Manual:IP/Hotspot/Profile: Difference between revisions
Jump to navigation
Jump to search
(6 intermediate revisions by 3 users not shown) | |||
Line 22: | Line 22: | ||
|type=string | |type=string | ||
|default="" | |default="" | ||
|desc=DNS name of the HotSpot server (it appears as the location of the login page). This name will automatically be added as a static DNS entry in the [[M:IP/DNS | DNS cache]]. | |desc=DNS name of the HotSpot server (it appears as the location of the login page). This name will automatically be added as a static DNS entry in the [[M:IP/DNS | DNS cache]]. Name can affect if Hotspot is automatically detected by client device. For example, iOS devices may not detect Hotspot that has a name which includes ".local". | ||
}} | }} | ||
Line 39: | Line 39: | ||
|type=string | |type=string | ||
|default=hotspot | |default=hotspot | ||
|desc=Directory name in which HotSpot HTML pages are stored (by default ''hotspot'' directory). It is possible to specify different directory with modified HTML pages. To change HotSpot login page, connect to the router with FTP and download hotspot directory contents. | |desc=Directory name in which HotSpot HTML pages are stored (by default ''hotspot'' directory). It is possible to specify different directory with modified HTML pages. To change HotSpot login page, connect to the router with FTP and download hotspot directory contents. | ||
<b> | |||
* v6.31 and older software builds: For devices where "flash" directory is present, hotspot html directory must be stored there and path must be typed in as follows: "/(hotspot_dir)". This must be done in this order as hotspot sees "flash" directory as root location. | |||
* v6.32 and newer software builds: full path must be typed in html-directory field, including "/flash/(hotspot_dir)" | |||
</b> | |||
}} | |||
{{Mr-arg-table | |||
|arg=html-directory-override | |||
|type=string | |||
|default=none | |||
|desc=Alternative path for hotspot html files. It should be used only if customized hotspot html files are stored on external storage(attached usb, hdd, etc). If configured then hotspot will switch to this html path as soon at it becomes available and switch back to html-directory path if override path becomes non-available for some reason. | |||
}} | }} | ||
Line 54: | Line 65: | ||
|default=0.0.0.0:0 | |default=0.0.0.0:0 | ||
|desc=Address and port of the proxy server for HotSpot service, when default value is used all request are resolved by the local [[M:IP/Proxy | /ip proxy]] | |desc=Address and port of the proxy server for HotSpot service, when default value is used all request are resolved by the local [[M:IP/Proxy | /ip proxy]] | ||
}} | |||
{{Mr-arg-table | |||
|arg=https-redirect | |||
|type=yes {{!}} no | |||
|default=yes | |||
|desc=Whether to redirect unauthenticated user to hotspot login page, if he is visiting a https:// url. Since certificate domain name will mismatch, often this leads to errors, so you can set this parameter to "no" and all https requests will simply be rejected and user will have to visit a http page. | |||
}} | }} | ||
Line 66: | Line 84: | ||
<li><b>http-chap</b> - login/password is required for the user to authenticate in HotSpot. CHAP challenge-response method with MD5 hashing algorithm is used for protecting passwords. | <li><b>http-chap</b> - login/password is required for the user to authenticate in HotSpot. CHAP challenge-response method with MD5 hashing algorithm is used for protecting passwords. | ||
<li><b>http-pap</b> - login/password is required for user to authenticate in HotSpot. Username and password are sent over network in plain text. | <li><b>http-pap</b> - login/password is required for user to authenticate in HotSpot. Username and password are sent over network in plain text. | ||
<li><b>https</b> - login/password is required for user to authenticate in HotSpot. Client login/password exchange between client and server is encrypted with SSL tunnel | <li><b>https</b> - login/password is required for user to authenticate in HotSpot. Client login/password exchange between client and server is encrypted with SSL tunnel. [[M:Hotspot_HTTPS_example | HTTPs example]] | ||
<li><b>mac</b> - client is authenticated without asking login form. Client MAC-address is added to /ip hotspot user database, client is authenticated as soon as connected to the HotSpot | <li><b>mac</b> - client is authenticated without asking login form. Client MAC-address is added to /ip hotspot user database, client is authenticated as soon as connected to the HotSpot | ||
<li><b>trial</b> - client is allowed to use internet without HotSpot login for the specified amount of time | <li><b>trial</b> - client is allowed to use internet without HotSpot login for the specified amount of time | ||
Line 105: | Line 123: | ||
|type=string | |type=string | ||
|default= | |default= | ||
|desc=Default domain to use for RADIUS requests. Allows to use separate RADIUS server per ''/ip hotspot profile'' | |desc=Default domain to use for RADIUS requests. Allows to use separate RADIUS server per ''/ip hotspot profile''. | ||
If used, same domain name should be specified under /radius domain value. | |||
}} | }} | ||
Latest revision as of 09:45, 28 February 2019
Applies to RouterOS: v3, v4, v5+
Summary
Sub-menu: /ip hotspot profile
This submenu contains list of Hotspot server profiles. There may be various different HotSpot systems, defined as HotSpot Server Profiles, on the same gateway machine. One or more interfaces can be grouped into one server profile. There are very few settings for the servers on particular interfaces - most of the configuration is set in the server profiles. For example, it is possible to make completely different set of servlet pages for each server profile, and define different RADIUS servers for authentication.
