Mikrotik
CONFIGURATION GUIDE
This guide describes the configuration required on MikroTik equipment to integrate it with the Octopus Platform.
1- Pre-requisites
If a firewall in the network could block the traffic, the following destinations must be reachable from the MikroTik for user authentication to work:
Radius Servers (contacted by the MikroTik itself, so the rules apply to the router's own outbound traffic):
Primary: <IP_Radius_1>, UDP ports 1812 (authentication) and 1813 (accounting)
Secondary: <IP_Radius_2>, UDP ports 1812 (authentication) and 1813 (accounting)
Splash Portal server (contacted by the clients' browsers before login):
Domain <captive_portal_domain>, TCP ports 80 and 443
To use the Guest and Enterprise module configurations, the Octopus platform licenses for the respective modules must have been contracted beforehand.
2- Guest module configuration
2.1 Radius Servers
The first step is to register the RADIUS servers: open a Terminal session and enter the following script, replacing the placeholders with the data provided by the provider. The shared secret is stored in clear text in the router configuration and appears in configuration exports, so restrict who can read or export the configuration and use a different secret per site where possible.
/radius
add address=<IP_Radius_1> comment="RADIUS 1" secret=<Secret> service=hotspot timeout=5s
add address=<IP_Radius_2> comment="RADIUS 2" secret=<Secret> service=hotspot timeout=5s
2.2 Load login pages
Access the device configuration with Winbox and, in the Files menu, upload the login pages provided by the provider.
If the device does not have a "flash" folder preloaded, upload the login pages directly to the root of Files.
If the device has the "flash" folder pre-installed (the case on newer devices), upload the login pages into the flash folder.
2.3 Hotspot Configuration
It must be clear beforehand on which interface the Hotspot is created, since the captive portal will be bound to it. It can be a VLAN, an Ethernet interface, a wireless interface, a bridge, etc.
It is assumed that the network addressing of that interface and generic DNS servers have already been configured on the MikroTik.
The easiest way to create the Hotspot is with the wizard in Winbox: go to IP > Hotspot and, on the Servers tab, click Hotspot Setup.
The steps of the wizard are:
1- Hotspot Interface: select the interface the hotspot will be bound to.
2- Local Address of Network: the local network where the hotspot applies. It is filled automatically from the address configured on the selected interface.
Tick the "Masquerade Network" option.
3- Address Pool of Network: the range of IP addresses handed out to clients. It is filled automatically with the addresses available in the configured network; change it if you want a smaller pool.
4- Select Certificate: none (HTTPS login is configured later, in section 2.5).
5- IP Address of SMTP Server: leave as default.
6- DNS Servers: the DNS servers handed to clients. It is advisable to configure the network's own gateway (the MikroTik itself).
7- DNS Name: the name associated with the hotspot address, i.e. the name clients are redirected to for login.
8- Local Hotspot User: leave as default; this user will be deleted later.
Once the wizard finishes, some changes are needed on the Hotspot.
1- Changes in the Hotspot Server. In Winbox, IP > Hotspot > Servers tab, double-click the hotspot created in the previous step.
Name: set it in the format MAC:SSID, where MAC is the address of Ethernet 1 (Interfaces > Interface tab > ether1 > MAC Address) of the device and SSID is the name of the WiFi network the APs will broadcast. For example: aa-bb-cc-dd-ee-ff:WifiGuest
The SSID part does not strictly have to be the network's SSID, but it must be a tag that identifies the network and matches the Server Name tag field configured on the platform.
Addresses Per MAC: set a high value, since the real limit is enforced by the RADIUS servers.
2- Server Profile changes. The Hotspot Setup wizard created a new profile; edit it to make the following changes.
General tab > HTML Directory: select the root directory of the login pages uploaded in section 2.2.
Login tab > Login By: select HTTP PAP. Note that with HTTP PAP the browser submits the credentials in clear text over HTTP; enable the HTTPS option described in section 2.5 before putting the portal into production.
RADIUS tab:
Tick Use RADIUS.
Tick Accounting.
Interim Update: 00:10:00
3- User changes.
Users tab: delete the user created by the Hotspot Setup process (by default "admin"), so that only users validated by RADIUS can log in.
4- User Profile changes.
User Profiles tab: double-click the default profile and check the following parameters:
Idle Timeout: time of inactivity before the user is disconnected. About 15 minutes is recommended: 00:15:00
Keepalive Timeout: how long the client may remain unreachable (not answering the hotspot's keepalive checks) before the session is closed. About 5 minutes is recommended: 00:05:00
Shared Users: set a very high value, as the limit is controlled by the RADIUS server.
Rate Limit (rx/tx): leave blank, as it is controlled by the platform/RADIUS.
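The whole of section 2.3 (the wizard plus the server, profile, user and user-profile changes) expressed as the equivalent terminal commands. This is an added example and not part of the vendor guide or of the Octopus platform's own material: the interface name bridge-guest, the 10.20.0.0/24 network, the hotspot HTML directory, the profile and pool names and the DNS name login.example.net are assumed values to be replaced with the site's own.

```routeros
# Added example: CLI equivalent of the Hotspot Setup wizard and of the manual
# changes from section 2.3. Interface, addressing and names are assumed.
/ip address add address=10.20.0.1/24 interface=bridge-guest comment="Guest network (assumed)"
/ip pool add name=hs-pool-guest ranges=10.20.0.10-10.20.0.254
/ip dhcp-server add name=dhcp-guest interface=bridge-guest address-pool=hs-pool-guest disabled=no
/ip dhcp-server network add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1
# "Masquerade Network" in the wizard is this NAT rule
/ip firewall nat add chain=srcnat src-address=10.20.0.0/24 action=masquerade comment="hotspot guest"
# The gateway only answers client DNS queries if remote requests are allowed;
# keep UDP/TCP 53 filtered from the WAN side in the input chain.
/ip dns set allow-remote-requests=yes
# Server profile: directory of the uploaded pages, HTTP PAP login, RADIUS
# authentication and accounting with 10-minute interim updates.
/ip hotspot profile add name=hsprof-guest hotspot-address=10.20.0.1 dns-name=login.example.net \
    html-directory=hotspot login-by=http-pap use-radius=yes radius-accounting=yes \
    radius-interim-update=10m
# Server named MAC:SSID; the per-MAC address limit is left to the RADIUS servers
/ip hotspot add name="aa-bb-cc-dd-ee-ff:WifiGuest" interface=bridge-guest \
    address-pool=hs-pool-guest profile=hsprof-guest addresses-per-mac=unlimited disabled=no
# Default user profile: recommended timeouts; shared users and rate limit are
# left to the RADIUS reply
/ip hotspot user profile set [find name="default"] idle-timeout=15m keepalive-timeout=5m \
    shared-users=unlimited rate-limit=""
# Remove the local user the wizard created so only RADIUS-validated users can log in
/ip hotspot user remove [find name="admin"]
# Check: the server must show the profile and pool, and no local users may remain
/ip hotspot print detail
/ip hotspot user print
```

The backslash at the end of a line is the RouterOS console's line continuation; the commands can be pasted into New Terminal as shown. Paste them after the /radius entries from section 2.1, since the profile references RADIUS at login time.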
2.4 Walled Garden
It would be necessary to configure a series of domains with free access from the Hotspot network for the captive portal to function correctly.
To do this it will be necessary to add some domains in the section IP > Hostpot > Walled Garden
/ip hotspot walled-garden
add dst-host=<domain-name>
and those marked with IPList in the listing in IP > Hotspot > Walled Garden IP List:
/ip hotspot walled-garden ip
add action=accept dst-host=<domain-name>
If you want to allow extra domains (social networks, PayPal, etc.), they can be consulted at the following link.
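Walled-garden entries for the splash portal server from section 1, as an added example that is not part of the vendor guide. The hostname portal.example.net stands in for <captive_portal_domain> and is assumed; the point it illustrates is the difference between the two rule types, which the guide's two commands leave implicit.

```routeros
# Added example; portal.example.net is an assumed stand-in for <captive_portal_domain>.
# Host-based rule: matched by the hotspot's HTTP proxy on the Host header of
# plain HTTP requests, so it covers port 80 only.
/ip hotspot walled-garden add dst-host="portal.example.net" action=allow comment="splash portal HTTP"
# IP-level rule: TLS carries no Host header the proxy can read, so HTTPS (and any
# non-HTTP protocol) must be allowed here. dst-host is resolved by the router's
# DNS to the portal's current addresses.
/ip hotspot walled-garden ip add action=accept dst-host="portal.example.net" protocol=tcp \
    dst-port=443 comment="splash portal HTTPS"
# The RADIUS servers are contacted by the router itself, never by the client, so
# they need no walled-garden entry; only the firewall path from section 1.
# Check what is currently reachable before login:
/ip hotspot walled-garden print
/ip hotspot walled-garden ip print
```

Keep the IP-level list as short as possible: every entry is traffic that leaves the hotspot network without any authentication, and a broad wildcard there turns the portal into an open network for whatever it matches.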
2.5 Optional login configuration: HTTPS
For the login to be protected end to end (with HTTP PAP alone the credentials travel in clear text), a certificate must be uploaded to the device and associated with the hotspot login. To do this:
1- Access the device configuration with Winbox and, in the Files menu, upload the certificate files that will be associated with the secure login.
If the device does not have the "flash" folder, upload the certificates directly to the root of Files.
If the device has the "flash" folder pre-installed, place the files in a folder called "hotspot" inside it ("flash/hotspot"), next to the login pages.
2- Once the 3 files have been uploaded to the device, open New Terminal and execute the following commands one by one (when asked for a passphrase, press Enter if the key is not encrypted).
It is advisable to rename the imported certificate to something more identifying, for example the subdomain the certificate was issued for.
3- After running these commands, go to System > Certificates and check that the certificates were imported correctly and that the server certificate entry carries its private key. The entry must be named cert_securelogin.
4- In IP > Hotspot > Server Profiles tab, edit the profile created by the Hotspot wizard. On the General tab, set the DNS Name parameter to the subdomain associated with the certificate (<certificate-domain-name>). It must match the certificate's subject or subject alternative name, otherwise browsers will warn on the login page.
5- On Server Profile > Login:
Enable the HTTPS option in the Login By parameter.
Select the previously imported certificate in SSL Certificate.
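The import and binding steps of section 2.5 as terminal commands, added here as an example that is not part of the vendor guide. The file names cert.pem, key.pem and ca.pem, the imported entry name cert.pem_0, the profile name hsprof-guest and the DNS name login.example.net are assumptions; the certificate name cert_securelogin is the one the guide requires.

```routeros
# Added example; file, profile and host names are assumed.
# Import the three files. The key may prompt for a passphrase; an empty one
# is given here for an unencrypted key.
/certificate import file-name=cert.pem passphrase=""
/certificate import file-name=key.pem passphrase=""
/certificate import file-name=ca.pem passphrase=""
# Imported entries are named after the file (assumed here to be cert.pem_0);
# rename the server certificate to the name the guide expects.
/certificate set [find name="cert.pem_0"] name=cert_securelogin
# Check: the entry must list private-key=yes (flag K); without the key the
# TLS handshake on the login page fails.
/certificate print detail where name="cert_securelogin"
# Bind it to the hotspot profile. The DNS name has to match the certificate's
# subject/SAN; https is added next to the existing HTTP PAP method.
/ip hotspot profile set [find name="hsprof-guest"] dns-name=login.example.net \
    login-by=http-pap,https ssl-certificate=cert_securelogin
# Remove the uploaded key file once imported so it cannot be downloaded again
/file remove [find name="key.pem"]
```

HTTPS protects the browser-to-router leg only. The router-to-RADIUS leg still carries the PAP password under the RADIUS shared-secret obfuscation, which is integrity protection rather than encryption, so the path to the RADIUS servers listed in section 1 should itself be a trusted or tunnelled one.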
2.6 Authorized MAC Addresses
For user validation to work, the platform must know which NAS devices are allowed to send authentication requests to the RADIUS server. The MAC contained in the server name configured in IP > Hotspot > Servers must be added on the platform, and it must match the MAC address of Ethernet 1 of the unit:
Likewise, the SSID tag of that name must match the platform's Service Name Tag.
For how to add the MAC address of each AP as an authorized NAS on the platform, refer to the following link locations.
3- Enterprise module configuration
To integrate the configurations of this module with the platform, the Octopus Wifi Enterprise Module must be contracted.
3.1 Captive portal + MAC Authentication configuration
To enable MAC authentication, edit the Server Profile created earlier: in the Hotspot configuration go to the Server Profiles tab and open the profile created previously, then go to the Login tab and tick the MAC option in Login By.
Leave MAC Auth. Mode and MAC Auth. Password at their default values.
3.2 MAC Authentication configuration
To create an SSID dedicated exclusively to MAC Authentication, go to IP > Hotspot and, on the Servers tab, create a new Hotspot as described in section 2.3 but with the network data of the network dedicated to MAC Authentication.
Name: set it in the MAC:SSID format, where MAC is the Ethernet 1 address (Interfaces > Interface tab > ether1 > MAC Address) of the device and SSID is the name of the WiFi network the APs will broadcast. For example: aa-bb-cc-dd-ee-ff:Mac_Auth_Guest
Addresses Per MAC: set a high value, as the limit is enforced by the RADIUS servers.
Server Profile changes. The Hotspot Setup wizard creates a new profile; edit it to make the following changes.
Login tab > Login By: tick MAC and MAC Cookie, and leave the separate MAC Auth. Mode and MAC Auth. Password fields at their defaults.
RADIUS tab:
Tick Use RADIUS.
Tick Accounting.
Interim Update: 00:10:00
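The two Enterprise-module variants, 3.1 (MAC login added to the existing captive portal) and 3.2 (a separate MAC-authentication-only hotspot), as terminal commands. This is an added example and not part of the vendor guide; the profile name hsprof-guest, the interface bridge-macauth, the 10.30.0.0/24 network and the pool and profile names are assumed.

```routeros
# Added example; names and addressing are assumed.
# 3.1: add MAC login to the existing captive-portal profile so devices the
# platform already knows skip the splash page. Mode and password stay at defaults.
/ip hotspot profile set [find name="hsprof-guest"] login-by=http-pap,mac \
    mac-auth-mode=mac-as-username mac-auth-password=""
# 3.2: a separate hotspot for the MAC-auth-only SSID. Address, pool, DHCP server
# and masquerade rule for 10.30.0.0/24 on bridge-macauth are created the same
# way as for the guest network in section 2.3 and are not repeated here.
/ip hotspot profile add name=hsprof-macauth hotspot-address=10.30.0.1 login-by=mac,mac-cookie \
    mac-auth-mode=mac-as-username mac-auth-password="" use-radius=yes radius-accounting=yes \
    radius-interim-update=10m
/ip hotspot add name="aa-bb-cc-dd-ee-ff:Mac_Auth_Guest" interface=bridge-macauth \
    address-pool=hs-pool-macauth profile=hsprof-macauth addresses-per-mac=unlimited disabled=no
# Check: the MAC-auth server must not offer http-pap or https, or unknown
# devices would be able to reach a login form on it.
/ip hotspot profile print detail where name="hsprof-macauth"
```

A MAC address is trivially spoofed, so MAC authentication identifies a device, not a person. Keep the quotas and rate limits enforced through the RADIUS reply on this SSID as well, and do not grant it more network access than the captive-portal SSID.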
3.3 Configuration of Access Profiles
Through the Octopus platform it is possible to configure a set of reply attributes for the Access-Accept packets, grouped into a so-called Access Profile. These Access Profiles activate functionality on the MikroTik. Although the most common and the MikroTik proprietary RADIUS dictionaries are available, the following are some of the most useful attributes. The quota attributes are 32-bit values: quotas above 4 GiB must be split into Mikrotik-Recv-Limit-Gigawords / Mikrotik-Xmit-Limit-Gigawords for the upper 32 bits.

| Attribute | Description | Format |
|---|---|---|
| Idle-Timeout | Maximum idle time. If the user transfers no data on the network during this time, the session is terminated and the user has to re-authenticate. | Seconds |
| Acct-Interim-Interval | Interval at which the NAS sends interim accounting updates with the user's session counters. | Seconds |
| WISPr-Bandwidth-Max-Down | Downstream speed limit. | Bits per second |
| WISPr-Bandwidth-Max-Up | Upstream speed limit. | Bits per second |
| Mikrotik-Recv-Limit | Downstream traffic quota. | Bytes |
| Mikrotik-Xmit-Limit | Upstream traffic quota. | Bytes |
| Mikrotik-Group | Name of a previously created Role/User Profile on the MikroTik. | String |
| Reply-Message | Useful for troubleshooting, since it identifies associated elements of the Octopus platform such as the access profile, access method, location, ... | String |
Example of an Access Profile configuration with the attributes explained above (screenshot in the original guide).
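A way to confirm on the MikroTik that the attributes of an Access Profile are actually applied to a session, added here as an example that is not part of the vendor guide. It assumes a test device logging in through the hotspot while the commands are run; the comment text used to find the temporary logging rule is an arbitrary choice.

```routeros
# Added example: verify that RADIUS reply attributes reach the hotspot session.
# 1. Log the RADIUS exchange in memory while a test device logs in. The debug
#    topic is verbose and shows attribute values, so remove the rule afterwards.
/system logging add topics=radius,debug action=memory comment="radius debug (temporary)"
/log print where topics~"radius"
# 2. Per-session values derived from the reply: idle-timeout from Idle-Timeout,
#    limit-bytes-in/limit-bytes-out from the Mikrotik-Recv-Limit/Xmit-Limit quotas.
/ip hotspot active print detail
# 3. Speed limits (WISPr-Bandwidth-Max-* or Mikrotik-Rate-Limit) are applied as a
#    dynamic simple queue created per logged-in client.
/queue simple print where dynamic=yes
# 4. Interim updates only reach the platform if accounting is enabled on the
#    profile and the 1813/UDP path from section 1 is open.
/ip hotspot profile print detail
/radius print detail
# Clean up the temporary logging rule
/system logging remove [find comment="radius debug (temporary)"]
```

If a limit from the profile does not appear in the active session, check the Reply-Message in the logged Access-Accept first: it names the platform-side profile that answered, which tells you whether the wrong profile matched or the right one is missing the attribute.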