This article describes how to enable Cloudi-Fi Captive Portal directly and natively in your Mikrotik RouterOS.
Summary:
- Get Cloudi-Fi required information
- Verify SNTP Client
- Configure your Guest SSID
- Add the SSL certificates
- Create Cloudi-Fi Radius Server
- Configure the Hotspot service
- Add log server
Testing environment:
This configuration has been tested with RouterOS 6.43.2 and v6.45.9 on HAP AC^2 using Winbox
1) Get Cloudi-Fi required URL and Radius Secret
Go to your Cloudi-Fi administration interface and get the URL for external authentication.
Go to Locations Menu
Click on the menu button of the location and select "Copy Splash page URI"
Go to the chat interface and ask for your Radius secret
- Copy the secret as well
2) Verify SNTP Client
After connecting to your Mikrotik, first make sure your SNTP client is configured.
Go to System > SNTP Client:
- Set Enabled
- Primary NTP Server: xxxxxx
- Secondary NTP Server: xxxxxx
The NTP Servers can be found here; make sure to select the nearest ones to your location.
Click on Apply. Mode should now be unicast, and some additional information appears.
Next, let's check the system time.
Go to System > Clock:
- Time Zone Name: select your location time zone
3) Configure your Guest's SSID
Go to Wireless > Security Profiles > Add New
- Name: Guest-Open
- Mode: None
- Interim Update: 00:10:00 (10 minutes)
- Save
Go to Wireless > WiFi Interface tab > Add New > Virtual
- Name: Cloudi-Fi Guest WiFi
- SSID: Cloudi-Fi Guest WiFi
- Mode: ap bridge
- Master Interface: Your WLAN interface
- Security Profile: Guest-Open
For V6.45.9
Go to Wireless > WiFi Interface tab > Add New > Virtual
- General
  - Name: Your SSID
- Wireless
  - Mode: AP Bridge
  - Master Interface: Your WLAN Interface
  - Security profile: Guest-Open
  - WPS Mode: Disabled
4) Add the SSL certificates
We strongly recommend using HTTPS redirection during the authentication workflow (instead of HTTP redirection).
The Cloudi-Fi team can provide you with our dedicated public certificate for HTTPS Redirection.
You can also manage your own public certificate.
To import the certificate:
Go to Files:
- Drag and drop certificates and public keys from your computer.
Go to System > Certificates > Certificates tab:
- Click on Import:
  - Select the Certificate and add a passphrase
  - Select the Public key and add a passphrase
Make sure the KLT label appears next to your certificate name
5) Create Cloudi-Fi Radius Server
Go to Radius and add a new server:
- Service: hotspot
- Address: Radius Servers and Ports
- Secret: Provided by the Cloudi-Fi Support team
- Authentication Port: 1812
- Accounting Port: 1813
- Src Address: 0.0.0.0
For V6.45.9
- Called Id: The Mikrotik MAC Address
Go to IP > Hotspot > Server Profiles
- Radius Tab
  - Location ID: The Mikrotik MAC Address
6) Create Cloudi-Fi Hotspot
Go to IP > Hotspot > Servers > Hotspot Setup.
Hotspot Setup runs a wizard that automatically creates the required firewall rules.
- Hotspot Interface: Your Guest WLAN interface
- Address Pool: Whatever you wish
- Select Certificate: Select the imported certificate.
- IP Address of SMTP Server: 0.0.0.0
- DNS Server: 8.8.8.8 and 8.8.4.4 (or any other DNS like yours or Umbrella)
- DNS Name: Domain name related to the SSL certificate imported previously
- Name of Local Hotspot User: user
- Password of the User: Enter a complex password (it will not be used)
- Finish
Now double-click on the server you created and modify:
- Name: Paste your Mikrotik MAC Address (Quick set > Wireless Mac Address)
- Addresses Per MAC: 1
Note the selected profile for the next step.
Go to IP > Hotspot > Server Profiles:
- Double-click on the hsprofX (the one selected in the previous step)
Login Tab:
- Check only HTTPS and select the SSL Certificate
Radius Tab:
- Check Use Radius
- Select Mac format: xx:xx:xx:xx:xx
- Interim Update: 00:10:00
Go to IP > Hotspot > User Profiles > Select default
- Keepalive Timeout: Equal to Cloudi-Fi Session Lifetime
- Shared Users: clear
Now we are going to set up the Walled Garden.
Note: if you have social media connectors in your captive portal, an additional domain must be added to the walled garden.
The Cloudi-Fi Support team will provide you with the needed URLs.
Go to System > Scripts and add a new Script:
- Name: Cloudifi_Walledgarden
- Copy and paste the following in the Source field:
/ip hotspot walled-garden
add dst-host=*.cloudi-fi.com
add dst-host=*.cloudi-fi.net
add dst-host=*.3wi.fi
Note: If you have imported your own SSL certificate for HTTPS redirection, also add your domain to the list above.
- Click on Apply, then Run script
- Check if the list appeared in IP > Hotspot > Walled Garden
Now we need to make sure your guests are correctly redirected. Copy and paste the following text into a text editor and save it as login.html:
<html>
<head>
<meta http-equiv="refresh" content="0; url=<!-- Location URL-->?res=notyet&host=$(server-name)&client_mac=$(mac)&client_ip=$(ip)&userurl=$(link-orig)&login_url=$(link-login-only)&error=$(error)&user=$(username)" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
</head>
</html>
Go to the Cloudi-Fi administration interface: Cloudi-Fi administration > Locations > Click on the menu button of the location and select Copy Splash page URI.
Replace <!-- Location URL--> with this URI in the HTML code.
Note: Make sure that the Cloudi-Fi location URL contains the following attribute:
spentityid=spmikrotik.com
Next, copy and paste the following text into a text editor and save it as alogin.html; the redirect URI can be your company website or any other service you want:
<!-- Redirection page -->
<html>
<head>
<meta http-equiv="refresh" content="0; url=https://login.cloudi-fi.net/success.php" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
</head>
</html>
Back in Mikrotik Winbox, Files > drag and drop those two files into the hotspot folder.
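Before uploading, the substitution in login.html can be checked with a short script. This is an added example, not Cloudi-Fi's or Mikrotik's own tooling: it fills the placeholder with the Splash page URI and refuses to do so if the URI would break the meta tag, is not covered by the walled-garden entries above, or lacks spentityid=spmikrotik.com. The function names, the https requirement and the sample URI are assumptions of this example.

```python
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Template, placeholder and walled-garden entries copied from this page.
PLACEHOLDER = "<!-- Location URL-->"
TEMPLATE = """<html>
<head>
<meta http-equiv="refresh" content="0; url=<!-- Location URL-->?res=notyet&host=$(server-name)&client_mac=$(mac)&client_ip=$(ip)&userurl=$(link-orig)&login_url=$(link-login-only)&error=$(error)&user=$(username)" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
</head>
</html>
"""
WALLED_GARDEN = ["*.cloudi-fi.com", "*.cloudi-fi.net", "*.3wi.fi"]
# The page does not say where in the URI the attribute sits, so match it anywhere.
ATTRIBUTE = re.compile(r"(?<![A-Za-z0-9_])spentityid=spmikrotik\.com(?![A-Za-z0-9._-])")


def check_splash_uri(uri, walled_garden=WALLED_GARDEN):
    """Return a list of problems; an empty list means the URI is usable."""
    problems = []
    if any(c in uri for c in '"<>') or any(c.isspace() for c in uri):
        problems.append("contains characters that would break the meta tag")
    parts = urlsplit(uri)
    if parts.scheme != "https":  # assumption: this example insists on https
        problems.append("scheme is not https")
    host = parts.hostname or ""
    if not any(fnmatch(host, pattern) for pattern in walled_garden):
        problems.append("host %r is not covered by the walled garden" % host)
    if not ATTRIBUTE.search(uri):
        problems.append("missing spentityid=spmikrotik.com")
    return problems


def render_login_html(uri, walled_garden=WALLED_GARDEN):
    """Substitute the Splash page URI into login.html, or raise ValueError."""
    problems = check_splash_uri(uri, walled_garden)
    if problems:
        raise ValueError("; ".join(problems))
    return TEMPLATE.replace(PLACEHOLDER, uri)


if __name__ == "__main__":
    # Constructed sample URI; use the one copied from your own location.
    sample = "https://login.cloudi-fi.net/start/EXAMPLE?spentityid=spmikrotik.com"
    print(render_login_html(sample))
```

If you added your own domain to the walled garden, pass the extended list as the second argument so the host check reflects what the router actually allows.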
7) Add log server
Go to System > Logging
- Click on the Actions tab and add new
  - Name: Cloudifi_syslog
  - Type: Remote
  - Remote Address: Provided by Cloudi-Fi
  - Remote Port: 514
  - Src. Addresses: 0.0.0.0
- Rules tab and add new
  - Topics: Firewall
  - Prefix: Empty
  - Action: Select the server you’ve created
Go to IP > Firewall > Filter rules
- General tab
  - Chain: Forward
  - Protocol: TCP
  - Dst. Port: 80,443 (Others if needed)
  - In Interface: Your SSID Interface
- Action tab
  - Action: Accept
  - Check log
  - Log prefix: Your Company name-Your Mikrotik MAC Addr