This article describes how to enable Cloudi-Fi Captive Portal directly and natively in your Mikrotik RouterOS.
Learn how to create a secure captive portal with Mikrotik RouterOS using Radius for user authentication. Step-by-step guide for network control.
Use case
Employing the authentication features of a Radius server enables you to enforce access control policies and improve device identification and network management. The upcoming sections will guide you through the process of setting up this configuration step by step.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- A Mikrotik access point.
- Cloudi-Fi Radius IPs and Secret
- Access to the Mikrotik RouterOS dashboard.
- Knowledge of your network's IP addressing scheme.
- Permission to configure your firewall to allow specific ports.
Firewall rules required for the solution:
| Source | Destination | Port | Protocol | Action | Comment |
| * | Cloudi-Fi IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get Cloudi-Fi required URL
If the location does not already exist in the Cloudi-Fi Admin interface, go to the "Location" section, create a new location and enter its required details:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure the External Captive Portal. To obtain it:
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows, replacing the last path segment with spmikrotik.com:
Copied from Cloudi-Fi: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com
For Mikrotik: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spmikrotik.com
2. Get Radius information
You will need the Radius server details (IP addresses, ports, secret) for the setup:
- IPs: IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- Secret: provided by Cloudi-Fi Support
You can get the Secret by asking in the Chatbot; Cloudi-Fi's Support team will provide you with the necessary information.
What shared secret is used for the Radius server? (Please save this confidential information securely, and do not share it publicly.)
3. Verify SNTP Client
After connecting to your Mikrotik, first make sure your SNTP client is configured.
Go to: "System > SNTP Client"
- Set Enabled
- Primary NTP Server: xxxxxx
- Secondary NTP Server: xxxxxx
Use public NTP servers, and make sure to select the ones nearest to your location.
Click on Apply; Mode should now show Uni-cast and additional status information appears.
Next, let's check the system time.
Go to: "System > Clock"
- Time Zone Name: select your location time zone
4. Configure your Guest's SSID
Go to: "Wireless > Security Profiles > Add New"
- Name: Guest-Open
- Mode: None
- Interim Update: 00:10:00 (10 minutes)
- Save
Go to: "Wireless > WiFi Interface tab > Add New > Virtual"
- Name: Cloudi-Fi Guest WiFi
- SSID: Cloudi-Fi Guest WiFi
- Mode: ap bridge
- Master Interface: Your WLAN interface
- Security Profile: Guest-Open
For V6.45.9
Go to: "Wireless > Wifi Interface Tab > Add new Virtual"
- General
- Name: Your SSID - Wireless
- Mode: AP Bridge
- Master Interface: Your WLAN Interface
- Security profile: Guest-Open
- WPS Mode: Disabled
5. Add the SSL certificates
We strongly recommend using HTTPS redirection during the authentication workflow (instead of HTTP redirection).
The Cloudi-Fi team can provide you with our dedicated public certificate for HTTPS redirection, or you can use your own public certificate.
To import the certificate, go to "Files", then drag and drop the certificate and public key from your computer.
Go to: "System > Certificates > Certificates tab"
Click on "Import":
- Select the Certificate and add a passphrase
- Select the Public key and add a passphrase
Make sure the KLT flags (private key, CRL, trusted) appear next to your certificate name.
6. Create Cloudi-Fi Radius Server
Go to: "Radius" and add a new server
- Service: hotspot
- Address: Radius Servers and Ports
- Secret: Provided by the Cloudi-Fi Support team
- Authentication Port: 1812
- Accounting Port: 1813
- Src Address: 0.0.0.0
For V6.45.9
- Called Id: The Mikrotik MAC Address
Go to: "IP > Hotspot > Server Profiles"
- On "Radius Tab":
- Location ID: The Mikrotik MAC Address
7. Create Cloudi-Fi hotspot
Go to: "IP > Hotspot > Servers > Hotspot Setup"
Hotspot Setup runs a wizard that also creates the required firewall rules automatically.
- Hotspot Interface: Your Guest WLAN interface
- Address Pool: Whatever you wish
- Select Certificate: Select the imported certificate.
- IP Address of SMTP Server: 0.0.0.0
- DNS Server: 8.8.8.8 and 8.8.4.4 (or any other DNS like yours or Umbrella)
- DNS Name: Domain name related to the SSL certificate imported previously
- Name of Local Hotspot User: user
- The password of the User: Enter a complex password (it will not be used)
- Finish
Now double-click on the server you created and modify:
- Name: Paste your Mikrotik MAC Address (Quick Set > Wireless MAC Address)
- Addresses Per MAC: 1
Note the selected profile for the next step.
Go to: "IP > Hotspot > Server Profiles"
- Double-click on the hsprofX (The one selected in the previous step)
Login Tab:
- Check only HTTPS and select the SSL Certificate
Radius Tab:
- Check Use Radius
- Select MAC format: XX:XX:XX:XX:XX:XX
- Interim Update: 00:10:00
Go to: "IP > Hotspot > User Profiles > Select default"
- Keepalive Timeout: Equal to Cloudi-Fi Session Lifetime
- Shared Users: clear
Now, we are going to set up the Walled-Garden.
Note: if you have social media connectors in your captive portal, additional domains must be added to the walled garden. The Cloudi-Fi Support team will provide you with the needed URLs.
Go to: "System > Scripts and add a new Script"
- Name: Cloudifi_Walledgarden
- Copy and paste the following in the Source field:
/ip hotspot walled-garden
add dst-host=*.cloudi-fi.com
add dst-host=*.cloudi-fi.net
add dst-host=*.3wi.fi
Note: If you have imported your own SSL certificate for HTTPS redirection, add also your domain to the list above.
Click on Apply, then Run Script.
Check that the list appears in "IP > Hotspot > Walled Garden".
Now we need to make sure your guests are correctly redirected. Copy and paste the following text into a text editor and save it as login.html:
<html>
<head>
<meta http-equiv="refresh" content="0; url=<!-- Location URL-->?res=notyet&host=$(server-name)&client_mac=$(mac)&client_ip=$(ip)&userurl=$(link-orig)&login_url=$(link-login-only)&error=$(error)&user=$(username)" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
</head>
</html>
Go to Cloudi-Fi administration interface "Cloudi-Fi administration > Locations" then click on the menu button of the location and select Copy Splash page URI.
Replace <!-- Location URL--> with this URI in the HTML code.
Note: make sure that the Cloudi-Fi location URL contains the following attribute:
spentityid=spmikrotik.com
Next, copy and paste the following text into a text editor and save it as alogin.html; the redirect URI can be your company website or any other service you want:
<!-- Redirection page -->
<html>
<head>
<meta http-equiv="refresh" content="0; url=https://login.cloudi-fi.net/success.php" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
</head>
</html>
Back in Mikrotik Winbox, "Files", drag and drop those two files into the hotspot folder.
8. Add log server
Go to: "System > Logging"
On the "Actions" tab, add new:
- Name: Cloudifi_syslog
- Type: Remote
- Remote Address: Provided by Cloudi-Fi
- Remote Port: 514
- Src. Address: 0.0.0.0
On the "Rules" tab, add new:
- Topics: Firewall
- Prefix: Empty
- Action: Select the action you've created
Go to: "IP > Firewall > Filter Rules" and add a new rule:
On the "General" tab:
- Chain: Forward
- Protocol: TCP
- Dst. Port: 80,443 (others if needed)
- In. Interface: Your SSID interface
On the "Action" tab:
- Action: Accept
- Check "Log"
- Log Prefix: Your Company name-Your Mikrotik MAC Address
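The Winbox settings of steps 6 to 8 entered from the RouterOS terminal instead, as an added example that is not from the original article; the RADIUS addresses, secret, guest interface, certificate name, syslog address, MAC address and the 1d keepalive are placeholders you must replace with your own values.

```routeros
# Added example (not from the original article): steps 6 to 8 as terminal commands.
# Every value below is a placeholder; replace it before running the script.
:local radiusServers {"192.0.2.10";"192.0.2.11"}
:local secret   "REPLACE_WITH_CLOUDIFI_SECRET"
:local guestIf  "wlan-guest"
:local certName "cloudifi-cert"
:local apMac    "AA:BB:CC:DD:EE:FF"
:local syslogIp "192.0.2.20"
:local prefix   "MyCompany-AA:BB:CC:DD:EE:FF"

# Step 6: one RADIUS entry per Cloudi-Fi server, for the hotspot service only
:foreach srv in=$radiusServers do={
  /radius add service=hotspot address=$srv secret=$secret \
    authentication-port=1812 accounting-port=1813 src-address=0.0.0.0 \
    called-id=$apMac comment="Cloudi-Fi"
}

# Step 7: adjust the server the Hotspot Setup wizard created on the guest interface
/ip hotspot set [find interface=$guestIf] name=$apMac addresses-per-mac=1
:local prof [/ip hotspot get [find interface=$guestIf] profile]
/ip hotspot profile set $prof login-by=https ssl-certificate=$certName \
  use-radius=yes radius-mac-format=XX:XX:XX:XX:XX:XX \
  radius-interim-update=10m radius-location-id=$apMac
# keepalive-timeout must equal the Cloudi-Fi session lifetime (1d assumed here)
/ip hotspot user profile set default keepalive-timeout=1d

# Step 8: remote syslog action, firewall topic rule and the logged accept rule
/system logging action add name=Cloudifi_syslog target=remote remote=$syslogIp \
  remote-port=514 src-address=0.0.0.0
/system logging add topics=firewall prefix="" action=Cloudifi_syslog
# The rule is appended at the end of the forward chain; move it above any rule
# that already matches guest web traffic, otherwise nothing gets logged.
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 \
  in-interface=$guestIf action=accept log=yes log-prefix=$prefix
```

Run it once from "System > Scripts" and then compare the result with the Winbox screens described in the steps above.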
Troubleshooting
If you’re facing issues with your captive portal, it may have several root causes.
Firewall problem
Before beginning, check that the firewall rules listed in the Prerequisites section are active.
If you still encounter problems after following all the configuration steps, collect the following and provide it to the Cloudi-Fi support team:
- A web capture from your browser
- The URL of the captive portal configured on Mikrotik
- An HTTP data capture
- The user ID facing the error page
Mikrotik troubleshooting command lists
Certificates issues
If the certificate is not valid or not applied correctly, you need to add the certificate and apply it to the captive portal.
To import the certificate, go to "Files", then drag and drop the certificate and public key from your computer.
Go to: "System > Certificates > Certificates"
- Click on "Import":
- Select the Certificate and add a passphrase
- Select the Public key and add a passphrase
Make sure the "KLT" flags appear next to your certificate name!
Captive portal display issue before or after authentication
The problem may be related to DHCP or DNS.
- Check that your IP address is valid.
- Check that login.cloudi-fi.net is resolved.
- If DNS and the IP address work correctly but you still have a captive portal problem, open http://neverssl.com in your browser to trigger the redirection to the portal.
Error after authentication on the page
Once connected to the SSID, if you see a Cloudi-Fi error page instead of your captive portal, check whether:
- The URL transformed at the beginning is misconfigured,
- Radius does not receive requests from Cloudi-Fi.
Check the configuration of the Radius server:
- The IP address of the RADIUS server
- The RADIUS port (default port 1812)
- The shared secret
Check the availability of the Radius server:
- In the Mikrotik administration interface, click on the RADIUS tab and check that the information is correct.
- Ping <IP_RADIUS_Server or FQDN>
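The checks of this troubleshooting section (clock, DNS resolution of the portal host, RADIUS reachability and counters, certificate with private key) gathered into one terminal script, as an added example that is not from the original article; it assumes the RADIUS entries carry the comment "Cloudi-Fi".

```routeros
# Added example (not from the original article): run the troubleshooting checks
# from the RouterOS terminal. Assumes /radius entries are commented "Cloudi-Fi".
:local portalHost "login.cloudi-fi.net"

# Clock: RADIUS and the HTTPS certificate both fail silently on a wrong time
:put ("Clock: " . [/system clock get date] . " " . [/system clock get time] . " (" . [/system clock get time-zone-name] . ")")

# DNS: guests cannot be redirected if the portal host does not resolve
:do { :put ("DNS: $portalHost -> " . [:resolve $portalHost]) } on-error={ :put "DNS: FAILED to resolve $portalHost, check DHCP/DNS settings" }

# RADIUS: reachability of each Cloudi-Fi server, then its request/timeout counters
:foreach r in=[/radius find comment="Cloudi-Fi"] do={
  :local addr [/radius get $r address]
  :if ([/ping $addr count=2] > 0) do={ :put "RADIUS $addr: ping OK" } else={ :put "RADIUS $addr: NO ping reply, check the IP and the UDP 1812/1813 path" }
  /radius monitor $r once
}

# Certificate: every RADIUS-enabled hotspot profile must use a certificate
# that carries a private key (K flag), otherwise HTTPS login cannot work
:foreach p in=[/ip hotspot profile find use-radius=yes] do={
  :local name [/ip hotspot profile get $p name]
  :local cert [/ip hotspot profile get $p ssl-certificate]
  :if ([:len [/certificate find name=$cert private-key=yes]] = 0) do={ :put "Profile $name: certificate '$cert' missing or without private key" } else={ :put "Profile $name: certificate '$cert' OK" }
}
```

The /radius monitor line prints the accept, reject and timeout counters; timeouts with a successful ping usually point at a wrong shared secret or a firewall blocking UDP 1812/1813.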
Test authentication
To conduct this test, connect to the SSID, then try to authenticate on the captive portal page and check that the authentication process is successful.
If you have any questions, don't hesitate to contact us: How to contact your support?