Community discussions

MikroTik App
 
netboyzin
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Mar 21, 2013 3:42 pm

IP Authentication in Mikrotik Hotspot

Wed Mar 04, 2015 4:56 pm

Hi All

I wish to achieve exactly same thing what is done by MAC Authentication in Mikrotik Hotspots ( client is authenticated without asking for login credentials in Captive Portal ) but for my case it is IP not MAC, since we do not get MAC of subscribers in Hotspot due to presence of L3 Switch beneath the Hotspot.

Is it possible in Mikrotik Hotspots to authenticate the subscribers automatically by IP address of subscribers ? In Cisco ISG we can do it by creating a database of IP Address in the ISG itself, so that when a subscriber session comes for authentication it first checks in TAL database, if it gets the IP address in the database it allows the customer to log in otherwise it redirects towards the Captive Portal for manual login.

Any help is most welcome.

Thanks in advance.

Abhishek
 
netboyzin
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Mar 21, 2013 3:42 pm

Re: IP Authentication in Mikrotik Hotspot

Fri Mar 06, 2015 7:51 am

Any type of scripts can help ?

Abhishek
 
netboyzin
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Mar 21, 2013 3:42 pm

Re: IP Authentication in Mikrotik Hotspot

Tue Apr 07, 2015 11:35 am

Hi All

There should be some way to account for IP Authentication , where users are not required to supply their credentials manually to log in.

If it is not possible in present Firmware- can it be done in future releases ?


Abhishek
 
TomosRider
Member Candidate
Member Candidate
Posts: 209
Joined: Thu Nov 20, 2014 1:51 pm

Re: IP Authentication in Mikrotik Hotspot

Tue Apr 07, 2015 12:27 pm

Hello.
From which i understand, you search for a way users can skip the login process in hotspot? If thats the case, you can achieve this using ip binding feature.
 
netboyzin
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Mar 21, 2013 3:42 pm

Re: IP Authentication in Mikrotik Hotspot

Tue Apr 07, 2015 4:16 pm

Hi
First of all thanks for the reply.
I am not going to bypass the login process- that is done via IP Binding feature, that's OK.

When a subscriber tries to open a Website he is presented with a captive portal via which he logs in and Surfs the Internet. Now if I want , that Subscriber just not want to see the Captive Portal , once he tries to open the Internet the authentication is done automatically and customer surfs the Internet. Now in Mikrotik , this authentication can be done via Mac Authentication, in this case the Customer is authenticated automatically via his MAC Address and is not presented to the Captive Portal screen every time he tries to surf the Internet.
Now , in my case, I did not have each subscriber MAC Address so that I can use MAC Authentication feature of Mikrotik. I do have the IP Address of each subscriber by which I have achieve same goal like MAC Authentication - is it possible in Mikrotik ?

Any reply is most welcome.

Abhishek
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IP Authentication in Mikrotik Hotspot

Tue Apr 07, 2015 4:54 pm

If you go into ip > hotspot > ip bindings, you can create permanent bindings.
Address = the real address of the device.
To Address = same as address
Type = bypass

This will permanently allow a user - but it won't do AAA accounting anymore. Basically, if a host has that IP address, then it can go online always.

IP-based authentication is pretty weak though. Have you tried cookies?
 
netboyzin
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Mar 21, 2013 3:42 pm

Re: IP Authentication in Mikrotik Hotspot

Wed Apr 08, 2015 11:47 am

Hi
Thanks for your reply.

Bypassing an IP via IP Binding feature bypasses all authentication and accounting process. You are right.

I didn't tried Cookies feature, can you elaborate this one ? Can it do AAA features along with eliminating requirement of Captive Portal to login manually every time ?

Abhishek
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IP Authentication in Mikrotik Hotspot

Wed Apr 08, 2015 3:48 pm

Hi

I didn't tried Cookies feature, can you elaborate this one ? Can it do AAA features along with eliminating requirement of Captive Portal to login manually every time ?
Yes, if you enable http cookies as a login method, then when a browser hits the login page, it will see the cookie and process the authentication automatically. If your after-login page can successfully send the browser onward to the page it was originally requesting (no thank you page / welcome page / etc) then the process will be transparent for a browser.

Of course, it won't be so transparent for users who are using other applications than the web, so do keep that in mind.

