twistmachine
just joined
Topic Author
Posts: 2
Joined: Mon Dec 02, 2019 5:15 pm

How to reverse captive portal (aka juniper web auth)

Mon Dec 02, 2019 5:24 pm

Hello everyone,

First, thanks to MikroTik for their great products; we have worked with them for 6 years now and we use them on all our deployments.

Currently we deploy MikroTik CHR as a virtual router in our OpenStack public cluster and they are great.
One of my customers is currently challenging me with an old crappy solution called Juniper Web auth.
This feature simply creates a web portal that allows a public user (from WAN) to log in and then to be granted by this public IP in the firewall.

So the process is simple:

user -> web interface -> login -> user public IP is allowed in the firewall and then user is NATed

I'm currently trying to recreate that kind of behaviour with MikroTik hotspot but I'm a bit confused with this solution (it's my first time on it).

Can someone who knows hotspot well help me to reproduce it?

Thanks in advance.
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: How to reverse captive portal (aka juniper web auth)

Mon Dec 02, 2019 7:50 pm

Well, you could create a simple web portal where, when a user successfully logs in, a firewall accept rule would be created with the help of the MikroTik API...
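A sketch of the portal-side step suggested above, added here as an example and not part of the original post or any MikroTik code. It assumes the RouterOS v7 REST API, a hypothetical router hostname, and a hypothetical address list `webauth-allowed` that one existing accept rule matches; it uses an expiring address-list entry instead of a new accept rule per login, and it only builds the request.

```python
import ipaddress
import json
import urllib.request

# Assumptions (not from the thread): RouterOS v7 REST API over HTTPS, and an
# address list "webauth-allowed" already matched by one firewall accept rule.
ROUTER_URL = "https://router.example.invalid/rest/ip/firewall/address-list"
ALLOW_LIST = "webauth-allowed"


def allowed_source(remote_addr: str) -> str:
    """Return the canonical client IP, or raise ValueError if it must not be allowed.

    remote_addr must be the TCP peer address seen by the portal itself, never a
    client-supplied header such as X-Forwarded-For.
    """
    ip = ipaddress.ip_address(remote_addr.strip())  # ValueError on garbage input
    if not ip.is_global:
        # Private, loopback, link-local and reserved ranges are never WAN users.
        raise ValueError(f"refusing non-public source address: {ip}")
    return str(ip)


def build_allow_request(remote_addr: str, username: str, ttl: str = "8h"):
    """Build (without sending) the request that adds a temporary allow entry."""
    entry = {
        "list": ALLOW_LIST,
        "address": allowed_source(remote_addr),
        "timeout": ttl,  # entry expires on its own, so no stale permanent access
        "comment": f"webauth user={username}",  # audit trail on the router
    }
    return urllib.request.Request(
        ROUTER_URL,
        data=json.dumps(entry).encode(),
        headers={"Content-Type": "application/json"},
        method="PUT",  # RouterOS REST uses PUT to create a record
    )


if __name__ == "__main__":
    # Constructed sample: a successful login arriving from a public address.
    req = build_allow_request("8.8.8.8", "alice")
    print(req.get_method(), req.full_url, req.data.decode())
```

Sending the request additionally needs API credentials for a restricted RouterOS user and certificate verification of the router, which are left to the caller.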
 
eworm
Member
Posts: 425
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: How to reverse captive portal (aka juniper web auth)

Mon Dec 02, 2019 8:07 pm

No need for API... If you have to modify the configuration use "on-login" script in "/ip hotspot user profile".
https://wiki.mikrotik.com/wiki/Manual:I ... er_Profile
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: How to reverse captive portal (aka juniper web auth)

Mon Dec 02, 2019 8:12 pm

> No need for API... If you have to modify the configuration use "on-login" script in "/ip hotspot user profile".
> https://wiki.mikrotik.com/wiki/Manual:I ... er_Profile

I never said anything about hotspot... I would not implement it with the use of hotspot...
 
eworm
Member
Posts: 425
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: How to reverse captive portal (aka juniper web auth)

Mon Dec 02, 2019 8:31 pm

Ah, using an external captive portal... Yes, possible as well.
Still if you want to go Mikrotik-only - hotspot with on-login script would be a possibility.
 
twistmachine
just joined
Topic Author
Posts: 2
Joined: Mon Dec 02, 2019 5:15 pm

Re: How to reverse captive portal (aka juniper web auth)

Tue Dec 03, 2019 2:41 pm

Hi all,

Well, in fact I did it with hotspot!
The solution was:
- Set up hotspot features
- Add my headquarters IP to walled-garden IP (to not be disconnected with other features' deployment)
- Create a hotspot: hotspot1 on WAN interface without address pool (or router will try to DHCP the end user)
- Create a server profile with some DNS walled.com for the PoC, then HTTP PAP only (I know this is not secure but it's for the PoC)
- Create a user admin linked to hotspot1
- Create a user profile without MAC Cookie and without Transparent proxy
- Create new rules for the ports you want to allow through the web interface, as hotspot only allows 25 by default, so for example for RDP I allowed 3389
- NAT the RDP port as usual

And well done, you created a web gateway with web auth

It's a simple PoC; next step will be to connect to Active Directory with RADIUS and to push some HTML to make it more sexy!

Thanks to all
