-----
====== Private PSK with data limits ======
===== Introduction =====
* RADIUSdesk includes Fair Usage Policy (FUP) profiles.
* These profiles can be customised to create a very secure, powerful and flexible solution.
* In this example, we will use these FUP profiles to:
* Allow a permanent user a daily data allowance of 1 GB.
* Once that allowance is used up, move the user to a VLAN that carries a throttled captive portal.
* At midnight, move the user back to the original network so that a new daily quota starts.
* See the following figure for more clarity.
{{ :technical:ppsk:privatepsk-datalimit.png |}}
* To get a working setup, we split the work into two parts:
* The RADIUS related things that need to be done in RADIUSdesk.
* The MESHdesk-related things that need to be done in MESHdesk.
* We assume that you have created a new cloud with the setup wizard. Our cloud is called **PPSK Demo**.
----------
===== RADIUS Related (preparation) =====
* The RADIUS-related preparation consists of the following steps:
* Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption.
* Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile.
* Add an entry to the PMKs applet for the SSID that the user will connect to.
* Add the hostapd RADIUS client (this will be waiting under RADIUS Clients -> New Arrivals)
==== Create FUP Profile ====
* Start by creating a new profile. It is created as a Simple Profile, which we then edit and convert into a FUP Profile.
{{ :technical:ppsk:ppsk_demo_1g_daily_add.png |}}
* Select the profile after it has been created and select **FUP Edit** from the Edit drop-down button.
* On the first screen, you can leave the default settings, since hostapd cannot enforce a connection speed limit.
{{ :technical:ppsk:ppsk_demo_1g_daily_fup1.png |}}
* Among the FUP components, add one that triggers when the daily usage exceeds 1 GB of data volume.
* The speed reduction of this component cannot be enforced by hostapd either, but the component can optionally specify a VLAN to assign the user to.
* Here we specify **VLAN 105**, on which the captive portal runs.
* The user is not blocked when the 1 GB limit is reached.
* The system simply disconnects the device from the WiFi network; when the phone or laptop reconnects, it is placed on the other VLAN.
* In our setup, that VLAN carries the captive portal.
{{ :technical:ppsk:ppsk_demo_1g_daily_fup2.png |}}
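The policy the FUP profile expresses (count today's usage, return VLAN 105 once 1 GB is exceeded, start afresh at midnight) written out as a small authorization function. This is an added example, not RADIUSdesk's own code. It assumes that usage is attributed to the local calendar day in which the accounting update was reported, that the realm's timezone is UTC+2, that "1 GB" means 1 GiB, and that the VLAN is returned as the standard RADIUS tunnel attributes (RFC 3580) which hostapd understands; the accounting records and usernames are constructed.

```python
"""Daily-quota VLAN assignment, as an illustration of the FUP component above.
Added example; not RADIUSdesk code. Record layout, timezone and the 1 GiB
reading of "1 GB" are assumptions made for the example."""
from dataclasses import dataclass
from datetime import datetime, date, timedelta, timezone

MIB = 1024 ** 2
DAILY_LIMIT = 1024 * MIB              # the "1 GB" limit of the FUP component
LIMIT_VLAN = 105                      # VLAN carrying the captive portal
REALM_TZ = timezone(timedelta(hours=2))  # assumed realm timezone; midnight is local midnight


@dataclass
class AcctRecord:
    """One accounting update (constructed): session totals as reported by hostapd."""
    username: str
    reported_at: datetime   # timezone-aware
    in_octets: int
    out_octets: int


def usage_for_day(records, username: str, day: date) -> int:
    """Octets the user consumed on the given local calendar day."""
    return sum(r.in_octets + r.out_octets for r in records
               if r.username == username
               and r.reported_at.astimezone(REALM_TZ).date() == day)


def vlan_attributes(vlan_id: int) -> dict:
    """RFC 3580 tunnel attributes: Tunnel-Type=VLAN(13), Medium=IEEE-802(6)."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-Id": str(vlan_id)}


def authorize(records, username: str, now: datetime, default_vlan=None) -> dict:
    """Reply attributes for an authorization at `now`.

    Over the limit -> VLAN 105 (captive portal). Otherwise the user's own
    VLAN if one is configured, else no tunnel attributes at all, which leaves
    the client on the default LAN."""
    today = now.astimezone(REALM_TZ).date()
    if usage_for_day(records, username, today) >= DAILY_LIMIT:
        return vlan_attributes(LIMIT_VLAN)
    if default_vlan is not None:
        return vlan_attributes(default_vlan)
    return {}


def crosses_limit(previous_total: int, new_total: int) -> bool:
    """True when an interim update moves the day's total over the limit.
    That is the moment the active session is terminated so the device
    reconnects and is re-authorized onto VLAN 105."""
    return previous_total < DAILY_LIMIT <= new_total


# Constructed sample accounting data for one user.
SAMPLE_RECORDS = [
    AcctRecord("bessie.smith", datetime(2024, 5, 1, 10, 0, tzinfo=REALM_TZ), 400 * MIB, 200 * MIB),
    AcctRecord("bessie.smith", datetime(2024, 5, 1, 18, 0, tzinfo=REALM_TZ), 450 * MIB, 50 * MIB),
    # Reported 22:30 UTC on 1 May, which is already 00:30 on 2 May in the realm's timezone.
    AcctRecord("bessie.smith", datetime(2024, 5, 1, 22, 30, tzinfo=timezone.utc), 100 * MIB, 0),
]
T_EVENING = datetime(2024, 5, 1, 20, 0, tzinfo=REALM_TZ)        # 1100 MiB used today
T_AFTER_MIDNIGHT = datetime(2024, 5, 2, 0, 45, tzinfo=REALM_TZ)  # new day, 100 MiB used

if __name__ == "__main__":
    print(authorize(SAMPLE_RECORDS, "bessie.smith", T_EVENING))
    print(authorize(SAMPLE_RECORDS, "bessie.smith", T_AFTER_MIDNIGHT))
```

The third record shows why the day boundary must be evaluated in the realm's local time: an update that arrives before midnight UTC can already belong to the next local day, and counting it against the old day would delay the reset by one session.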
==== Add new Permanent User ====
* RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user.
* In our setup we leave the VLAN unset, so the user lands directly on the LAN (default VLAN).
* We do, however, assign the user the PPSK **11223344**.
* A short numeric key like this is fine for a demonstration only: a WPA2 PSK can be attacked offline from a captured handshake, so a real deployment should use a long random passphrase per user.
{{ :technical:ppsk:ppsk_bessie_smith1.png |}}
{{ :technical:ppsk:ppsk_bessie_smith2.png |}}
==== Add SSID to PMK's applet ====
* A dedicated applet pre-computes the PMKs (the key WPA2 derives from each PPSK together with the SSID) so that matching during the handshake is fast.
* Because the SSID is part of that derivation, we need to register the SSID that the users will connect to.
* We add the SSID that the wizard created for the example mesh network (**PPSK Demo Wireless**).
* To open the PMKs applet, go to **RADIUS → Realms** and click the button with the lock icon.
{{ :technical:ppsk:pmk-ssid0.png |}}
* Click on the Add button to add a new SSID
{{ :technical:ppsk:pmk-ssid1.png |}}
* Here you can see the PMKs that were created after you added the SSID.
{{ :technical:ppsk:pmk-ssid2.png |}}
* We keep the list of PMKs small, and thus ensure a quick search and match, by doing the following:
* Pre-calculating the PMKs based on the SSID.
* Assigning the RADIUS client to a single realm.
* The RADIUSdesk code then ensures that each PPSK in the realm is unique, so a matched PMK always identifies exactly one user.
==== Add RADIUS client (for later) ====
* This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.
----------
===== MESHdesk Related =====
* We will change the default PPSK demo mesh network to support Private PSK.
* MQTT is also installed and enabled on our server; it allows RADIUS sessions to be terminated in real time by telling the node to disconnect the device.
==== Change the security of the entry point (SSID) ====
* We change the **PPSK Demo Wireless** Entry Point as follows:
{{ :technical:ppsk:md_ppsk_entry.png |}}
* The entries **Default VLAN**, **Default Key** and **Realm for PPSK** are for information only.
* We will consult them later when we add the RADIUS client (RADIUS part last step).
==== Adding VLANs to the MESH network ====
* We add a number of VLANs (105-106) which will then be available for the exit points.
* They are added under **Node Settings**.
{{ :technical:ppsk:md_ppsk_vlan.png |}}
==== Add VLAN 105 to Captive Portal ====
* The wizard has already created a Captive Portal exit point for us.
* We can simply connect it to VLAN 105.
* This means that both the traffic from the open SSID and the traffic from VLAN 105 will hit the captive portal and a login page will be displayed.
{{ :technical:ppsk:md_ppsk_exit.png |}}
* Now that the mesh network is set up for PPSK, we can start adding nodes to it.
* After we have added a mesh node, we can try to connect to the **PPSK Demo Wireless** SSID with the key **11223344**.
* This attempt fails at first, because the node's hostapd has not yet been added as a RADIUS client; the failed attempt is what makes it show up under New Arrivals in the final step.
----------
===== RADIUS related (final) =====
==== Add RADIUS client ====
* Go to **RADIUS** -> **RADIUS Clients** and click on the **New Arrivals** button (the one with the car icon).
* This should list the hostapd instance of the mesh node you tried to connect through.
{{ :technical:ppsk:radius_arrival.png |}}
* Click the **Attach** button to display the Add window.
{{ :technical:ppsk:radius_attach1.png |}}
* Make sure that you only select the **PPSK Demo** realm.
{{ :technical:ppsk:radius_attach2.png |}}
* After you have attached it, there is one last step and then we are done.
* Edit the RADIUS client and specify **Private PSK** as the type.
{{ :technical:ppsk:radius_edit.png |}}
* Fill in the **Default VLAN**, **Default Key** and **Realm for PPSK** values we recorded when we changed the mesh network entry point (SSID).
* Now everything is ready and we can enjoy the fruits of our labour.
------
===== PPSK client session =====
* If we now reconnect to the PPSK Demo Wireless SSID, the connection should succeed, because the RADIUS configuration is complete.
* Let us take a look at all the places where the session is recorded.
==== RADIUS Clients ====
* The RADIUS Clients applet shows when the client last contacted the server.
* It also shows the public IP address from which the RADIUS client has connected.
{{ :technical:ppsk:radius_client_online.png |}}
* For MESHdesk and APdesk the RADIUS client name follows the convention {m|a}[_hosta_]{Mesh ID/AP Profile ID}[_]{Entry ID/SSID ID}
* We also record additional information from the accounting data sent by hostapd, so that RADIUSdesk knows which AP or mesh node to contact when it needs to disconnect a user from the WiFi.
==== Activity Monitor ====
* Under Activity Monitor you can view active and historical sessions.
* You can also end active sessions.
{{ :technical:ppsk:permanent_session.png |}}
* Here we ended the active session; the user's device then reconnected automatically through another radio (note that the Operator Name value differs).
{{ :technical:ppsk:permanent_session_kick.png |}}
==== Usage graph ====
* We can also look at the user's usage graph.
* Here we can see that the usage is just over 1 GB, the point at which the system disconnected the user's device.
{{ :technical:ppsk:graph.png |}}
==== Life on VLAN 105 ====
* After the user's phone was disconnected from the main network, it reconnected, but this time it was placed on VLAN 105 and met the captive portal.
{{ :technical:ppsk:captive_p.jpeg |}}