Free Internet access through Hotspot when RADIUS is down

From MikroTik Wiki
Revision as of 18:46, 14 July 2010 by Fewi

It may be desirable in some situations to grant blanket Internet access to users on a Hotspot if the RADIUS servers are unreachable. The downside of the approach below is that when RADIUS is unavailable, users are redirected to an automatic logon. That exposes user credentials that work on the Hotspot at any time, and users who are smart enough to sniff traffic can record the credentials and use them at other times. Also, the approach below works only with HTTP-PAP and HTTPS. I use HTTPS on all my Hotspots and have no experience with HTTP-CHAP. I'm sure this could be adapted to instead submit some pre-hashed credentials that would be more secure than HTTP-PAP. I'm currently not planning on working on that.

This is also based on the default HTML for Hotspots.

The original login.html contains the following at the top of the file:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>internet hotspot > login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<style type="text/css">

Replace that with:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>internet hotspot > login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
$(if error == 'RADIUSTIMEOUT')
<meta http-equiv="refresh" content="0;url=/login?username=test&password=test">
$(endif)
<style type="text/css">

This evaluates the variable $error and checks if it is set to the string 'RADIUSTIMEOUT', and if so adds a header that will cause an automatic redirect to the login servlet with user credentials filled out. This will, of course, require that a local username 'test' exist with password 'test', and that the account is permitted to log into the specific Hotspot instance.

It turns out that if statements in Hotspots can only evaluate single values without spaces. The default RADIUS error is 'RADIUS server not responding'. This can be changed to 'RADIUSTIMEOUT' by editing the errors.txt file in the Hotspot's HTML directory and replacing the following section:

# radius-timeout
# User is authenticated by RADIUS server, but no response is received from it,
# following error will be shown.

radius-timeout = RADIUS server is not responding

with the below:

# radius-timeout
# User is authenticated by RADIUS server, but no response is received from it,
# following error will be shown.

radius-timeout = RADIUSTIMEOUT
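A check for the two edits described above, as an added example that is not part of the original wiki page: it confirms that the radius-timeout message in errors.txt is a single value without spaces, that login.html compares against exactly that value, and it flags the credentials embedded in the auto-login redirect. The function names are hypothetical and the sample file contents are constructed from the snippets on this page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples: the page's edited errors.txt and login.html fragment.
ERRORS_TXT = """\
# radius-timeout
# User is authenticated by RADIUS server, but no response is received from it,
# following error will be shown.

radius-timeout = RADIUSTIMEOUT
"""
LOGIN_HTML = """\
<meta http-equiv="expires" content="-1" />
$(if error == 'RADIUSTIMEOUT')
<meta http-equiv="refresh" content="0;url=/login?username=test&password=test">
$(endif)
"""

def radius_timeout_value(errors_txt):
    """Return the radius-timeout message from errors.txt, or None if absent."""
    for line in errors_txt.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "radius-timeout":
            return value.strip()
    return None

def audit(errors_txt, login_html):
    """Return findings about the RADIUS-down fallback (hypothetical helper)."""
    findings = []
    msg = radius_timeout_value(errors_txt)
    if msg is None:
        findings.append("errors.txt: no radius-timeout entry")
    elif re.search(r"\s", msg):
        findings.append(f"errors.txt: {msg!r} contains spaces; $(if) cannot match it")
    # The token compared in login.html must equal the errors.txt message exactly.
    tokens = re.findall(r"\$\(if\s+error\s*==\s*'([^']*)'\s*\)", login_html)
    if msg is not None and msg not in tokens:
        findings.append(f"login.html: no $(if error == '{msg}'); fallback never fires")
    # Credentials in the refresh URL are readable by anyone who views the page.
    refresh = r'http-equiv="refresh"\s+content="\d+;\s*url=([^"]+)"'
    for url in re.findall(refresh, login_html, re.I):
        query = parse_qs(urlsplit(html.unescape(url)).query)
        if "password" in query:
            user = query.get("username", ["?"])[0]
            findings.append(f"login.html: auto-login exposes password for {user!r}")
    return findings
```

Run against the default errors.txt message, the same check also reports that the value contains spaces and that login.html has no matching comparison.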