----- ====== Private PSK with data limits ====== ===== Introduction ===== * RADIUSdesk includes Fair Usage Policy (FUP) profiles. * These profiles can be customised to create a very secure, powerful and flexible solution. * In this example, we will use these FUP profiles to: * Allow a permanent user a daily data usage of 1 GB. * After that, the system will move him to a VLAN with a captive portal that is throttled. * At midnight, the system moves the permanent user back to the original network to start a new daily quota. * See the following figure for more clarity. {{ :technical:ppsk:privatepsk-datalimit.png |}} * To get a working setup, we will split it into two parts * The RADIUS related things that need to be done in RADIUSdesk. * The MESHdesk-related things that need to be done in MESHdesk. * We assume that you have created a new cloud with the setup wizard. Our cloud is called **PPSK Demo**. ---------- ===== RADIUS Related (preparation) ===== * The RADIUS-related preparation consists of the following steps: * Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption. * Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile. * Add an entry to the PMKs applet for the SSID that the user will connect to * Add the hostapd RADIUS client (this will be waiting under RADIUS Clients -> New Arrivals) ==== Create FUP Profile ==== * Start by creating a new profile. This will be a Simple Profile which we will edit afterwards to change to a FUP Profile. {{ :technical:ppsk:ppsk_demo_1g_daily_add.png |}} * Select the profile after it has been created and select **FUP Edit** from the Edit drop-down button. * On the first screen, you can leave the default settings as hostapd is not able to limit the user's connection speed. {{ :technical:ppsk:ppsk_demo_1g_daily_fup1.png |}} * Among the FUP components, we will add a component that throttles the speed if the daily usage exceeds 1 GB of data volume. * Again, this speed reduction cannot be implemented by hostapd, but we can optionally specify a VLAN to assign the user to. * Here we specify **VLAN 105** on which the captive portal is running. * We do not block the user when the 1G data limit is reached. * The system simply kicks them off the WiFi network, and when their phone or laptop reconnects, it belongs to a different VLAN. * In our setup, this VLAN will contain a captive portal. {{ :technical:ppsk:ppsk_demo_1g_daily_fup2.png |}} ==== Add new Permanent User ==== * RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user. * In our setup, we will let the user directly into the LAN (default VLAN). * However, we will assign it a PPSK (11223344). {{ :technical:ppsk:ppsk_bessie_smith1.png |}} {{ :technical:ppsk:ppsk_bessie_smith2.png |}} ==== Add SSID to PMK's applet ==== * We have a special applet that creates the PMK hashes for fast processing. * To do this, we need to specify the SSID that the user will connect to. * We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless) * To get to the PMKs applet, go to. RADIUS → Realms and click on the button with the lock. {{ :technical:ppsk:pmk-ssid0.png |}} * Click on the Add button to add a new SSID {{ :technical:ppsk:pmk-ssid1.png |}} * Here you can see the PMKs that were created after you added the SSID. {{ :technical:ppsk:pmk-ssid2.png |}} * We keep the list of PMKs small and thus ensure a quick search and matching by doing the following: * Pre-calculating the PMKs based on the SSID. * Assigning the RADIUS Client to a single Realm. * The RADIUSdesk code then ensures that each PPSK key in the realm is unique. ==== Add RADIUS client (for later) ==== * This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK. ---------- ===== MESHdesk Related ===== * We will change the default PPSK demo mesh network to support Private PSK. * MQTT is also installed and implemented on our server, which will enable real-time termination of RADIUS sessions. ==== Change the security of the entry point (SSID) ==== * We change the **PPSK Demo Wireless** Entry Point as follows: {{ :technical:ppsk:md_ppsk_entry.png |}} * The entries **Default VLAN**, **Default Key** and **Realm for PPSK** are for information only. * We will consult them later when we add the RADIUS client (RADIUS part last step). ==== Adding VLANs to the MESH network ==== * We add a number of VLANs (105-106) which will then be available for the exit points. * They are added under **Node Settings**. {{ :technical:ppsk:md_ppsk_vlan.png |}} ==== Add VLAN 105 to Captive Portal ==== * The wizard has already created a Captive Portal exit point for us. * We can simply connect it to VLAN 105. * This means that both the traffic from the open SSID and the traffic from VLAN 105 will hit the captive portal and a login page will be displayed. {{ :technical:ppsk:md_ppsk_exit.png |}} * Now that the mesh network is all set up for PPSK to work, we can start adding nodes to the mesh network. * After we have added a mesh node, we can try to connect to the **PPSK Demo Wireless** SSID with the key **11223344** * This will initially fail as we have not yet performed the final step of adding as a RADIUS client. ---------- ===== RADIUS related (final) ===== ==== Add RADIUS client ==== * Go to **RADIUS** -> **RADIUS Clients** and click on the **New Arrivals** button (The one with the car icon). * This should list the hotsapd program's info from the Mesh node you have tried to connect to. {{ :technical:ppsk:radius_arrival.png |}} * Click the **Attach** button to display the Add window. {{ :technical:ppsk:radius_attach1.png |}} * Make sure that you only select the **PPSK Demo** realm. {{ :technical:ppsk:radius_attach2.png |}} * After you have attached it, there is one last step and then we are done. * Edit the RADIUS client and specify **Private PSK** as the type. {{ :technical:ppsk:radius_edit.png |}} * We use the information we recorded when we changed the mesh network entry point (SSID) * Now everything is ready and we can enjoy the fruits of our labour. ------ ===== PPSK client session ===== * If we try to reconnect to the PPSK Demo Wireless SSID, our connection should work because the RADIUS is now complete. * Let us take a look at all the places where it is recorded. ==== RADIUS Clients ==== * The RADIUS Clients applet shows when the client last contacted the server. * It also shows the public IP address from which the RADIUS client has connected. {{ :technical:ppsk:radius_client_online.png |}} * For MESHdesk and APdesk we use the convention {m|a}[_hosta_]{Mesh ID/AP Profile ID}[_]{Entry ID/SSID ID} * We also record additional information from the accounting data sent by hostapd so that RADIUSdesk knows which AP or mesh node it needs to contact to disconnect a user from the WiFi. ==== Activity Monitor ==== * Under Activity Monitor you can view active and historical sessions. * You can also end active sessions {{ :technical:ppsk:permanent_session.png |}} * Here you can see where we ended the active session and the user's device then automatically switched to another radio. (Note that the value of Operator Name is different) {{ :technical:ppsk:permanent_session_kick.png |}} ==== Usage graph ==== * We can also look at the user's usage graph. * Here we can see that the usage is just over 1 GB, which means that the system has then disconnected from the user's device. {{ :technical:ppsk:graph.png |}} ==== Life on VLAN 105 ==== * After the user's phone was disconnected from the main network, it was reconnected, but this time it was moved to VLAN 105, the captive portal. {{ :technical:ppsk:captive_p.jpeg |}}