Mikrotik Hotspot (Basic)
Introduction
With this scenario we assume you have:
- A recent installation of RADIUSdesk which includes Dynamic RADIUS Clients support.
  - We will use our cloud.radiusdesk.com demo server which has an IP Address of 164.160.89.129 in this document.
  - Our cloud.radiusdesk.com demo server has a site wide RADIUS shared secret of testing123.
- A new (or reset to defaults) Mikrotik RouterBOARD 751U which you will set up from scratch.
- You want to run a Captive portal on the Mikrotik's WiFi interface.
Getting started
- To reset the RouterBOARD 751U simply hold the reset button in during start-up until the ACT LED starts flashing. Now release the reset button.
- You should now be able to connect on any of the Ethernet ports 2-5. (Port 1 needs to connect to the Internet).
- If you connect with a machine which has DHCP enabled, you will get a 192.168.88.x IP Address, while the RouterBOARD 751U can be reached at 192.168.88.1.
- The default username is admin with no password.
- Newer versions of ROS insist you set a password.
- If you never had a password on the device, specify the old password as blank text, then enter the new value and confirm it to set the password on the device.
Our approach
We will take the following configuration approach. This approach is very common on the 751U.
- Ethernet port 1 (Marked PoE) will be used to connect the 751U to the Internet. (Typically an LTE router's Ethernet port)
- Ethernet port 1 will be configured to be a DHCP Client.
- Ethernet ports 2-5 will be used as an Ethernet switch which runs a DHCP Server and NATs traffic between Ethernet port 1 and Ethernet ports 2-5.
- The WiFi interface will be used to run the Captive Portal (Hotspot) on.
- This Captive Portal will regulate traffic between the WiFi interface and Ethernet port 1.
Prepare Mikrotik
Captive Portal or Hotspot?
- Mikrotik uses the term Hotspot to refer to a Captive Portal.
- We prefer to use Captive Portal, which is, technically speaking, more correct.
In order to get a Captive Portal up and running on the Mikrotik we will need to configure and confirm the following items. We assume a device reset to factory defaults.
- Set the Mikrotik's identity.
- Confirm the Ethernet-1 port is a DHCP client and did receive a valid IP Address from our DSL router.
- Remove wlan1 WiFi interface from the bridge with the name bridge.
- Add a RADIUS server.
- Configure a Hotspot running on the wlan1 WiFi interface.
  - Configure a DHCP pool that the hotspot will use for assigning IP Addresses.
  - Configure a Profile that makes use of the RADIUS server which we already defined.

Set the Mikrotik's identity
- We will use a geographic naming convention and assume that this Mikrotik is the first one deployed in the city of Johannesburg, Gauteng province, South Africa.
- The system's identity will thus be za-gp-jhb-001.
- Connect to the Mikrotik's web interface and select System → Identity.
- Specify the Identity as za-gp-jhb-001 and click Apply.
Confirm Ethernet-1's status
- Connect to the Mikrotik's web interface and select IP → DHCP Client.
- The ether1-gateway interface should be listed along with its DHCP supplied IP Address.
- If it is not listed, or the interface does not have an IP Address assigned to it, ensure that this is fixed before continuing.
Remove wlan1 from bridge-local
- Connect to the Mikrotik's web interface and select Bridge.
- Select the Ports sub-tab to see the list of ports and to which bridge they are assigned.
- By default ether2-master, wlan1, ether3, ether4 and ether5 will be members of the bridge named bridge.
- Remove wlan1 from the list of ports.
- To remove the interface click on the - button. The D button will simply disable it.
Add a RADIUS server
- Mikrotik allows you to define zero or more RADIUS servers. The Mikrotik will in turn become a client to these pre-defined servers.
- Connect to the Mikrotik's web interface and select Radius.
- Click the Add new button to add a RADIUS server.
  - Select the Hotspot service.
  - Specify the IP Address of the RADIUSdesk server running FreeRADIUS. (We use 164.160.89.129)
  - Specify the shared secret. (We use testing123)
  - Since our server is somewhere out on the Internet, we increase the timeout to 5000ms.
  - Leave Accounting Backup unchecked.
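
A quick check of the steps above against an exported configuration, as an added example that is not part of the original page or of RADIUSdesk: it parses text in the layout of RouterOS `/export` and reports whether wlan1 is still a bridge port, whether a hotspot RADIUS server is defined, and whether that server still carries the demo shared secret. The sample export is constructed, and the function names, the one-command-per-line layout and the presence of the `secret` field in the export are assumptions.

```python
import shlex

# Constructed sample in the layout of RouterOS `/export` output (not from a real device).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether2-master
add bridge=bridge interface=wlan1
/radius
add address=164.160.89.129 secret=testing123 service=hotspot timeout=5s
/system identity
set name=za-gp-jhb-001
"""

def parse_export(text):
    """Return (menu, properties) for every add/set line of an export."""
    entries, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the export's comment header
        if line.startswith("/"):
            menu = line  # menu path applies to the commands that follow
            continue
        words = shlex.split(line)  # honours quoted values such as comments
        entries.append((menu, dict(w.split("=", 1) for w in words[1:] if "=" in w)))
    return entries

def audit(text, demo_secret="testing123"):
    """List deviations from the setup described on this page."""
    entries = parse_export(text)
    findings = []
    if any(m == "/interface bridge port" and p.get("interface") == "wlan1"
           for m, p in entries):
        findings.append("wlan1 is still a bridge port")
    hotspot = [p for m, p in entries
               if m == "/radius" and "hotspot" in p.get("service", "").split(",")]
    if not hotspot:
        findings.append("no RADIUS server with service=hotspot")
    for p in hotspot:
        if p.get("secret") == demo_secret:
            findings.append(f"RADIUS {p.get('address')} uses the demo shared secret")
        if p.get("accounting-backup") == "yes":
            findings.append(f"RADIUS {p.get('address')} has accounting backup enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

The demo-secret finding is there for devices that are later pointed at a RADIUS server other than the demo one, where the shared secret should no longer be testing123.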
 
