This is my first post to the forum and I would like to say hi to everyone here.
I am going to be as descriptive as possible in order to get a clear answer on whether what I am looking to do is possible.
I am going to buy quite a lot of Mikrotik routerboards in order to launch a large network of Wireless hotspots.
Security will be open (open wifi, no encryption)
Authentication needs to be done with Radius with a central Freeradius server which is accessed from the internet, not lan.
Each Mikrotik will have an unknown public IP address, as the internet connection IP which feeds the mikrotik might change on each power up.
A welcome page will prompt the user to enter his cell phone in order to receive an sms with a password which will last for 1 hour only (username= cellphone, password= randomly generated)
The user will then be shown the user/pass page, enter his cell phone + newly generated password, and be allowed to use the public internet for 1 hour.
After 1 hour, the system needs to drop the connection altogether and force him to repeat the same process from the beginning in order to get a new password (username remains the same).
I have a linux server setup which I will install freeradius, mysql and the welcome page for the user to enter his cell phone. When the cell phone is entered, the user will authenticate via the hotspot page of the mikrotik interface in order to get his access granted by the freeradius database.
Is this a possible case scenario?
Are there any similar setups/examples present anywhere?
Is there another way to do this (easier?)
Any feedback/help/scripts and information will be greatly appreciated.
It would probably be better if from your unencrypted landing page (which, BTW, you could set up without hotspot being involved IF your web server is within your network), after entering their phone, you send them a Wi-Fi password that is bound to their device’s MAC address (the one from which they entered their phone). RouterOS can be configured to require a different Wi-Fi password (and/or display a different SSID) based on MAC address, along with providing a default unencrypted connection for unknown MACs, with all of this data being supplied by a RADIUS server.
This way, you provide better security for your users, as well as eliminating the username field completely.
I’m curious… how do you plan on monetizing this? Do you have a contract with the mobile provider for getting money from SMS messages you send? If the contract is instead the other way around (getting money for SMS messages you receive), it might be a better idea to ask people to send an SMS to your number (which would of course be connected to your server), with a certain text, at which point you get your money, and send them back the generated password.
I replied from my iPhone but the post never showed up, so I am writing it again.
The project has to be an open wifi, it's a requirement.
It's 100% free for the users, there is no gain from it. Even the SMS will be paid by the network owner, which will deliver the user credentials.
The way I see it is that the user should be able to follow the exact flow:
Find our open WiFi
See a landing page which will ask for a user/pass and also show the “don’t have an account? Enter your cell phone to get one FREE”
Wait for SMS and then login accordingly
Use the internet for 1 hour and then drop the connection.
That's it.
No monitoring is required as each session only lasts 1 hour and the user is always using the same cell phone to get another hour.
This is it, simple and free.
I don't see any example on how to put an “expiry” on the Radius server in order for the Mikrotik to disconnect the user.
I see that the User Manager has it but not in radius.
I need some guidance for this as it's important for me to be able to kick off users in 1 hour.
If it’s all going to be free and without monitoring, why the landing page and registration to begin with? Why not skip the whole process?
If the point is “no gain, but people need to know who gave them what they’re using”, you could have a landing page with your logo and what not, and a “Start browsing” button, which would enable the user to browse for 1 hour (unencrypted and all) before landing on that same page again, to press the button again.
Behind the scenes, you’re having a simple hotspot login page (initially set up on all routers) which has hidden form fields that automatically fill a predefined username/password combo that the router is set up to allow a maximum of 1h uptime. Oh, and use a profile that would specify “shared-users” to a high value (like 255 or whatever the length of your address pool is), so that everyone can use this account separately (i.e. 1h per device).
You can use FreeRADIUS too. Just make FreeRADIUS set the “Session-Timeout” attribute upon login.
Some ideas are just bad, and need to be called out as such. I’m trying to help you achieve your goal, which (as I’m trying to convince you) may be better implemented by a different - better - setup/idea.
But why? Why bother users with that? I can understand it if you (or the mobile provider?) need to make money through this procedure, or if you want to monitor traffic (for statistics’ sake), or if this procedure would somehow provide better security for users… but none of these is true, so what gives?
As you can see above, what you want can be done, and if you could get yourself just one MikroTik router for testing purposes, you’ll see it’s not very hard to set up. But it’s pointlessly complicated. It’s like you’re asking me to help you create a password for a folder that will always be empty - pointless I tell you.
To let you understand the SMS concept, it's purely to be able to stop non-local cell phone users (local citizens only) from using the service. E.g. you won't be able to use this free service if you are not on a local network with a local prefix. I hope you understand it now, and yes, it's a requirement, not a complication.
Thank you again for your advice and I will come back with my results.
I said “pointlessly complicated”, but since there is a point (limiting access to local citizens is a point), then we’re no longer talking about a “pointless” complication (that happens to also be a requirement) .
The only thing I have left to say is to reiterate what I said in the last post - get just one MikroTik first, test it out, and then buy the rest, and configure them with copies from the first router’s configuration.
Everything is set up and working except the session-timeout part.
I have the raduser and radreply tables set up like this:
raduser
id  username  attribute           op  value
1   testuser  Cleartext-Password  :=  testpass
radreply
id  username  attribute           op  value
1   testuser  Mikrotik-Group      :=  default
I am able to login using this setup.
I have been reading up on Session-Timeout but I do not see any implementation of it anywhere in SQL form. I am guessing some kind of SQL needs to be added to the sql.conf (I used the default one from the mikrotik examples) and also another field in the radreply table to send the session timeout string and value…
My requirement is to simply log the user off (from the hotspot) and force him to re-login using his user and pass again (simply to avoid idle connections)… its ok to re-login using the same credentials.
I don’t know about sending the session timeout from the RADIUS server, but you can assign a session timeout to the hotspot user profile (Mikrotik-Group). Since you are assigning Mikrotik-Group=default from the RADIUS server, then this should work:
/ip hotspot user profile
set default session-timeout=1h
You should be able to send it from the RADIUS server like this in the radreply table:
id  username  attribute        op  value
1   testuser  Session-Timeout  :=  1h
Enable radius debug logging to check the response from the RADIUS server in the router. Ensure it is being sent correctly.
I tried what you suggested by adding that row in radreply, but it conflicts with the login process ("invalid username or pass").
Do I need to modify the sql.conf of the freeradius to handle such a request? Here is what I have now.
# The default queries are case insensitive. (for compatibility with
# older versions of FreeRADIUS)
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
    FROM ${authcheck_table} \
    WHERE Username = '%{SQL-User-Name}' \
    ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
    FROM ${authreply_table} \
    WHERE Username = '%{SQL-User-Name}' \
    ORDER BY id"
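An added example, not code from anyone in this thread, of what the Linux server behind the welcome page could do to provision the one-hour credential that the radreply and sql.conf posts above talk about: check the local cell prefix, generate the SMS password from a CSPRNG, and emit parameterised statements for the FreeRADIUS tables. It assumes the default table names radcheck and radreply (the thread calls the check table raduser), DB-API %s placeholders as used by the common MySQL drivers, and a hypothetical local prefix. Note that Session-Timeout is an integer RADIUS attribute measured in seconds, so the stored value is 3600, not 1h.

```python
import re
import secrets
import string
from typing import List, Tuple

LOCAL_PREFIX = "+357"            # constructed/hypothetical local country code
SESSION_SECONDS = 3600           # Session-Timeout is integer seconds: 3600, not "1h"
OTP_ALPHABET = string.ascii_uppercase + string.digits
Row = Tuple[str, str, str, str]  # (username, attribute, op, value)


def is_local_cell(phone: str) -> bool:
    """Only local subscribers may register: local prefix followed by 8 digits."""
    return re.fullmatch(re.escape(LOCAL_PREFIX) + r"\d{8}", phone) is not None


def generate_otp(length: int = 8) -> str:
    """One-hour password from the CSPRNG, short enough to type from an SMS."""
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


def build_rows(phone: str, otp: str, ttl: int = SESSION_SECONDS) -> Tuple[List[Row], List[Row]]:
    """radcheck carries the password; radreply carries the group and the timeout."""
    if not is_local_cell(phone):
        raise ValueError("not a local cell number")
    check = [(phone, "Cleartext-Password", ":=", otp)]
    reply = [(phone, "Mikrotik-Group", ":=", "default"),
             (phone, "Session-Timeout", ":=", str(ttl))]
    return check, reply


def provisioning_statements(phone: str, otp: str, ttl: int = SESSION_SECONDS):
    """Statements that replace any earlier credential for this number with the new
    one, returned as (sql, params) pairs to run with cursor.execute in one
    transaction. Placeholders keep the phone/password out of the SQL text."""
    check, reply = build_rows(phone, otp, ttl)
    stmts = [("DELETE FROM radcheck WHERE username = %s", (phone,)),
             ("DELETE FROM radreply WHERE username = %s", (phone,))]
    for table, rows in (("radcheck", check), ("radreply", reply)):
        for row in rows:
            stmts.append((f"INSERT INTO {table} (username, attribute, op, value) "
                          "VALUES (%s, %s, %s, %s)", row))
    return stmts
```

Because the hotspot enforces Session-Timeout itself, the router drops the session after 3600 seconds even if the server is unreachable at that moment; the old radcheck row is removed on the next registration, so the previous password stops working then.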