Personally - I'm not a fan of hotspots. I find them to be an annoying headache for both the user and for me as the administrator.
 
netboyzin
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Mar 21, 2013 3:42 pm

Re: IP Authentication in Mikrotik Hotspot

Wed Apr 08, 2015 4:44 pm

As long as I could understand , enabling http cookie method will be applicable to all users who are using that hotspot . Is there any way by which I can selectively enable http-cookie authentication specifically for some users ?

For example in MAC Address Authentication , I can selectively enable the feature for some users by creating the User-Name by MAC Address in AAA.

Abhishek
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IP Authentication in Mikrotik Hotspot

Wed Apr 08, 2015 4:56 pm

Well, a user only has a cookie if they've successfully logged in before, and if the account is expired, then the cookie won't let them in anyway - it's just a shortcut to skip the manual login screen.

I don't think there's any way to only allow cookie login for some users but not others.
 
User avatar
boen_robot
Forum Guru
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: IP Authentication in Mikrotik Hotspot

Wed Apr 08, 2015 7:03 pm

There are MAC cookies, which do pretty much the same thing, but are bound to the MAC address (and log in the user that last logged in from that MAC addres), as opposed to normal cookies, which are bound to the username (and would work even if the user has changed their MAC address in the mean time).

MAC cookies can be selectively enabled or disabled per user profile.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IP Authentication in Mikrotik Hotspot

Wed Apr 08, 2015 7:16 pm

Do MAC cookies work if the clients are behind a non-nat router / wifi client pseudobridge? (anything which makes it impossible to get the real MAC address of the user)
 
netboyzin
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Mar 21, 2013 3:42 pm

Re: IP Authentication in Mikrotik Hotspot

Thu Apr 09, 2015 1:46 pm

Hi Zerobyte

Your point is right - my subscribers are behind a Layer 3 switch , so in hotspot we are unable to get actual MAC Address of the customers, in hotspot we can only see the MAC address of the Layer 3 Switch . We can only see the IP Address of the subscribers, so anything that is to be done should be based on IP Address not MAC.

In cisco ISG , we create a list of IP address of TAL Subscribers , before Session-Start , the IP Address List is Checked , if the requesting IP falls in that List he bypasses the L4 Redirection Process otherwise he is redirected towards captive portal.

Abhishek
 
loveman
Member
Member
Posts: 348
Joined: Tue Mar 10, 2015 9:32 pm

Re: IP Authentication in Mikrotik Hotspot

Fri Apr 10, 2015 12:22 am

I know , you can working in method that can active bypass , that is done via IP Binding feature ,,

bypass should need mac address ,, and your method you need in (bypass ip not mac ) ,,
my idea only on bypass (mac)
thanks
 
netboyzin
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 74
Joined: Thu Mar 21, 2013 3:42 pm

Re: IP Authentication in Mikrotik Hotspot

Mon Apr 13, 2015 9:19 am

How can I achieve billing if I bypass IP in IP Binding feature ?

Abhishek
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: IP Authentication in Mikrotik Hotspot

Mon Apr 13, 2015 6:02 pm

How can I achieve billing if I bypass IP in IP Binding feature ?

Abhishek
Bypass binding will do exactly that - bypass the hotspot, so it will not be billed.

You have come to the following set of choices:
Give up on IP-based authorization:
- allow cookies for login (should work well for most users and only requires that they open a browser window - no more typing)
- make the network flat at layer 2 and use MAC address authentication
Insist on IP-based authorization:
- use another solution besides Mikrotik.

My personal tip -

IP authentication is very weak. There's nothing to stop anyone from statically configuring whatever IP address they want, so all they have to do is change their IP to something else and steal someone's access when the other user is away.

Don't forget this: Your actual goal is not to enable IP authentication.
Your actual goal is to give the users a more seamless experience and not need to type their password into a web page every 15 minutes they're away from their computer. I suggest using port-based-security to authenticate the user at the switch port based on MAC address, / EAP for profile-based wifi login. Or use PPPoE or some other lower-layer authentication. Basically, if you make the network know who the user is the moment they connect to it, then you're going to be much happier.

Who is online

Users browsing this forum: Ahrefs [Bot], Google [Bot] and 56 guests