HotSpot Page Editing

Adam McLaughlin · Wed Nov 14, 2007 1:34 am

Hi Everyone,

What files specifically need to be edited on the MikroTik RouterOS directories to change the default log in page?

I.E. We MAC authenticate all of our clients, but to those whom are unknown to our system, we want to show them our web page.. So, I made an auto -redirect page to display, and then shuttle them over to the main web site, but I am not sure how to implement this into our Access Points.

Can someone guide me?

Adam

csickles · Wed Nov 14, 2007 2:56 am

I cant help build the page, but..

Once a hotspot is created (server configured) the HTML page will show up under the file system under the hotspot dirrectory.

Simply download the page, make the changes you want and copy it back to the hotspot dirrectory.

NOTE !!!

Backup yuor HTML. there is a "reset HTML" function that will reset the html to factory and overwrite any changes, so I you admin accidently preeses the button, you want a copy of your work....

Adam McLaughlin · Wed Nov 14, 2007 3:05 am

So that Reset HTML button will be helpful should I make a mistake... Thanks.

Do you remember specifically what the exact HTML page is that is created for the HotSpot log in?

I keep trying this, but I keep getting Error 404 on all of my attempts.

Thanks,

Adam

CarulloS · Wed Nov 14, 2007 3:11 pm

This isn't exactly what you asked for, but it may be what you wanted any way...

You can have MT use an external web page (one on your web server) and validate the user yourself externally then once validated pass back to MT for continued service. In this manner you can customize everything the user sees.

Here is an example:

http://www.brevardwireless.com/hotspot/login.aspx

Scott

Adam McLaughlin · Wed Nov 14, 2007 5:01 pm

Dear Scott,

Can you elaborate on the mechanics of this?

I.E. How do I instruct the MikroTik A.P. to use this external page, or any specific page for that matter, to show to the clients?

I have a feeling that whatever it is, it's very simple and I am over looking it easily.

Adam

CarulloS · Wed Nov 14, 2007 5:47 pm

I modify two files from the MT hotspot files source on the router:

login.html (mofified the redirect page and some of the paramaters)
===============
<html>
<title>...</title>
<body>
<form name="redirect" action="https://www.brevardwireless.com/hotspot/login.aspx" method="post">
<input type="hidden" name="mac" value="$(mac)">
<input type="hidden" name="ip" value="$(ip)">
<input type="hidden" name="user" value="$(username)">
<input type="hidden" name="link-login" value="$(link-login)">
<input type="hidden" name="link-orig" value="$(link-orig)">
<input type="hidden" name="error" value="$(error)">
<input type="hidden" name="hostname" value="$(hostname)">
<input type="hidden" name="identity" value="$(identity)">
</form>
<script language="JavaScript">
<!--
	document.redirect.submit();
//-->
</script>
</body>
</html>
==================

status.html (I think I just modified the Title bar for the browser in this file)
====================
<html>
<head>
<title>Brevard Wireless Hotspot > Status</title>
$(if refresh-timeout)
<meta http-equiv="refresh" content="$(refresh-timeout-secs)">
$(endif)
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
<style type="text/css">
<!--
textarea,input,select {
	background-color: #FDFBFB;
	border: 1px #BBBBBB solid;
	padding: 2px;
	margin: 1px;
	font-size: 14px;
	color: #808080;
}

.tabula{
 
border-width: 1px; 
border-collapse: collapse; 
border-color: #c1c1c1; 
background-color: transparent;
font-family: verdana;
font-size: 11px;
}

body{ color: #737373; font-size: 12px; font-family: verdana; }

a, a:link, a:visited, a:active { color: #AAAAAA; text-decoration: none; font-size: 12px; }
a:hover { border-bottom: 1px dotted #c1c1c1; color: #AAAAAA; }
img {border: none;}
td { font-size: 12px; padding: 4px;}

-->
</style>
<script language="JavaScript">
<!--
$(if advert-pending == 'yes')
    var popup = '';
    function focusAdvert() {
	if (window.focus) popup.focus();
    }
    function openAdvert() {
	popup = open('$(link-advert)', 'hotspot_advert', '');
	setTimeout("focusAdvert()", 1000);
    }
$(endif)
    function openLogout() {
	if (window.name != 'hotspot_status') return true;
        open('$(link-logout)', 'hotspot_logout', 'toolbar=0,location=0,directories=0,status=0,menubars=0,resizable=1,width=280,height=250');
	window.close();
	return false;
    }
//-->
</script>
</head>
<body bottommargin="0" topmargin="0" leftmargin="0" rightmargin="0"
$(if advert-pending == 'yes')
	onLoad="openAdvert()"
$(endif)
>
<table width="100%" height="100%">

