Private PSK with data limits
Introduction
- RADIUSdesk includes Fair Usage Policy (FUP) profiles.
- These profiles can be customised to create a very secure, powerful and flexible solution.
- In this example, we will use these FUP profiles to:
  - Allow a permanent user a daily data usage of 1 GB.
  - After that, the system will move them to a VLAN with a captive portal that is throttled.
  - At midnight, the system moves the permanent user back to the original network to start a new daily quota.
- See the following figure for more clarity.
- To get a working setup, we will split it into two parts:
  - The RADIUS-related things that need to be done in RADIUSdesk.
  - The MESHdesk-related things that need to be done in MESHdesk.
- We assume that you have created a new cloud with the setup wizard. Our cloud is called PPSK Demo.
RADIUS Related (preparation)
- The RADIUS-related preparation consists of the following steps:
  - Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption.
  - Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile.
  - Add an entry to the PMKs applet for the SSID that the user will connect to.
  - Add the hostapd RADIUS client (this will be waiting under RADIUS Clients → New Arrivals).
Create FUP Profile
- Start by creating a new profile. This will be a Simple Profile which we will edit afterwards to change to a FUP Profile.
- Select the profile after it has been created and select FUP Edit from the Edit drop-down button.
- On the first screen, you can leave the default settings as hostapd is not able to limit the user's connection speed.
- Among the FUP components, we will add a component that throttles the speed if the daily usage exceeds 1 GB of data volume.
- Again, this speed reduction cannot be implemented by hostapd, but we can optionally specify a VLAN to assign the user to.
- Here we specify VLAN 105 on which the captive portal is running.
- We do not block the user when the 1G data limit is reached.
- The system simply kicks them off the WiFi network, and when their phone or laptop reconnects, it belongs to a different VLAN.
- In our setup, this VLAN will contain a captive portal.
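The following is an added example, not RADIUSdesk's own code, that models the FUP decision described in this section: a daily total is summed from accounting records, the target VLAN flips to 105 once the total reaches 1 GB, a disconnect is needed whenever the VLAN the device is on differs from the one it should be on (both the move to the portal VLAN and the move back after midnight), and the VLAN is expressed as the standard RFC 3580 tunnel attributes. The record layout, user names, the 1 GB threshold written as 10**9 bytes and the use of the local calendar day as the quota window are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed example (not RADIUSdesk's own code). Names, the decimal 1 GB
# threshold and the calendar-day quota window are assumptions.

DAILY_QUOTA_BYTES = 10**9          # "1 GB per day" from the FUP profile
DEFAULT_VLAN = "default"           # the LAN the permanent user normally lands in
PORTAL_VLAN = "105"                # throttled captive-portal VLAN from this page


@dataclass(frozen=True)
class AcctRecord:
    """One RADIUS accounting update (Interim-Update or Stop) for a user."""
    username: str
    timestamp: datetime      # local time of the accounting packet
    input_octets: int        # Acct-Input-Octets
    output_octets: int       # Acct-Output-Octets


def daily_usage(records, username, day):
    """Bytes consumed by `username` on calendar day `day` (sum of in + out)."""
    return sum(
        r.input_octets + r.output_octets
        for r in records
        if r.username == username and r.timestamp.date() == day
    )


def vlan_reply_attributes(vlan):
    """RFC 3580 attributes that tell hostapd which VLAN the station belongs to."""
    if vlan == DEFAULT_VLAN:
        return {}                          # no tunnel attributes: stay on the default LAN
    return {
        "Tunnel-Type": "VLAN",             # value 13
        "Tunnel-Medium-Type": "IEEE-802",  # value 6
        "Tunnel-Private-Group-Id": vlan,
    }


def fup_decision(records, username, now, current_vlan):
    """Decide where the user belongs right now and whether to kick the session.

    The user is never blocked: once the daily total reaches the quota the
    target VLAN becomes the captive-portal VLAN, and a disconnect is needed so
    the device re-associates and picks up that VLAN. After midnight the daily
    total is zero again, the target returns to the default VLAN, and a second
    disconnect moves the device back.
    """
    used = daily_usage(records, username, now.date())
    target_vlan = PORTAL_VLAN if used >= DAILY_QUOTA_BYTES else DEFAULT_VLAN
    return {
        "used_bytes": used,
        "target_vlan": target_vlan,
        "disconnect": current_vlan != target_vlan,
        "reply_attributes": vlan_reply_attributes(target_vlan),
    }


# Constructed accounting data: alice crosses 1 GB on 1 March, bob stays small.
SAMPLE_RECORDS = [
    AcctRecord("alice", datetime(2024, 3, 1, 9, 0), 300_000_000, 100_000_000),
    AcctRecord("alice", datetime(2024, 3, 1, 14, 0), 400_000_000, 150_000_000),
    AcctRecord("alice", datetime(2024, 3, 1, 22, 30), 50_000_000, 20_000_000),
    AcctRecord("bob", datetime(2024, 3, 1, 10, 0), 5_000_000, 1_000_000),
]
EVENING = datetime(2024, 3, 1, 23, 0)        # alice is over quota by now
AFTER_MIDNIGHT = datetime(2024, 3, 2, 0, 5)  # new day, new quota

if __name__ == "__main__":
    print(fup_decision(SAMPLE_RECORDS, "alice", EVENING, DEFAULT_VLAN))
    print(fup_decision(SAMPLE_RECORDS, "alice", AFTER_MIDNIGHT, PORTAL_VLAN))
    print(fup_decision(SAMPLE_RECORDS, "bob", EVENING, DEFAULT_VLAN))
```

Note that summing per calendar day means a session that straddles midnight has its interim updates counted on whichever day each update arrived; a production implementation would also have to decide how to attribute the octets of the final Stop record.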
Add new Permanent User
- RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user.
- In our setup, we will let the user directly into the LAN (default VLAN).
- However, we will assign it a PPSK (11223344).
Add SSID to PMK's applet
- We have a special applet that creates the PMK hashes for fast processing.
- To do this, we need to specify the SSID that the user will connect to.
- We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless)
- To get to the PMKs applet, go to RADIUS → Realms and click on the button with the lock.
- Click on the Add button to add a new SSID.
- Here you can see the PMKs that were created after you added the SSID.
- We keep the list of PMKs small and thus ensure a quick search and matching by doing the following:
  - Pre-calculating the PMKs based on the SSID.
  - Assigning the RADIUS Client to a single Realm.
  - The RADIUSdesk code then ensures that each PPSK key in the realm is unique.
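To show what the PMKs applet is pre-calculating, here is an added example (not RADIUSdesk's code): for WPA2-Personal the PMK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256 bits, so the same private PSK yields a different PMK on every SSID, which is why an SSID has to be registered before the PMKs can be computed. The small per-realm table, the uniqueness check on the private PSK and the user names are assumptions for the illustration; the derivation itself is the IEEE 802.11 one.

```python
import hashlib
import hmac

# Added example (not RADIUSdesk's own code). The PBKDF2 derivation is the
# IEEE 802.11 passphrase-to-PSK mapping; the table layout, realm/user names
# and the uniqueness rule are assumptions for illustration.


def pmk_from_passphrase(passphrase, ssid):
    """Derive the 32-byte PMK for a WPA2-PSK passphrase on a given SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class RealmPmkTable:
    """Pre-computed PMKs for one realm, keyed by SSID.

    Keeping one table per realm and per SSID keeps the search small: a
    RADIUS client attached to a single realm only ever has to be matched
    against that realm's PMKs.
    """

    def __init__(self, realm):
        self.realm = realm
        self._by_ssid = {}   # ssid -> {pmk_bytes: username}
        self._keys = {}      # username -> passphrase, needed to add SSIDs later

    def add_user(self, username, passphrase):
        """Register a private PSK; a passphrase already used in this realm is rejected."""
        if passphrase in self._keys.values():
            raise ValueError(f"PPSK already in use in realm {self.realm!r}")
        self._keys[username] = passphrase
        for ssid, table in self._by_ssid.items():
            table[pmk_from_passphrase(passphrase, ssid)] = username

    def add_ssid(self, ssid):
        """Pre-calculate PMKs for every user on a newly added SSID."""
        self._by_ssid[ssid] = {
            pmk_from_passphrase(p, ssid): u for u, p in self._keys.items()
        }

    def match(self, ssid, candidate_pmk):
        """Return the user owning candidate_pmk on ssid, or None (constant-time compare)."""
        for pmk, user in self._by_ssid.get(ssid, {}).items():
            if hmac.compare_digest(pmk, candidate_pmk):
                return user
        return None


def build_demo_realm():
    """Constructed realm matching this page: one user with PPSK 11223344."""
    realm = RealmPmkTable("PPSK Demo")
    realm.add_user("demo-user", "11223344")      # user name is an assumption
    realm.add_ssid("PPSK Demo Wireless")
    return realm


if __name__ == "__main__":
    realm = build_demo_realm()
    candidate = pmk_from_passphrase("11223344", "PPSK Demo Wireless")
    print(candidate.hex())
    print(realm.match("PPSK Demo Wireless", candidate))
```

The `match` method illustrates the lookup cost: every candidate is compared, so the fewer PMKs a realm holds, the cheaper each association is to resolve, which is the reason the page recommends a single realm per RADIUS client.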
Add RADIUS client (for later)
- This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.
MESHdesk Related
- We will change the default PPSK demo mesh network to support Private PSK.
- MQTT is also installed and implemented on our server, which will enable real-time termination of RADIUS sessions.
Change the security of the entry point (SSID)
- We change the PPSK Demo Wireless Entry Point as follows:
- The entries Default VLAN, Default Key and Realm for PPSK are for information only.
- We will consult them later when we add the RADIUS client (RADIUS part last step).
Adding VLANs to the MESH network
- We add a number of VLANs (105-106) which will then be available for the exit points.
- They are added under Node Settings.
Add VLAN 105 to Captive Portal
- The wizard has already created a Captive Portal exit point for us.
- We can simply connect it to VLAN 105.
- This means that both the traffic from the open SSID and the traffic from VLAN 105 will hit the captive portal and a login page will be displayed.
- Now that the mesh network is all set up for PPSK to work, we can start adding nodes to the mesh network.
- After we have added a mesh node, we can try to connect to the PPSK Demo Wireless SSID with the key 11223344.
- This will initially fail as we have not yet performed the final step of adding it as a RADIUS client.
RADIUS related (final)
Add RADIUS client
- Go to RADIUS → RADIUS Clients and click on the New Arrivals button (The one with the car icon).
- This should list the hostapd program's info from the Mesh node you have tried to connect to.
- Click the Attach button to display the Add window.
- Make sure that you only select the PPSK Demo realm.
- After you have attached it, there is one last step and then we are done.
- Edit the RADIUS client and specify Private PSK as the type.
- We use the information we recorded when we changed the mesh network entry point (SSID).
- Now everything is ready and we can enjoy the fruits of our labour.
PPSK client session
- If we try to reconnect to the PPSK Demo Wireless SSID, our connection should work because the RADIUS is now complete.
- Let us take a look at all the places where it is recorded.
RADIUS Clients
- The RADIUS Clients applet shows when the client last contacted the server.
- It also shows the public IP address from which the RADIUS client has connected.
- For MESHdesk and APdesk we use the convention {m|a}[_hosta_]{Mesh ID/AP Profile ID}[_]{Entry ID/SSID ID}
- We also record additional information from the accounting data sent by hostapd so that RADIUSdesk knows which AP or mesh node it needs to contact to disconnect a user from the WiFi.
Activity Monitor
- Under Activity Monitor you can view active and historical sessions.
- You can also end active sessions.
- Here you can see where we ended the active session and the user's device then automatically switched to another radio. (Note that the value of Operator Name is different)
Usage graph
- We can also look at the user's usage graph.
- Here we can see that the usage is just over 1 GB, which means that the system has disconnected the user's device at that point.