Skip to main content

Search

Cloudi-Fi Knowledge Base

Mikrotik RouterOS integration with Cloudi-Fi

Default Admin
  • Updated

This article describes how to enable Cloudi-Fi Captive Portal directly and natively in your Mikrotik RouterOS.

Learn how to create a secure captive portal with  Mikrotik RouterOS using Radius for user authentication. Step-by-step guide for network control.

 

Use case

Employing the authentication features of a Radius server enables you to enforce access control policies and improve device identification and network management. The upcoming sections will guide you through the process of setting up this configuration step by step.

 

Prerequisites

Before starting, ensure that you have the following prerequisites:

  • A Mikrotik access point.
  • Cloudi-Fi Radius IPs and Secret  
  • Access to the Mikrotik RouterOS dashboard.
  • Knowledge of your network's IP addressing scheme.
  • Permission to configure your firewall to allow specific ports.
Source Destination Port Protocol Action Comment
* Cloudi-Fi IPs 1812-1813 UDP Allow RADIUS traffic
Guest subnet Any 80 TCP Allow HTTP traffic
Guest subnet Any 443 TCP Allow HTTPS traffic
Guest subnet Any 53 UDP/TCP Allow DNS resolution
* * * * Deny To be adjusted according to your needs

 

1. Get Cloudi-Fi required URL

To create a new location in the Cloudi-fi Admin interface if it doesn't already exist, go to the "Location" section then create a new location and enter the required details for the new location:

  • Location Name
  • Type (Redirect URL)
  • Portal template
  • Country 

Location URL: this URL will be used to configure an External Captive Portal

  • Access the Cloudi-Fi administration console
  • Select the location
  • Click on the menu button for the location
  • Select "Copy Splash page URL"

Cloudi-Fi Get captive portal url

Transform the URL as follows:

Cloudi-Fi

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com

Mikrotik

https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spmikrotik.com

 

2. Get Radius informations

You will need the Radius informations (server IPs, ports, secret) to set up.

You can get the Secret by asking in the Chatbot, Cloudi-Fi’s Support team will provide you with the necessary information.

Cloudi-Fi - Get radius information for Mikrotik

What shared secret is used for the Radius server? (Please save this confidential information securely, and do not share it publicly).

 

3. Verify SNTP Client

​​After connecting to your Mikrotik, first, let's make sure your SNTP client is configured.

Go to: "System > SNTP Client"

  1. Set Enabled
  2. Primary NTP Server: xxxxxx
  3. Secondary NTP Server: xxxxxx

The NTP Servers can be found here; make sure to select the nearest ones to your location.

Click on Apply, Mode should now be Uni-cast and some others information appeared

Next, let's check the system time.

Go to: "System > Clock"

  1. Time Zone Name: select your location time zone

 

4. Configure your Guest's SSID

Go to: "Wireless > Security Profiles > Add New"

  1. Name: Guest-Open
  2. Mode: None
  3. Interim Update: 00:10:00. (10 minutes)
  4. Save

Go to: "Wireless > WiFi Interface tab > Add New > Virtual"

  1. Name: Cloudi-Fi Guest WiFi
  2. SSID: Cloudi-Fi Guest WiFi
  3. Mode: ap bridge
  4. Master Interface: Your WLAN interface
  5. Security Profile: Guest-Open
For V6.45.9

Go to: "Wireless > Wifi Interface Tab > Add new Virtual"

  1. General
    - Name: Your SSID
  2. Wireless
    - Mode: AP Bridge
    - Master Interface: Your WLAN Interface
    - Security profile: Guest-Open
    - WPS Mode: Disabled

 

5. Add the SSL certificates

We strongly recommend using HTTPS redirection during authentication workflow (instead of HTTP redirection).

The Cloudi-Fi team can provide you with our dedicated public certificate for HTTPS Redirection but you can also manage your public certificate.

To import the certificate, go to "Files", then drag and drop certificates and public keys from your computer :

Add the SSL certificates Cloudi-Fi integration Mikrotik.gif

Go to: "System > Certificates > Certificates tab"

  • Click on "Import":
    - Select the Certificate and add a passphrase
    - Select the Public key and add a passphrase

Make sure to have KLT Label next to your certificate Name

 

6. Create Cloudi-Fi Radius Server

​​Go to: "Radius" and add a new server

  1. Service: hotspot
  2. Address: Radius Servers and Ports 
  3. Secret: Provided by the Cloudi-Fi Support team
  4. Authentication Port: 1812
  5. Accounting Port: 1813
  6. Src Address: 0.0.0.0
For V6.45.9
  1. Called Id: The Mikrotik MAC Address

Go to: "IP > Hotspot > Server Profiles"

  1. On "Radius Tab":
    - Location ID: The Mikrotik MAC Address

 

7. Create Cloudi-Fi hotspot

Go to: "IP > Hotspot > Servers > Hotspot Setup"

The Hotspot Setup will run a wizard automatically created according to firewall rules.

