Sign up a new Access Provider

This page can be used as a reference when you sign up new clients to RADIUSdesk Hosted or that will be using a RADIUSdesk server which is deployed somewhere on the Internet.

• You've suggested to your local shopping mall to use MESHdesk as a wireless solution and subsequently deployed a WiFi mesh which covers all the shops including the parking area.
• They are very happy with the fact that there is now blanket WiFi coverage in all the shops.
• One of the shops is a coffee shop called Funky Bean There.
• Funky Bean There wants to draw more customers and approached you to incorporate them into the mesh.
• Funky Bean There wants to give anyone a daily limit of 500Mb data for free.

The following sections will stipulate how to go about in order to add Funky Bean There to your server in such a way that they will have their own isolated playpen. We will:

• Add their owner as an Access Provider.
• Log in as their owner and complete the rest of the set-up.

• Log into RADIUSdesk with the root user.
• Select Menu → Realms & Providers → Access Providers
• Add a new Access Provider by providing the required and optional detail.

• You can now log out as root and log in as the newly created Access Provider.
• Now you need to:
  • Create a Realm called Funky Bean There including the upload of their logo
  • Create a Profile with it's Profile components to allow a daily usage of 500Mb.
  • Create a Click-To-Connect user with the 500Mb profile as its profile.
  • Add the NAS device.
  • Create a Dynamic Login Page for Funky Bean There and upload the logo and graphics for the slideshow.

• Click on Menu → Realms & Providers → Realms to open the Realm management applet.

• Click on the plus sign in the toolbar and add the new realm.
• Also be sure to upload a logo for the realm

Next we will tackle the Profile

• Go Menu → Profiles → Profiles to open the Profile management applet.
• There will most probably already be a list of available profiles which is selectable but not editable since you are logged in as an Access Provider who do not own them.
• Add your own new profile and make it NOT available to sub-providers.
• We will call it Funky_Free.
• For now we just create it and will not attach any profile components to this profile (we will create them just now)

• Go Menu → Profiles → Profile Components to open the Profile Component management applet.
• We will create two Profile Components.
  • One to control the bandwidth of each connection.
  • One to control the daily usage.
• To control the bandwidth we create a Profile Component called BW-512Kb with the following:

• To control usage that will reset daily and limit data to 500M we create a Profile Component called Data-500M with the following:

• Go back to Profile manager applet and select the the Funky_Free profile then click on the edit button in the toolbar.
• Select the Add component action and then select a Profile component (The BW-512Kb and Data-500M Profile Components) from the list along with a Priority.
• The default Priority of 100 for both should be fine since these two profile components do not have attributes in common which my cause contention.

Next we will create a Permanent User that will be used for the Click-to-Connect user

• Go Menu → Permanent Users → Permanent Users to open the Permanent Users management applet.
• Create a permanent user called click_to_connect@fbt-01.
• Give it the password of click_to_connect
• Select the Funky Been There Realm and the Funky_Free Profile.
• Also ensure that the Cap type for Data says on Hard.
• After you created this user, run a Test RADIUS on him (Under Extra actions) to ensure you get the following reply attributes:
  • ChilliSpot-Max-Total-Octets = 500000000
  • Mikrotik-Total-Limit = 500000000
  • WISPr-Bandwidth-Max-Up = 512000
  • WISPr-Bandwidth-Max-Down = 512000
• This shows the counter is alive and well.

• You may wonder why we call the Click-to-Connect user click_to_connect@fbt-01.
• The name can be broken up in two parts.
• The first part is everything before the @.
• The last part is everything after the @.
• The user's password has to be the same as the first part e.g. click_to_connect.
• The second part will be automatically added by the login pages when the user clicks the Click-to-connect button and is determined by a the configuration of the Dynamic login pages.

Time to tackle the last bit which is the NAS device and Dynamic login pages and see how it all comes together.

• Click on Menu → NAS devices → NAS devices to open the NAS devices management applet.
• Since the Coova Chilli captive portal used by Funky Bean There comes from an unknown IP Address we will add a NAS device with connection type Dynamic client.
• We will use the value of nasid specified in the Coova Chilli set-up to uniquely identify the incoming connection.
• We assume that it was specified as fbt-01 (Short for Funky Been There - 01). The value of nasid will then be used by Coova-Chilli in the RADIUS requests which it sends out to the RADIUS server in the form of the NAS-Identifier attribute.
• After you selected Dynamic client you can specify Unique AVP combination as NAS-Identifier and the value fbt-01 in the Dynamic AVP detail sub-tab.
• On the NAS sub-tab you can specify the Name also as fbt-01 (It is a good convention to keep them the same) along with a shared secret. This shared secret is the same as the one defined in the Coova Chilli configuration.
• The realms should only show the Funky Been There realm.

• After you added the device; be sure to edit it again and ensure that the NAS → Optional info sub-tab also have the NAS-Identifier specified as fbt-01.
• Save you work and wait at least 10 minutes to allow the cron job to restart the FreeRADIUS server in order for this device to be added.

#Every 10 minutes to keep it stable
*/10 * * * * www-data /var/www/cake2/rd_cake/Console/cake -app /var/www/cake2/rd_cake Freeradius >> /dev/null 2>&1

Now that we have the NAS device added to RADIUSdesk; we can do the Dynamic Login page

• Click on Menu → Dynamic login pages to open the Dynamic login pages management applet.

• Click on the plus sign in the toolbar and add the new Dynamic login page.
• Add your own new Dynamic login page and make it NOT available to sub-providers.
• After you added the Dynamic Login page you can further edit it by uploading photos for the slideshow.

• If you have an older install of RADIUSdesk be sure to check and add the following rights.
• This is a once-off action that is required.
• Log in as root.
• Click on Menu → Tools → Rights manager to open the Rights manager applet.
• On the first tab (Access Control Objects) select: Access Control Objects (ACOs) → Access Providers → Controllers → DynamicDetails
• Then Add the following:
  • edit_settings
  • edit_click_to_connect
• On the second tab (Access Provider Rights) select: Default Access Provider rights → Controllers → DynamicDetails
• Then Allow the following (the newly added rights):
  • edit_settings
  • edit_click_to_connect
• As we stated at the beginning, this is a once-off addition that will enable the Access Providers to utilize the enhancements to the Dynamic login pages.

• We use the Dynamic keys to determine which Dynamic login page to serve.
• The Dynamic keys is simply one of the items in the query string of the login page (the one which you decided) that will be used to connect the captive portal with a pre-defined Dynamic login page.
• We will use nasid.
• With our captive portal setup we will have a login page that contains ….&nasid=fbt-01&…..
• Add this → Name = nasid; Value = fbt-01 and Priority =1.

• This tab specifies things such as:
  • A URL containing T&C's and whether to force it.
  • Slideshow option for the photos
  • Redirect once authenticated

• This is another tab we are interested in.
• Select the Enable option to activate it.
• Then specify the Connect as as click_to_connect (in other words, the first part of the name you given the permanent Click-to-Connect user we created earlier.)
• Add suffix of we will specify as nasid. This will result that the Click-to-Connect button will build a username of click_to_connect@fbt-01 which in turn must correspond to the Click-to-Connect user we defined earlier. (Remember the URL contains …&nasid=fbt-01&….)

• You also have the option to only offer a Click-to-Connect system.

This brings us to the end of all the preparation. Time for testing