HotSpot User AAA
Document revision: 2.3 (Tue Sep 27 14:30:17 GMT 2005)
Applies to: V2.9
General Information
Summary
This document provides information on authentication, authorization and accounting parameters and configuration for HotSpot gateway system.
Specifications
Packages required: system
License required: Level1
Submenu level: /ip hotspot user
Standards and Technologies: RADIUS
Hardware usage: Local traffic accounting requires additional memory
Related Documents
Description
HotSpot User Profiles
Submenu level: /ip hotspot user profile
Description
HotSpot User profiles are used for common user settings. Profiles are like user groups: they group users that share the same limits.
Property Description
address-pool (name | none; default: none) - the IP pool name which the users will be given IP addresses from. This works like the dhcp-pool method in earlier versions of MikroTik RouterOS, except that it does not use DHCP, but rather the embedded one-to-one NAT
always - open http status page in case of mac login as well
Notes
When idle-timeout or keepalive is reached, session-time for that user is reduced by the actual period of inactivity in order to prevent the user from being overcharged.
Example
HotSpot Users
Submenu level: /ip hotspot user
Property Description
address (IP address; default: 0.0.0.0) - static IP address. If not 0.0.0.0, the client will always get the same IP address. It implies that only one simultaneous login for that user is allowed. Any existing address will be replaced with this one using the embedded one-to-one NAT
bytes-in (read-only: integer) - total amount of bytes received from the user
bytes-out (read-only: integer) - total amount of bytes sent to the user
limit-bytes-in (integer; default: 0) - maximum amount of bytes the user can transmit (i.e., bytes received from the user)
Notes
In case of the mac authentication method, clients' MAC addresses can be used as usernames (without a password)
The byte limits are total limits for each user (not for each session as at /ip hotspot active). So, if a user has already downloaded something, the session limit will show the total limit minus what has already been downloaded. For example, if the download limit for a user is 100MB and the user has already downloaded 30MB, then the session download limit after login at /ip hotspot active will be 100MB - 30MB = 70MB.
Should a user reach his/her limits (bytes-in >= limit-bytes-in or bytes-out >= limit-bytes-out), he/she will not be able to log in anymore.
If a user is authenticated via the local user database, the statistics are updated each time he/she logs out. It means that if a user is currently logged in, the statistics will not show the current total values. Use the /ip hotspot active submenu to view the statistics on the current user sessions.
If the user has IP address specified, only one simultaneous login is allowed. If the same credentials are used again when the user is still active, the active one will be automatically logged off.
Example
To add user ex with password ex that is allowed to log in only with 01:23:45:67:89:AB MAC address and is limited to 1 hour of work:
[admin@MikroTik] ip hotspot user> add name=ex password=ex \
\... mac-address=01:23:45:67:89:AB limit-uptime=1h
[admin@MikroTik] ip hotspot user> print
Flags: X - disabled
 #   SERVER   NAME   ADDRESS   PROFILE   UPTIME
 0            ex               default   00:00:00
[admin@MikroTik] ip hotspot user> print detail
Flags: X - disabled
 0   name="ex" password="ex" mac-address=01:23:45:67:89:AB profile=default
     limit-uptime=01:00:00 uptime=00:00:00 bytes-in=0 bytes-out=0
     packets-in=0 packets-out=0
[admin@MikroTik] ip hotspot user>
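The Notes above define how the per-user byte limits are applied: the session limit is the total limit minus the bytes already used, a user at or above either limit can no longer log in, and a static address pins the user to one session. The following added example (not part of the original manual) parses constructed "print detail" output of the shape shown above and derives those values per user; the sample records, the helper names and the assumption that a limit of 0 means "no limit" are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of "/ip hotspot user print detail" output
# (made up for this example, not captured from a router). "ex" mirrors the
# page's example user; "alice" has used 30 MB of a 100 MB inbound limit and
# all of a 50 MB outbound limit.
SAMPLE_PRINT_DETAIL = """Flags: X - disabled
 0   name="ex" password="ex" mac-address=01:23:45:67:89:AB profile=default
     limit-uptime=01:00:00 uptime=00:00:00 bytes-in=0 bytes-out=0
     packets-in=0 packets-out=0
 1   name="alice" address=10.0.0.50 profile=default limit-bytes-in=104857600
     limit-bytes-out=52428800 bytes-in=31457280 bytes-out=52428800
     packets-in=0 packets-out=0
"""

_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_print_detail(text: str) -> List[Dict[str, str]]:
    """One key/value dict per record: a record starts at a line whose first
    token is the item number; indented lines after it are continuations."""
    records: List[str] = []
    for line in text.splitlines():
        if re.match(r'\s*\d+\s', line):          # new numbered item
            records.append(line)
        elif records and line.startswith(' '):   # wrapped continuation
            records[-1] += ' ' + line
    return [{k: v.strip('"') for k, v in _KV.findall(r)} for r in records]


def remaining(limit: int, used: int) -> Optional[int]:
    """Session limit = total limit minus bytes already used (per the Notes).
    Assumption (not stated on the page): a limit of 0 means no limit."""
    return None if limit == 0 else max(limit - used, 0)


def user_status(rec: Dict[str, str]) -> Dict[str, object]:
    lim_in, lim_out = int(rec.get("limit-bytes-in", 0)), int(rec.get("limit-bytes-out", 0))
    used_in, used_out = int(rec.get("bytes-in", 0)), int(rec.get("bytes-out", 0))
    # bytes-in >= limit-bytes-in or bytes-out >= limit-bytes-out blocks login
    reached = (lim_in and used_in >= lim_in) or (lim_out and used_out >= lim_out)
    return {
        "name": rec["name"],
        "session-limit-in": remaining(lim_in, used_in),
        "session-limit-out": remaining(lim_out, used_out),
        "can-login": not reached,
        # a static address (not 0.0.0.0) allows only one simultaneous login
        "single-login": rec.get("address", "0.0.0.0") != "0.0.0.0",
    }


def audit(text: str) -> Dict[str, Dict[str, object]]:
    return {s["name"]: s for s in map(user_status, parse_print_detail(text))}
```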
HotSpot Active Users
Submenu level: /ip hotspot active
Description
The active user list shows the currently logged in users. Nothing can be changed here, except that a user can be logged out with the remove command.
Property Description
address (read-only: IP address) - IP address of the user
blocked (read-only: flag) - whether the user is blocked by advertisement (i.e., a due advertisement is pending)
bytes-in (read-only: integer) - how many bytes the router received from the client
bytes-out (read-only: integer) - how many bytes the router sent to the client
domain (read-only: text) - domain of the user (if split from username)
idle-time (read-only: time) - the amount of time the user has been idle
idle-timeout (read-only: time) - the exact value of idle-timeout that applies to this user. This property shows how long the user should stay idle for it to be logged off automatically
keepalive-timeout (read-only: time) - the exact value of keepalive-timeout that applies to this user. This property shows how long the user's computer should stay out of reach for it to be logged off automatically
limit-bytes-in (read-only: integer) - maximal amount of bytes the user is allowed to send to the router
limit-bytes-out (read-only: integer) - maximal amount of bytes the router is allowed to send to the client
login-by (multiple choice, read-only: cookie | http-chap | http-pap | https | mac | trial) - authentication method used by the user
mac-address (read-only: MAC address) - actual MAC address of the user
packets-in (read-only: integer) - how many packets the router received from the client
packets-out (read-only: integer) - how many packets the router sent to the client
radius (read-only: yes | no) - whether the user was authenticated via RADIUS
server (read-only: name) - the particular server the user is logged on at
session-time-left (read-only: time) - the exact value of session-time-left that applies to this user. This property shows how long the user should stay logged in (see uptime) for it to be logged off automatically
uptime (read-only: time) - current session time of the user (i.e., how long the user has been logged in)
user (read-only: name) - name of the user
Example
To get the list of active users:
[admin@MikroTik] ip hotspot active> print
Flags: R - radius, B - blocked
 #   USER   ADDRESS      UPTIME   SESSION-TIMEOUT   IDLE-TIMEOUT
 0   ex     10.0.0.144   4m17s    55m43s
[admin@MikroTik] ip hotspot active>