  1. Hotspot Interface: Your Guest WLAN interface
  2. Address Pool: Whatever you wish
  3. Select Certificate: Select the imported certificate.
  4. IP Address of SMTP Server: 0.0.0.0
  5. DNS Server: 8.8.8.8 and 8.8.4.4 (or any other DNS like yours or Umbrella)
  6. DNS Name: Domain name related to the SSL certificate imported previously
  7. Name of Local Hotspot User: user
  8. The password of the User: Enter a complex password (it will not be used)
  9. Finish

Now Double click on the server you created and modify:

  1. Name: Paste your Mikrotik MAC Address (Quick set > Wireless Mac Address)
  2. Addresses Per MAC: 1
Note the selected profile for the next step

Go to: "IP > Hotspot > Server Profiles"

  1. Double-click on the hsprofX (The one selected in the previous step)
    Login Tab:
    - Check only HTTPS and select the SSL Certificate
    Radius Tab:
    - Check Use Radius
    - Select Mac format: xx:xx:xx:xx:xx
    - Interim Update: 00:10:00

Go to: "IP > Hotspot > User Profiles > Select default"

  • Keepalive Timeout: Equal to Cloudi-Fi Session Lifetime
  • Shared Users: clear

Select Hotspot default Cloudi-Fi Integration Mikrotik.gif

Now, we are going to set up the Walled-Garden.

Note: if you have social media connectors in your captive portal, an additional domain must be added to the walledgarden. The Cloudi-Fi Support team will provide you with the needed URLs.

Go to: "System > Scripts and add a new Script"

  • Name: Cloudifi_Walledgarden
  • Copy and paste the following in the Source field:
/ip hotspot walled-garden
add dst-host=*.cloudi-fi.com
add dst-host=*.cloudi-fi.net
add dst-host=*.3wi.fi

Note: If you have imported your own SSL certificate for HTTPS redirection, add also your domain to the list above.

Click on Apply, then Run script:

Run Script walled_garden Ccloudi-Fi integration Mikrotik.gif

Check if the list appeared in "IP > Hotspot > Walled Garden".

Now we need to make sure your guests are correctly redirected. Copy and paste the following text into a text editor and save it as login.html

<html>
<head>
<meta http-equiv="refresh" content="0; url=<!-- Location URL-->?res=notyet&host=$(server-name)&client_mac=$(mac)&client_ip=$(ip)&userurl=$(link-orig)&login_url=$(link-login-only)&error=$(error)&user=$(username)" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
</head>
</html>

Go to Cloudi-Fi administration interface "Cloudi-Fi administration > Locations" then click on the menu button of the location and select Copy Splash page URI.

Replace <!-- Location URL--> by this URI in the HTML Code.

Note: Make sure that the Cloudi-Fi location URL contains the following attribute :

spentityid=spmikrotik.com

Next, copy and paste the following text into a text editor and save it as alogin.html; the redirect URI can be your company website or any other service you want:

<!-- Redirection page -->
<html>
<head>
<meta http-equiv="refresh" content="0; url=https://login.cloudi-fi.net/success.php" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">
</head>
</html>

Back in Mikrotik Winbox, "Files", drag and drop those two files into the hotspot folder

 

8. Add log server

Go to: "System > Logging"

  • On "Actions" tab, add new:
    - Name: Cloudifi_syslog
    - Type: Remote
    - Remote Address: Provided by Cloudi-fi
    - Remote Port: 514
    - Src. Addresses: 0.0.0.0
  • On "Rules" tab, add new:
    - Topics: Firewall
    - Prefix: Empty
    - Action: Select the server you’ve created

Go to: "IP > Firewall > Filter rules"

    1. On "General" tab, add new:
      - Chain: Forward
      - Protocol: TCP
      - Dst. Port: 80,443 (Others if needed)
      - In Interface: Your SSID Interface
    2. On "Action" tab, add new:
      - Action: Accept
      - Check "log"
      - Log prefix: Your Company name-Your Mikrotik MAC Address

 

Troubleshooting

If you’re facing issues with your captive portal, it may have several root causes.

Firewall problem

Before beginning, please check that the following Firewall rules are active, as mentioned in the Solution prerequisites section.

If you still encounter problems after following all the configuration steps, follow the steps below and provide it to the Cloudi-Fi support team:

  1. Make a web capture of your browser
  2. Share with the Cloudi-Fi support team
  3. The URL of the captive portal configured on Mikrotik 
  4. Capture HTTP data
  5. User ID facing the error page Mikrotik troubleshooting command lists

Certificates issues 

If the certificate is not valid or not applied correctly, you need to add the certificate and apply it to the captive portal.

Error certificat not valid cloudi-Fi integration Mikrotik.png

To import the certificate, go to "Files", then drag and drop certificates and public keys from your computer :

Import certificat for Cloudi-Fi ntegration Mikrotik.gif

Go to: "System > Certificates > Certificates"

  • Click on "Import":
    - Select the Certificate and add a passphrase
    - Select the Public key and add a passphrase
Make sure to have "KLT" Label next to your certificate Name !

Captive portal display issue before or after authentication

The problem may be related to DHCP or DNS.

  1. Check that your IP address is valid.
  2. Check that login.cloudi-fi.net is resolved.
  3. Assuming the DNS and IP address function correctly, you still have a captive portal problem.
  4. You must type http://neverssl.com on your browser to apply the redirection on the portal.

Error after authentication on the page

Once connected to the SSID, if you notice a Cloudi-Fi error page instead of your captive portal.

Check if: 

  • The URL transformed at the beginning is not misconfigured, 
  • Radius does not receive requests from Cloudi-Fi.

Check the configuration of the Radius server: 

  • The IP address of RADIUS   RADIUS port (default port 1812)
  • The shared password.

Check the availability of the Radius server: 

  • In the Mikrotik administration interface, click on the RADIUS tab and check that the information is correct.
  • Ping <IP_RADIUS_Server ou FQDN>

Test authentification

To conduct this test, connect to the SSID, then try to authenticate yourself on the captive portal page and check that the authentication process is successful.

 

If you have any questions, don't hesitate to contact us - How to contact your support?