT or other private hotspot) ?
Seems not the case, is a totally different setup, for announcing public wifi access.

Still trying to implement this WPA-Enterprise single signon (without using Fortigate or Watchguard), as many Radius parameters apply to a portal only, there is a need to identify the user for the Hotspot portal. Exactly what they do here: : https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/rsso_about.html

Just found another one that automatically maps the WPA/Enterprise EAP/PEAP/MSCHAPv2 login to the portal login. If you study how they do it, maybe there is some ROS script that does the same and creates either the needed MAC user, or the MAC Cookie in the portal.
https://www.websense.com/content/support/library/web/v80/radius_agent/radius_agent.pdf