
 
SunnyNL
just joined
Topic Author
Posts: 9
Joined: Sat Feb 25, 2012 4:26 pm
Location: Netherlands

HotSpot as an EAP-TLS alternative

Mon Mar 05, 2012 1:49 am

Dear All,

I need some help in deciding between an external RADIUS server and using the HotSpot function in RouterOS.

CURRENT SITUATION
Situation: Student house
Active users: 20+
Active devices: 50+ (ranging from PCs to smartphones to Xbox)
Active connections: 500 ~ 2000 (some are using torrent)
Router: RB1100AHx2 (it's overkill, I know)
Access Points: 3 x RB751U-2HnD
Internet connection: Consumer 120 Mbit/s up / 12 Mbit/s down (theoretically)

TOPOLOGY
INTERNET <-> RB1100AHx2 <-> RB751U-2HnD <-> USER

CURRENT TECHNIQUES USED
- PoE (RBGPOE) for the APs
- CAT5e SFTP High Quality cables
- NAT
- WPA2 AES
- All AP's share the same SSID

GOALS
- Simple user authentication for PCs / smartphones / Xbox / tablets

PROBLEMS
- No unique user authentication

DESCRIPTION
In this student house, one person has the internet contract in his name (the 'Internet Master'). The costs of this internet connection are evenly shared among the residents who would like to have internet.
The problem with this is that not everybody wants to pay for the internet, or that they only pay 2 months later, after you have asked them 20 times....
So if one of the residents decides not to pay for the internet, we need to change the WPA2 password every time and hope that he will not find out the new password. Another issue that was suggested is that one user pays his share for the internet, but that password is then used by others who didn't pay.

My first thought was to implement an EAP-TLS solution.
The reason for choosing an EAP-TLS solution is that, in this way, every user has to configure their devices (laptops, smartphones, etc.) only once, and the 'Internet Master' can switch his or her connection on and off if he didn't pay (in time). Unfortunately, RouterOS does not support RADIUS / EAP-TLS services unless it is an external solution outside of RouterOS.

Perhaps the HotSpot solution in RouterOS can be of help. I have been reading the forum and manuals for a few days now, and on a couple of pages where they were talking about EAP-TLS, one is referred to the HotSpot solution using User Manager. I understand that it is possible to implement a solution where every user has to actively log in before they have internet access.
The management needs to be done by the person who has the internet contract (the Internet Master), who isn't a real network expert...

I hoped to find a solution on my own using the manuals and the User Manager online demo.
The demo does not work, and I can't find the User Manager package on the RouterBoard website...

The real question here is: is it possible to make such a solution where a user has to log in only once in their lifetime / for a long period, to have continuous internet access? Especially because it will not be a good working solution if a smartphone user has to actively log in every time to have their smartphone synced with their e-mail accounts / Facebook / etc. As I understand it, a user has to manually log in every time they need internet access.

If someone could help me with this challenge, I would be most grateful!
Also, thank you for reading my story ;-)


Of course, I'm not asking you to chew everything for me; I am very eager to learn and to read, but I just did not know where to start, basically.
Last edited by SunnyNL on Wed Mar 21, 2012 11:18 pm, edited 2 times in total.
If you like my ideas or reactions, give me karma :-)
 
SunnyNL
just joined
Topic Author
Posts: 9
Joined: Sat Feb 25, 2012 4:26 pm
Location: Netherlands

Re: HotSpot as a PEAP alternative

Wed Mar 07, 2012 9:10 pm

*BUMP*
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: HotSpot as a PEAP alternative

Wed Mar 07, 2012 10:01 pm

The user-manager package is downloaded along with the rest of the firmware and installed the same way. As for how to configure it, we use our own RADIUS server and not User Manager, but there is a wiki page for that.

One thing to know about and keep in mind with the hotspot is that in order to log in, you need to have a fully functioning web browser. This means that an Xbox will not be able to sign in by itself; it will need to be manually bypassed to make it past the login page to gain internet access. The same goes for a Wii or a PS3. That may or may not be a problem for you.

Yes, you can control how often a guest needs to sign into the network within the profile itself: session timeout, idle timeout, and interim update.
http://wiki.mikrotik.com/wiki/RADIUS_Client
I believe the interim update attribute will make the router check every so often to see if the account is still valid or not. If it is not, it should then kick the user off. How you update that on your back end is up to you. Idle timeout defines how long the guest can go without passing traffic until they are required to sign back in. Session timeout will define when the guest is automatically kicked off and needs to sign in again. There are a lot more controls available as well with the RADIUS settings. The options are also not just tied to Hotspot, but can be used for many services within the MikroTik.

If you want more of a turnkey solution that will allow you to bill the customer on a recurring basis and take credit cards as payment, you can look into this solution. It would also allow you to manage the login pages, as well as several other features you may find useful.
http://www.myinnsite.com/
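The RouterOS side of what Feklar describes (an external RADIUS server behind the HotSpot, with the session/idle timeouts and interim update set in the profiles), written out as RouterOS commands. This is an added example, not commands posted in the thread or taken from MikroTik documentation; the RADIUS server address, shared secret, profile names and user name are assumptions, and the RADIUS server itself (User Manager, FreeRADIUS or anything else) is not shown.

```routeros
# Added example, not from the thread. RADIUS address, secret, profile and user names are assumed.

# 1. Point the HotSpot at an external RADIUS server.
/radius add service=hotspot address=192.168.88.250 secret=ChangeThisSecret timeout=2s \
    comment="student-house RADIUS (assumed address)"

# 2. Make the HotSpot server profile use RADIUS for authentication and accounting.
#    radius-interim-update is the "interim update" Feklar mentions: how often the router
#    sends an Accounting-Request (Interim-Update) for every active session.
/ip hotspot profile set [find name=hsprof1] use-radius=yes radius-accounting=yes \
    radius-interim-update=5m

# 3. Let the RADIUS server terminate a session on demand (RFC 5176 Disconnect-Request),
#    so that disabling an account on the server drops the resident right away instead
#    of at the next timeout.
/radius incoming set accept=yes port=3799

# 4. Local user profile with long timeouts, so phones are not sent back to the login page
#    all day. Per-user Session-Timeout / Idle-Timeout attributes in the Access-Accept
#    override these values when the RADIUS server sends them.
/ip hotspot user profile set [find name=default] session-timeout=4w2d idle-timeout=none \
    keepalive-timeout=none shared-users=1

# 5. Operator's view: who is logged in right now, and how to kick one resident off.
/ip hotspot active print
/ip hotspot active remove [find user="jan"]
```

With `radius-accounting=yes` the router also sends Accounting-Start/Stop records, so the RADIUS server has the per-user session history that billing ("part 2" later in the thread) would need. Step 3 is optional but is what turns "disable the account on the server" into an immediate disconnect rather than a wait for the session or idle timeout to expire.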
 
SunnyNL
just joined
Topic Author
Posts: 9
Joined: Sat Feb 25, 2012 4:26 pm
Location: Netherlands

Re: HotSpot as a PEAP alternative

Wed Mar 21, 2012 11:18 pm

Hi Feklar,

Thank you for your constructive reaction!

The problem is not so much the billing problem, but more the fact that the hotspot or user manager RADIUS doesn't provide a user-based security solution that can control the edge of the network, before actually connecting to the network.

This way, the wireless is more secure (and perhaps even more stable).

The problem could partly be solved by implementing WPA2-EAP authentication with a pre-shared key, but that will kill the wireless solution as being a single sign-on solution (for the (wireless) network itself).
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: HotSpot as an EAP-TLS alternative

Thu Mar 22, 2012 5:55 pm

You should be able to use EAP with the wireless and a Radius server so that each end user will have their own user name and password and you can enable/disable it whenever you choose. I've never used that however, so I don't know what would be involved or how it would handle roaming between access points. I don't think it should require people to put in their user name and password each time they connect to the access point, but I could be wrong.

So exactly what are your goals with a "user-based security solution that can control the edge of the network"? Are you just looking to control who can attempt to connect to the internet totally so before they can even connect to the wireless they have to pay for access? Are you looking to prevent people from "seeing" each others traffic over the layer2 network or being able to sniff wireless traffic? That will require a slightly different setup, but is easy enough to do if you have the right equipment. If you are just looking for a way to get people to sign in via a hotspot where they can sign up for service and pay in advance, then that again requires a different kind of setup. You can still have an encrypted wireless setup with the hotspot solution through WPA or WPA2.

It all comes down to what goals you have and what kind of solution you want to implement. The more specific you can get with what you want to see happen, the easier it is to give answers and look for the solution you want. RouterOS is very powerful and has a ton of options and ways to go about doing things, some are easier and some are very complex. Radius gives you the ability to give each person a unique username/password that you can control from a central location, you can control how many people can sign in with the password, and the other access parameters they have such as bandwidth, and length of connection.
 
SunnyNL
just joined
Topic Author
Posts: 9
Joined: Sat Feb 25, 2012 4:26 pm
Location: Netherlands

Re: HotSpot as an EAP-TLS alternative

Thu Mar 22, 2012 6:22 pm

Billing is pretty much part 2, to enable or disable an account is sufficient at the moment.

If a 'roomie' wants to connect to the wireless network (by clicking the right SSID in Windows, for example), I would like it in such a way that this user has to give his personal username / password. After that he connects to the wireless network.

Pretty much the same as WPA(2)-PSK, but with a personal username/password.
 
pjulian
Member Candidate
Posts: 267
Joined: Mon May 31, 2004 12:16 pm
Location: Sydney, Australia

Re: HotSpot as an EAP-TLS alternative

Sun May 20, 2012 6:41 pm

You could just use the internal hotspot user section on the RB1100 and do MAC authentication; you can even mix MAC- and user-ID-based authentication if you want.
That way it would work for Xbox and phones and laptops no problem, and your Internet Master can still disable access as required; it's just a matter of adding a comment on each MAC entry so he knows which MAC is for which person.

Once you add them in, you just create an IP binding which allows the user's MAC to bypass the hotspot authentication and get access: set the MAC address to the MAC of the device, the Address field to 0.0.0.0, leave the To Address field empty, set Server to All (or, if you have multiple hotspot server profiles defined, choose the server), then set Type to bypassed and you are done.

Easy to manage, full control.

Regards
Paul
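Paul's MAC-based recipe as RouterOS commands, including the "mixed" case (a HotSpot user pinned to one MAC) and the disable step the Internet Master would use. This is an added example, not commands from the thread; the MAC addresses, room numbers, names and the password are made up.

```routeros
# Added example, not from the thread. MACs, names, rooms and the password are made up.

# One ip-binding of type=bypassed per device: that MAC never sees the login page.
# address/to-address are left empty (the 0.0.0.0 Paul mentions is the WinBox way of saying
# "any"). The comment is what lets a non-expert see whose entry is whose.
/ip hotspot ip-binding add mac-address=00:11:22:33:44:01 server=all type=bypassed \
    comment="room 3 - Jan - laptop"
/ip hotspot ip-binding add mac-address=00:11:22:33:44:02 server=all type=bypassed \
    comment="room 3 - Jan - Xbox"
/ip hotspot ip-binding add mac-address=00:11:22:33:44:03 server=all type=bypassed \
    comment="room 5 - Piet - phone"

# Mixed mode: a device that should still log in, but only from one MAC, gets a HotSpot
# user with the MAC filled in instead of a binding. Another MAC with the same credentials
# is rejected.
/ip hotspot user add name=piet-laptop password=SomeLongPassword mac-address=00:11:22:33:44:04 \
    profile=default comment="room 5 - Piet - laptop"

# Jan stops paying: disable every entry carrying his name, then drop the host entries the
# hotspot already created for those MACs so the change takes effect at once.
/ip hotspot ip-binding set [find comment~"Jan"] disabled=yes
/ip hotspot host remove [find mac-address=00:11:22:33:44:01]
/ip hotspot host remove [find mac-address=00:11:22:33:44:02]

# Jan pays: one command puts him back.
/ip hotspot ip-binding set [find comment~"Jan"] disabled=no
```

One caveat a practitioner would want stated: a bypassed binding trusts the MAC address alone, and anyone already on the Wi-Fi can set their adapter to a paying resident's MAC. This scheme therefore controls convenience for known devices, not identity, and belongs behind a WPA2 key that only residents know rather than on an open SSID.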
 
nickshore
Member
Posts: 468
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: HotSpot as an EAP-TLS alternative

Mon May 21, 2012 1:12 pm

You can also use an entry in the access list to set a specific WPA2 key for each user; you need to set them up using the MAC address of the device they will use to connect.

Once all users have been set up this way, you would turn off the Default Authenticate on the wireless interface.

Nick.
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
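Nick's per-device WPA2 key approach written out as RouterOS commands for one of the RB751U-2HnD access points, ending with the default-authentication switch he mentions. This is an added example, not commands posted in the thread; the interface name `wlan1`, the security-profile name, the MAC addresses, keys, names and rooms are made up.

```routeros
# Added example, not from the thread. Interface, profile name, MACs, keys and names are made up.

# Security profile: WPA2 with AES, mode=dynamic-keys. The profile's own key is only a
# placeholder: once default-authentication is off, only access-list entries can connect,
# and each of those supplies its own key.
/interface wireless security-profiles add name=residents mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=PlaceholderKeyNeverHandedOut
/interface wireless set wlan1 security-profile=residents

# One access-list entry per device. The MAC selects the entry, private-pre-shared-key is
# the key that device must use, and the comment tells the Internet Master whose it is.
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:01 \
    private-pre-shared-key="Jan-laptop-key-2012" comment="room 3 - Jan - laptop"
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:02 \
    private-pre-shared-key="Jan-xbox-key-2012" comment="room 3 - Jan - Xbox"
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:03 \
    private-pre-shared-key="Piet-phone-key-2012" comment="room 5 - Piet - phone"

# Once every resident's devices are listed, stop accepting anything not in the list.
/interface wireless set wlan1 default-authentication=no

# Cutting Jan off: disable his entries and kick his current association. Nobody else's
# key changes, which is the point compared with rotating one shared WPA2 password.
/interface wireless access-list set [find comment~"Jan"] disabled=yes
/interface wireless registration-table remove [find mac-address=00:11:22:33:44:01]
/interface wireless registration-table remove [find mac-address=00:11:22:33:44:02]
```

Two practical notes. First, the access list lives on the AP, so with three RB751U-2HnD units sharing one SSID the same entries have to be kept on all three (or the resident only gets in on one). Second, unlike a MAC-only hotspot bypass, cloning a MAC is not enough here: the cloned device would also need that entry's key, so this is the stronger of the two per-device schemes in the thread, and the one that actually stops a non-paying resident at the wireless edge as SunnyNL asked.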