<tr>
<td align="center" valign="middle">
<form action="$(link-logout)" name="logout" onSubmit="return openLogout()">
<table border="1" class="tabula">
$(if login-by == 'trial')
	<br><div style="text-align: center;">Welcome trial user!</div><br>
$(elif login-by != 'mac')
	<br><div style="text-align: center;">Welcome $(username)!</div><br>
$(endif)
	<tr><td align="right">IP address:</td><td>$(ip)</td></tr>
	<tr><td align="right">bytes up/down:</td><td>$(bytes-in-nice) / $(bytes-out-nice)</td></tr>
$(if session-time-left)
	<tr><td align="right">connected / left:</td><td>$(uptime) / $(session-time-left)</td></tr>
$(else)
	<tr><td align="right">connected:</td><td>$(uptime)</td></tr>
$(endif)
$(if blocked == 'yes')
	<tr><td align="right">status:</td><td><div style="color: #FF8080">
<a href="$(link-advert)" target="hotspot_advert">advertisement</a> required</div></td>
$(elif refresh-timeout)
	<tr><td align="right">status refresh:</td><td>$(refresh-timeout)</td>
$(endif)

</table>
$(if login-by-mac != 'yes')
<br>
<input type="submit" value="log off">
$(endif)
</form>
</td>
</table>
</body>
</html>
====================

There is quite a bit that goes on with the code behind my web pages though... Much more than I can just show. To summarize - the web page takes username and password and validates it against a SQL database and returns to MT whether valid or not. If they need a new account I take their credit card info - charge their account and if successful I create new account in sql database and return to MT hotspot. MT can validate against RADIUS server which uses the same SQL database as my code. I purchased clearbox radius server for this purpose.

Quite complex to figure out - I'll give you that. But once you do you almost forget what you did because its something you only have to do once. Then you just setup DNS entries for each HS and I add the new HS IP to my code (case statement) that sends me (and accounting) an email everytime someone signs up or renews service. It sure is nice to have an inbox full of money being deposited into your bank each day

Scott

Adam McLaughlin · Wed Nov 14, 2007 5:55 pm

Scott,

Thank you for the example!! THe script here is exactly what I was looking for; it ought to be a great "getting started" suggestion.

All I am really interested in doing is to show people our company web page; that's all.

My application should be much simpler than what you've done, but your example is a great "jumping off point" for my next group of experiments.

Adam

CarulloS · Wed Nov 14, 2007 6:13 pm

No problem, I got help when I set mine up running so its only right to *give back*

This forum has been priceless for me...

Scott

Adam McLaughlin · Wed Nov 14, 2007 6:21 pm

Hey Scott,

Well, thanks again. I will do some experimenting on Thursday when I get back to the shop with your suggestions - this is what I was looking for.

Some of the info on the forum has been very valuable, I will agree.

On the other hand, I think that perhaps for the size of our user base, that there should be more traffic here, but maybe everyone is an expert already, whom knows...

Adam

eneimi · Wed Nov 14, 2007 10:57 pm

Dear Scott,

Can you elaborate on the mechanics of this?

I.E. How do I instruct the MikroTik A.P. to use this external page, or any specific page for that matter, to show to the clients?

I have a feeling that whatever it is, it's very simple and I am over looking it easily.

Adam

I assume you have the hotspot all setup.
Through winbox, go to ip/hotspot/servers/profiles (i assume you have setup profiles already for the clients). Double click on any of the profiles that you want to assign the login page for. Go to the section that says HTML Directory and select the 'hotspot' folder.
Use an ftp client to access the router and download its files.
Backup and then modify the 'login.html' file located in the 'hotspot' folder to your taste (any html editor will do) and then upload it back to the router overwriting whatever is already there (make sure you have backed up first!).
Presto.

davidw · Tue Dec 11, 2007 5:02 am

This isn't exactly what you asked for, but it may be what you wanted any way...

You can have MT use an external web page (one on your web server) and validate the user yourself externally then once validated pass back to MT for continued service. In this manner you can customize everything the user sees.

Here is an example:

http://www.brevardwireless.com/hotspot/login.aspx

Scott

Hi Scott,
I understand the part about redirecting the user to the login.aspx page and validating the user...but how do you tell the Mikrotik that the user is ok ?

