The following guide was created using a Mikrotik network with the following components:
- Router: Mikrotik RouterBoard 450G
- Firmware: 3.22
- RouterOS: v6.23
You need to have a Mikrotik RouterBoard with Internet access already configured.
You can reset your RouterBoard and connect the cable with Internet access to the Ethernet gateway port (ether1-gateway).
By default, the RouterBoard is configured for automatic address acquisition, so it gets its IP address and gateway from your Internet connection and also sets up a DHCP client.
This guide was created using the WebFig configuration interface, but you can apply the same settings using Winbox.
By default, the RouterBoard 450G comes with 5 ports and the following interfaces:
In this guide, we'll create a new interface (bridge-hotspot) and associate one of the slave interfaces with the bridge.
Go to Interfaces and edit one of the interfaces (e.g. ether4-slave-local). Change the following options:
- Name: ether4
- Master Port: none
Go to Bridge and click "Add New". Set the following options:
- Name: bridge-hotspot
Now you need to associate the Ethernet interface with the bridge.
Go to Bridge > Ports tab and click "Add New". Set the following options:
- Interface: ether4
- Bridge: bridge-hotspot
Go to Radius and click "Add New". Set the following options:
- Enabled: checked
- Service: Hotspot
- Address: the RADIUS server IP according to your environment/region
- Secret: the provided RADIUS client secret
- Authentication Port: 1812
- Accounting Port: 1813
Go to IP > Hotspot.
Mikrotik offers a wizard (Hotspot Setup) to create almost all resources related to the Hotspot.
Click "Hotspot Setup".
Choose "bridge-hotspot" as the "Hotspot Interface":
Set "Local Address of Network" to 10.5.50.1/24:
Keep the default value (10.5.50.2-10.5.50.254) for "Address Pool of Network":
Set "Select Certificate" to "none":
Set the "IP Address of SMTP Server" to "0.0.0.0":
Set the DNS servers:
- 18.104.22.168 (optional)
- 22.214.171.124 (optional)
Set the "DNS Name" to "social-id-hotspot-dns":
And create the default Hotspot user:
You can remove this user later.
Now you have your Hotspot resources created. You'll need to change some settings in the following steps.
Go to IP > Hotspot > User Profiles. Edit the default entry and change the following options:
- Session Timeout: 00:30:00
- Idle Timeout: clear this entry
- Shared Users: clear this entry
Go to IP > Hotspot > Server Profiles. Edit the hsprof1 entry and change the following options:
- Login By: check only "HTTP PAP" option
- Use RADIUS: checked
- MAC Format: XX:XX:XX:XX:XX:XX (default option)
- Accounting: checked (default option)
Go to IP > Hotspot > Servers. Edit the hs-bridge-hotspot and change the following options:
- Idle Timeout: set the desired timeout (e.g.: 00:05:00)
- Addresses Per MAC: 1
Allow Social-ID NOW platform URLs and social network URLs by configuring the Walled Garden.
Go to IP > Hotspot > Walled Garden. Create a Walled Garden entry for each Social Login domain you need to use.
For example, to add *.socialidnow.com, click "Add New" and set the following options:
- Dst. Host: *.socialidnow.com
At the end, you'll have something like this:
When you create a hotspot on Mikrotik, it automatically adds all the files and directories, creating an "internal" portal hosted on Mikrotik, so when a client connects to the network, it is redirected to this portal.
If you lose these files, you can recreate them by going to IP > Hotspot > Hotspot Server, clicking your server to edit it, and then clicking the "Reset HTML" button. The file structure is similar to this:
The Social-ID Wi-Fi portal is an external portal, in the cloud. So you need to redirect the internal login page to the external one hosted by Social-ID Platform.
You must replace your hotspot/login.html file with:
<html>
  <head>
    <title>Login</title>
    <meta http-equiv="refresh" content="0; url=http://wifi.socialidnow.com/portals/<portal-name>/auth?client_mac=$(mac)&client_ip=$(ip)&login_url=$(link-login-only)" />
    <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="expires" content="-1">
  </head>
  <body>
  </body>
</html>
Where <portal-name> must be replaced by your portal name.
To replace this file, you can use an FTP client to connect to the Mikrotik appliance.
Mikrotik offers products in the Wireless and Ethernet Routers categories, both running RouterOS.
If you have a Wireless appliance, you can just add the Wireless interface to the bridge, and your Wireless network will be ready to manage user authentication through the Hotspot server.
If you have an Ethernet Router, you can use it as a gateway to manage Hotspot services. Connect an AP from any vendor to the configured Hotspot Interface, so all clients connected to the AP will be required to authenticate through the Mikrotik Hotspot Server. To create this guide, we set up a Cisco Aironet AP with open authentication and connected it to the Mikrotik's ether4 port, which is a slave of the hotspot bridge.
Don't forget to follow some simple security guidelines:
- Set a strong password for any admin user.
- Review firewall rules (IP > Firewall).
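
As an added example (not part of the original guide, nor Social-ID or Mikrotik tooling), the Python script below checks the text output of RouterOS `/export` against the values this guide sets and reports any local hotspot user left over from the setup wizard. The sample export, the user name `testuser`, and the RADIUS address and secret are constructed, and the parser assumes an export laid out as a section path line followed by `add`/`set` lines of `key=value` pairs.

```python
import re
import shlex

# Constructed sample of `/export` output (not from a real device).
SAMPLE = r"""
/ip hotspot profile
add dns-name=social-id-hotspot-dns hotspot-address=10.5.50.1 login-by=\
    cookie,http-chap name=hsprof1
/ip hotspot
add addresses-per-mac=1 interface=bridge-hotspot name=hs-bridge-hotspot profile=hsprof1
/ip hotspot walled-garden
add dst-host=*.socialidnow.com
/ip hotspot user
add name=testuser
/radius
add address=192.0.2.10 secret=example-secret service=hotspot
"""

def parse_export(text):
    """Return (section, props) pairs from RouterOS export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join lines wrapped with a trailing backslash
    entries, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line                   # e.g. "/ip hotspot profile"
        elif line and not line.startswith("#"):
            props = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
            entries.append((section, props))
    return entries

def audit(text, required_hosts=("*.socialidnow.com",)):
    """List deviations from the values this guide configures."""
    entries = parse_export(text)
    rows = lambda sec: [p for s, p in entries if s == sec]
    out = []
    prof = next((p for p in rows("/ip hotspot profile") if p.get("name") == "hsprof1"), {})
    if prof.get("login-by") != "http-pap":
        out.append("hsprof1: login-by is not http-pap only")
    if prof.get("use-radius") != "yes":
        out.append("hsprof1: use-radius is not enabled")
    srv = [p for p in rows("/ip hotspot") if p.get("interface") == "bridge-hotspot"]
    if not srv or srv[0].get("addresses-per-mac") != "1":
        out.append("bridge-hotspot: no hotspot server with addresses-per-mac=1")
    if not any("hotspot" in p.get("service", "") for p in rows("/radius")):
        out.append("no RADIUS entry for the hotspot service")
    hosts = {p.get("dst-host") for p in rows("/ip hotspot walled-garden")}
    out += [f"walled garden: missing {h}" for h in required_hosts if h not in hosts]
    out += [f"local hotspot user present: {p.get('name')}" for p in rows("/ip hotspot user")]
    return out
```

Call `audit()` with the saved export text; an empty list means every checked value matches the guide and no local hotspot user remains.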