Properties
Property | Description |
---|---|
dns-name (string; Default: "") | DNS name of the HotSpot server (it appears as the location of the login page). This name will automatically be added as a static DNS entry in the DNS cache. Name can affect if Hotspot is automatically detected by client device. For example, iOS devices may not detect Hotspot that has a name which includes ".local". |
hotspot-address (IP; Default: 0.0.0.0) | IP address of HotSpot service. |
html-directory (string; Default: hotspot) | Directory name in which HotSpot HTML pages are stored (by default hotspot directory). It is possible to specify different directory with modified HTML pages. To change HotSpot login page, connect to the router with FTP and download hotspot directory contents.
|
html-directory-override (string; Default: none) | Alternative path for hotspot html files. It should be used only if customized hotspot html files are stored on external storage(attached usb, hdd, etc). If configured then hotspot will switch to this html path as soon at it becomes available and switch back to html-directory path if override path becomes non-available for some reason. |
http-cookie-lifetime (time; Default: 3d) | HTTP cookie validity time, the option is related to cookie HotSpot login method |
http-proxy (IP:Port; Default: 0.0.0.0:0) | Address and port of the proxy server for HotSpot service, when default value is used all request are resolved by the local /ip proxy |
https-redirect (yes | no; Default: yes) | Whether to redirect unauthenticated user to hotspot login page, if he is visiting a https:// url. Since certificate domain name will mismatch, often this leads to errors, so you can set this parameter to "no" and all https requests will simply be rejected and user will have to visit a http page. |
login-by (cookie|http-chap|http-pap|https|mac|trial|mac-cookie; Default: http-chap, cookie) | Used HotSpot authentication method
|
mac-auth-password (string; Default: ) | Used together with MAC authentication, field used to specify password for the users to be authenticated by their MAC addresses. The following option is required, when specific RADIUS server rejects authentication for the clients with blank password |
name (string; Default: ) | Descriptive name of the profile |
nas-port-type (string; Default: wireless-802.11) | NAS-Port-Type value to be sent to RADIUS server, NAS-Port-Type values are described in the RADIUS RFC 2865. This optional value attribute indicates the type of the physical port of the HotSpot server. |
radius-accounting (yes | no; Default: yes) | Send RADIUS server accounting information for each user, when yes is used |
radius-default-domain (string; Default: ) | Default domain to use for RADIUS requests. Allows to use separate RADIUS server per /ip hotspot profile. If used, same domain name should be specified under /radius domain value. |
radius-interim-update (time | received; Default: received) | How often to send accounting updates . When received is set, interim-time is used from RADIUS server. 0s is the same as received. |
radius-location-name (string; Default: ) | RADIUS-Location-Id to be sent to RADIUS server. Used to identify location of the HotSpot server during the communication with RADIUS server. Value is optional and used together with RADIUS server. |
radius-mac-format ("XX XX XX XX XX XX"|XX:XX:XX:XX:XX:XX|XXXXXX-XXXXXX|XXXXXXXXXXXX|XX-XX-XX-XX-XX-XX|XXXX:XXXX:XXXX|XXXXXX:XXXXXX; Default: XX:XX:XX:XX:XX:XX) | |
rate-limit (string; Default: "") | Rate limitation in form of rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]] [priority] [rx-rate-min[/tx-rate-min]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is as tx-rate too. Same goes for tx-burst-rate and tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate is used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. rx-rate-min and tx-rate min are the values of limit-at properties |
smtp-server (IP; Default: 0.0.0.0) | SMTP server address to be used to redirect HotSpot users SMTP requests. |
split-user-domain (yes | no; Default: no) | Split username from domain name when the username is given in "user@domain" or in "domain\user" format from RADIUS server |
ssl-certificate (string | none; Default: none) | Name of the SSL certificate on the router to to use only for HTTPS authentication. |
trial-uptime (time/time; Default: 30m/1d) | Used only with trial authentication method. First time value specifies, how long trial user identified by MAC address can use access to public networks without HotSpot authentication. Second time value specifies amount of time, that has to pass until user is allowed to use trial again. |
trial-user-profile (string; Default: default) | Specifies hotspot user profile for trial users. |
use-radius (yes | no; Default: no) | Use RADIUS to authenticate HotSpot users. |
[ Top | Back to Content ]