Also I have a question for you generally about .dot net and your signup page. Sometime ago I rewrote our entire signup page in plain old asp because the dot net version was giving us problems. Specifically when the customer would click on the buy now button it would hang and eventually come up and say page could not be displayed.
Didn't happen all the time but enought to lose revenue.

Ever experienced something like that ?
David

CarulloS · Tue Dec 11, 2007 5:21 am

No, sure haven't. It's worked really well. Only problem I need to still fix is when someone gets to the credit card info page then they wait till the next day to complete the form. Session is expiring and I'm not handling it correctly because I never thought about that happening... When I have some free time

Here is the logic I use to determine if they are good and react accordingly...

    If oHotspot.ValidateLogin(txtUsername.Text.Trim, txtPassword.Text.Trim) Then
	Response.Redirect("http://" & Session("HOSTNAME") & "/login.html?Username=" & HttpUtility.UrlEncode(txtUsername.Text.Trim) & "&Password=" & HttpUtility.UrlEncode(txtPassword.Text.Trim) & "&dst=" & HttpUtility.UrlEncode(Session("LINK_ORIG")))
	'lblDebugInfo.Visible = True
	'lblDebugInfo.Text = "http://***" & Session("HOSTNAME") & "###/login.html?Username=***" & txtUsername.Text.Trim & "###&Password=***" & txtPassword.Text.Trim & "###&dst=***" & Session("LINK_ORIG") & "###"
    Else
	'One of three options now exist:  They have an expired account // the username doesn't exist // the password is bad
	'Now check to see if this is a valid user whos paid time has expired (offer them a chance to add more time to account)
	If oHotspot.IsAccountExpired(txtUsername.Text.Trim, txtPassword.Text.Trim) Then
	    Response.Redirect("AccountExpired.aspx?Username=" & HttpUtility.UrlEncode(txtUsername.Text.Trim.ToString) & "&Password=" & HttpUtility.UrlEncode(txtPassword.Text.Trim.ToString))
	End If
	'I guess it is safe to assume now that the username or password is incorrect - tell them about their problem
	lblError.Text = "ERROR : Invalid Username or Password!"
	lblError.Visible = True
    End If

Scott

davidw · Tue Dec 11, 2007 5:53 am

No, sure haven't. It's worked really well. Only problem I need to still fix is when someone gets to the credit card info page then they wait till the next day to complete the form. Session is expiring and I'm not handling it correctly because I never thought about that happening... When I have some free time

Here is the logic I use to determine if they are good and react accordingly...

    If oHotspot.ValidateLogin(txtUsername.Text.Trim, txtPassword.Text.Trim) Then
	Response.Redirect("http://" & Session("HOSTNAME") & "/login.html?Username=" & HttpUtility.UrlEncode(txtUsername.Text.Trim) & "&Password=" & HttpUtility.UrlEncode(txtPassword.Text.Trim) & "&dst=" & HttpUtility.UrlEncode(Session("LINK_ORIG")))
	'lblDebugInfo.Visible = True
	'lblDebugInfo.Text = "http://***" & Session("HOSTNAME") & "###/login.html?Username=***" & txtUsername.Text.Trim & "###&Password=***" & txtPassword.Text.Trim & "###&dst=***" & Session("LINK_ORIG") & "###"
    Else
	'One of three options now exist:  They have an expired account // the username doesn't exist // the password is bad
	'Now check to see if this is a valid user whos paid time has expired (offer them a chance to add more time to account)
	If oHotspot.IsAccountExpired(txtUsername.Text.Trim, txtPassword.Text.Trim) Then
	    Response.Redirect("AccountExpired.aspx?Username=" & HttpUtility.UrlEncode(txtUsername.Text.Trim.ToString) & "&Password=" & HttpUtility.UrlEncode(txtPassword.Text.Trim.ToString))
	End If
	'I guess it is safe to assume now that the username or password is incorrect - tell them about their problem
	lblError.Text = "ERROR : Invalid Username or Password!"
	lblError.Visible = True
    End If

Scott

Response.Redirect("http://" & Session("HOSTNAME") & "/login.html?Username=" & HttpUtility.UrlEncode(txtUsername.Text.Trim) & "&Password=" & HttpUtility.UrlEncode(txtPassword.Text.Trim) & "&dst=" & HttpUtility.UrlEncode(Session("LINK_ORIG")))

Does this line send the password in an unencrypted format ?

