Allied Telesis AT-WR4500 Network Router User Manual


 
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers 225
RouterOS v3 Configuration and User Guide
amount of time per MAC address to be freely used with some limitations imposed by the provided user
profile. If the MAC address still has some trial time unused, the login page will contain the link for
trial login. The time is automatically reset after the configured amount of time (so that, for example, any
MAC address may use 30 minutes a day without ever registering). The username of such a user (as seen
in the active user table and in the login link) is "T-XX:XX:XX:XX:XX:XX" (where XX:XX:XX:XX:XX:XX
is his/her MAC address). The authentication procedure will not ask the RADIUS server for permission to
authorise such a user.
HotSpot can authenticate users by consulting the local user database or a RADIUS server (the local
database is consulted first, then a RADIUS server). In the case of HTTP cookie authentication via a
RADIUS server, the router will send the same information to the server as was used when the cookie was
first generated. If authentication is done locally, the profile corresponding to that user is used;
otherwise (in case the RADIUS reply did not contain the group for that user) the default profile is used
to set default values for parameters that are not set in the RADIUS access-accept message. For more
information on how the interaction with a RADIUS server works, see the respective manual section.
The HTTP PAP method also makes it possible to authenticate by requesting the page
/login?username=username&password=password . If you want to log in using a telnet connection, the
exact HTTP request would look like this: GET /login?username=username&password=password
HTTP/1.0 (note that the request is case-sensitive).
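Because this request form carries the password in the URL, the password is recorded wherever request lines are logged. The following is an added example, not part of the manual: it scans access-log lines for such login requests and redacts the password before the lines are stored or shared. The log format, the function name find_url_logins and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Matches the request line inside a log entry, e.g. GET /login?... HTTP/1.0
REQUEST_LINE = re.compile(r"\b([A-Z]+) (\S+) HTTP/\d\.\d")

def find_url_logins(lines):
    """Return one finding per request that carries a password in a /login URL.

    Each finding is (line_no, username, redacted_target, exact_form), where
    exact_form is True only for the case-sensitive form shown in the manual.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(2))
        params = parse_qsl(target.query, keep_blank_values=True)
        lowered = {name.lower(): value for name, value in params}
        # Flag any casing so a mistyped request still gets its secret redacted.
        if target.path.lower() != "/login" or "password" not in lowered:
            continue
        names = {name for name, _ in params}
        exact_form = (match.group(1) == "GET" and target.path == "/login"
                      and {"username", "password"} <= names)
        redacted = urlencode([(name, "REDACTED" if name.lower() == "password" else value)
                              for name, value in params])
        findings.append((line_no, lowered.get("username", ""),
                         f"{target.path}?{redacted}", exact_form))
    return findings

# Constructed sample log lines (the common-log-style format is an assumption).
SAMPLE_LOG = [
    '10.5.50.12 - - [01/Jan/2024:10:00:01 +0000] "GET /login?username=alice&password=s3cret HTTP/1.0" 302 0',
    '10.5.50.13 - - [01/Jan/2024:10:00:05 +0000] "GET /status HTTP/1.1" 200 512',
    '10.5.50.14 - - [01/Jan/2024:10:00:09 +0000] "GET /login HTTP/1.1" 200 900',
    '10.5.50.15 - - [01/Jan/2024:10:00:12 +0000] "GET /Login?Username=bob&Password=hunter2 HTTP/1.0" 404 0',
    '10.5.50.16 - - [01/Jan/2024:10:00:20 +0000] "GET /login?username=carol%40example.com&password=p%26w HTTP/1.0" 302 0',
]

if __name__ == "__main__":
    for finding in find_url_logins(SAMPLE_LOG):
        print(finding)
```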
Authorization
After authentication, the user gets access to the Internet, subject to some limitations (which are user
profile specific). HotSpot may also perform a one-to-one NAT for the client, so that a particular user
would always receive the same IP address regardless of which PC he/she is working at.
The system will automatically detect requests to a proxy server that a client is using (if any; the
client's settings may point to a proxy server unknown to us) and redirect them to the proxy server
embedded in the router.
Authorization may be delegated to a RADIUS server, which delivers similar configuration options as the
local database. For any user requiring authorization, a RADIUS server gets queried first, and if no reply
is received, the local database is examined. The RADIUS server may send a Change of Authorization
request according to standards to alter the previously accepted parameters.
Advertisement
The same proxy that is used for unauthorized clients to provide the Walled-Garden facility may also be
used for authorized users to show them advertisement popups. A transparent proxy for authorized users
makes it possible to monitor the HTTP requests of the clients and to take some action if required. It
makes it possible to open the status page even if the client is logged in by MAC address, as well as to
show advertisements from time to time.
When the time has come to show an advertisement, the server redirects the client's web browser to the
status page. Only requests that provide HTML content are redirected (images and other content will not
be affected). The status page displays the advertisement, and the next advertise-interval is used to
schedule the next advertisement. If the status page is unable to display an advertisement within the
configured timeout, counted from the moment it was scheduled to be shown, client access is blocked
within the walled garden (as unauthorized clients are). The client is unblocked when the scheduled page
is finally shown. Note that if popup windows are blocked in the browser, the link on the status page may
be used to open the advertisement manually.
While the client is blocked, FTP and other services will not be allowed, so the client is required to
open an advertisement for any Internet activity not specifically allowed by the Walled-Garden.
Accounting
The HotSpot system implements accounting internally; you are not required to do anything special for it
to work. The accounting information for each user may be sent to a RADIUS server.
Configuration menus
/ip hotspot - HotSpot servers on particular interfaces (one server per interface). A HotSpot server
must be added in this menu in order for the HotSpot system to work on an interface.
/ip hotspot profile - HotSpot server profiles. Settings that affect the login procedure for HotSpot
clients are configured here. More than one HotSpot server may use the same profile.
/ip hotspot host - dynamic list of active network hosts on all HotSpot interfaces. Here you can also
find the IP address bindings of the one-to-one NAT.
/ip hotspot ip-binding - rules for binding IP addresses to hosts on HotSpot interfaces.