CarulloS · Tue Dec 11, 2007 6:12 am

Yep - sends it back to the MT hotspot so unless you have a sniffer monitoring a port on my switched network you will never see it. Furthermore, if you were able to do that you wouldn't waste your time like this because the wireless side is easier to pick off usernames, mac addresses etc. The way I see it it's a mute point.

Scott

davidw · Tue Dec 11, 2007 12:00 pm

Yep - sends it back to the MT hotspot so unless you have a sniffer monitoring a port on my switched network you will never see it. Furthermore, if you were able to do that you wouldn't waste your time like this because the wireless side is easier to pick off usernames, mac addresses etc. The way I see it it's a mute point.

Scott

Scott, are you sure about this ? As I understand it the mikrotik redirects the customer to your login.aspx page. At this stage the connection is between your web server and your wireless connection all via SSL which is fine. However its the part where it redirects to the login page on the mikrotik that concerns me.

The customers web browser would be redirected to http://hostname/login&username=<usernam ... =<password>

Given this information is not sent via ssl it would be clear for anyone to sniff over wireless.

Have you sniffed your network to test ?

Can anyone else confirm my concerns ?

CarulloS · Tue Dec 11, 2007 4:48 pm

Hello, two quick answers...

First of all, even if the guy could see it in his browser (have you tried it

he already knows what it is because he just typed it.

Second, if someone else wanted to sniff the wireless network he can and would get the info any way having the correct tools and experience to use them. On an unencrypted open public network this is just something you have to live with.

To summarize - we are very pleased with the solution we have built and implemented. It works for us. I am sharing info with this thread because I can - I gain lots of info from all the other people so its good to give back when possible, everybody wins. If what I do doesn't work for you or you want to test further to see how safe you deem it then go for it. Everything takes lots of time - that is our enemy

Its not worth my time to sniff anything to try and save $5... or $50 for that matter. Have better things to do...

Scott

davidw · Wed Dec 12, 2007 3:08 am

Hello, two quick answers...

First of all, even if the guy could see it in his browser (have you tried it he already knows what it is because he just typed it.

Second, if someone else wanted to sniff the wireless network he can and would get the info any way having the correct tools and experience to use them. On an unencrypted open public network this is just something you have to live with.

To summarize - we are very pleased with the solution we have built and implemented. It works for us. I am sharing info with this thread because I can - I gain lots of info from all the other people so its good to give back when possible, everybody wins. If what I do doesn't work for you or you want to test further to see how safe you deem it then go for it. Everything takes lots of time - that is our enemy Its not worth my time to sniff anything to try and save $5... or $50 for that matter. Have better things to do...

Scott

Hi Scott,

Don't get me wrong I am very grateful for this information.
At one stage we were using a different system to Mikrotik and the username and passwords were being sent via wireless in clear text - ie not SSL
At this stage we thought...well what are the chances of someone doing that...very slim to none.

Until one day we had serveral users ringing up saying..."hey it says I am logged in and I am defintely not."

and

"all my data has gone and I most defintely did not download that much and it says that someone with a mac address XX:XX:XX which is not mine has downloaded it.

At that point we were a little concerned and found out that there were 2 people sniffing our network for usernames and passwords.

After moving to the mikrotik system and using there default login page...in particular this line of code

document.sendin.password.value = hexMD5('$(chap-id)' + document.login.password.value + '$(chap-challenge)');

alot of our problems went away.

Only down side with this is that if you want to make any changes, you have to make it to all sites. Can be very time consuming especially if you have over 100 sites.
Scripting with FTP can help ease this process though.

Good to talk to someone experiencing the same issues as me

Cheers

CarulloS · Wed Dec 12, 2007 3:44 am

Just to make sure you know, since you made the 100 sites comment -- I only edit the web server pages, every MT load has the same exact pages. I actually drag and dorp the two files (login & status) from a running MT to a new one and thats all I do to the pages, the code is identical because it uses a variable to send and receive the hostname from the hotspot.

Again - there is one set of pages both on the server and all 100 hotspots - they are all identical - not unique.

Scott

davidw · Wed Dec 12, 2007 8:06 am

Just to make sure you know, since you made the 100 sites comment -- I only edit the web server pages, every MT load has the same exact pages. I actually drag and dorp the two files (login & status) from a running MT to a new one and thats all I do to the pages, the code is identical because it uses a variable to send and receive the hostname from the hotspot.

Again - there is one set of pages both on the server and all 100 hotspots - they are all identical - not unique.

Scott

Yep totally understand.

HotSpot Page Editing

HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Re: HotSpot Page Editing

Who is online