Differences
technical:ppsk-meshdesk [2024/04/27 19:07] – system | technical:ppsk-meshdesk [2024/04/28 20:33] (current) – system | ||
Line 8: | Line 8: | ||
===== Introduction ===== | ===== Introduction ===== | ||
* RADIUSdesk includes Fair Usage Policy (FUP) profiles. | * RADIUSdesk includes Fair Usage Policy (FUP) profiles. | ||
- | * These profiles can be tailor made into a very secure, powerful and flexible solution. | + | * These profiles can be customised to create |
- | * In this example we will make use of these FUP profiles to: | + | * In this example, we will use these FUP profiles to: |
- | * Allow a permanent user a daily data usage of 1GB. | + | * Allow a permanent user a daily data usage of 1 GB. |
- | * After this the system will move them to a VLAN with a captive portal that is throttled. | + | * After that, the system will move him to a VLAN with a captive portal that is throttled. |
- | * See the following | + | * At midnight, the system moves the permanent user back to the original network to start a new daily quota. |
+ | * See the following | ||
<panel type=" | <panel type=" | ||
{{ : | {{ : | ||
</ | </ | ||
- | * In order to get a working setup we will split it in two parts | + | * To get a working setup, we will split it into two parts |
- | * The RADIUS related things that has to be done in RADIUSdesk. | + | * The RADIUS related things that need to be done in RADIUSdesk. |
- | * The MESHdesk related things that has to be done in MESHdesk. | + | * The MESHdesk-related things that need to be done in MESHdesk. |
- | * We assume you created a new cloud using the Setup Wizard. Our cloud is called **PPSK Demo**. | + | * We assume |
+ | ---------- | ||
+ | ===== RADIUS Related (preparation) ===== | ||
+ | * The RADIUS-related preparation consists of the following steps: | ||
+ | * Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption. | ||
+ | * Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile. | ||
+ | * Add an entry to the PMKs applet for the SSID that the user will connect to | ||
+ | * Add the hostapd RADIUS client (this will be waiting under RADIUS Clients -> New Arrivals) | ||
+ | ==== Create FUP Profile ==== | ||
+ | * Start by creating a new profile. This will be a Simple Profile which we will edit afterwards to change to a FUP Profile. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * Select the profile after it has been created and select **FUP Edit** from the Edit drop-down button. | ||
+ | * On the first screen, you can leave the default settings as hostapd is not able to limit the user's connection speed. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * Among the FUP components, we will add a component that throttles the speed if the daily usage exceeds 1 GB of data volume. | ||
+ | * Again, this speed reduction cannot be implemented by hostapd, but we can optionally specify a VLAN to assign the user to. | ||
+ | * Here we specify **VLAN 105** on which the captive portal is running. | ||
+ | <alert type=" | ||
+ | * We do not block the user when the 1G data limit is reached. | ||
+ | * The system simply kicks them off the WiFi network, and when their phone or laptop reconnects, it belongs to a different VLAN. | ||
+ | * In our setup, this VLAN will contain a captive portal. | ||
+ | </ | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | ==== Add new Permanent User ==== | ||
+ | * RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user. | ||
+ | * In our setup, we will let the user directly into the LAN (default VLAN). | ||
+ | * However, we will assign it a PPSK (11223344). | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | ==== Add SSID to PMK's applet ==== | ||
+ | * We have a special applet that creates the PMK hashes for fast processing. | ||
+ | * To do this, we need to specify the SSID that the user will connect to. | ||
+ | * We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless) | ||
+ | * To get to the PMKs applet, go to. RADIUS → Realms and click on the button with the lock. | ||
+ | |||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | |||
+ | * Click on the Add button to add a new SSID | ||
+ | |||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | |||
+ | * Here you can see the PMKs that were created after you added the SSID. | ||
+ | |||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | |||
+ | * We keep the list of PMKs small and thus ensure a quick search and matching by doing the following: | ||
+ | * Pre-calculating the PMKs based on the SSID. | ||
+ | * Assigning the RADIUS Client to a single Realm. | ||
+ | * The RADIUSdesk code then ensures that each PPSK key in the realm is unique. | ||
+ | |||
+ | ==== Add RADIUS client (for later) ==== | ||
+ | * This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK. | ||
+ | |||
+ | ---------- | ||
+ | |||
+ | ===== MESHdesk Related ===== | ||
+ | * We will change the default PPSK demo mesh network to support Private PSK. | ||
+ | * MQTT is also installed and implemented on our server, which will enable real-time termination of RADIUS sessions. | ||
+ | |||
+ | ==== Change the security of the entry point (SSID) ==== | ||
+ | * We change the **PPSK Demo Wireless** Entry Point as follows: | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * The entries **Default VLAN**, **Default Key** and **Realm for PPSK** are for information only. | ||
+ | * We will consult them later when we add the RADIUS client (RADIUS part last step). | ||
+ | |||
+ | ==== Adding VLANs to the MESH network ==== | ||
+ | * We add a number of VLANs (105-106) which will then be available for the exit points. | ||
+ | * They are added under **Node Settings**. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | |||
+ | ==== Add VLAN 105 to Captive Portal ==== | ||
+ | * The wizard has already created a Captive Portal exit point for us. | ||
+ | * We can simply connect it to VLAN 105. | ||
+ | * This means that both the traffic from the open SSID and the traffic from VLAN 105 will hit the captive portal and a login page will be displayed. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * Now that the mesh network is all set up for PPSK to work, we can start adding nodes to the mesh network. | ||
+ | * After we have added a mesh node, we can try to connect to the **PPSK Demo Wireless** SSID with the key **11223344** | ||
+ | * This will initially fail as we have not yet performed the final step of adding as a RADIUS client. | ||
+ | |||
+ | ---------- | ||
+ | |||
+ | ===== RADIUS related (final) ===== | ||
+ | ==== Add RADIUS client ==== | ||
+ | * Go to **RADIUS** -> **RADIUS Clients** and click on the **New Arrivals** button (The one with the car icon). | ||
+ | * This should list the hotsapd program' | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * Click the **Attach** button to display the Add window. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * Make sure that you only select the **PPSK Demo** realm. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * After you have attached it, there is one last step and then we are done. | ||
+ | * Edit the RADIUS client and specify **Private PSK** as the type. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * We use the information we recorded when we changed the mesh network entry point (SSID) | ||
+ | * Now everything is ready and we can enjoy the fruits of our labour. | ||
+ | |||
+ | ------ | ||
+ | |||
+ | ===== PPSK client session ===== | ||
+ | * If we try to reconnect to the PPSK Demo Wireless SSID, our connection should work because the RADIUS is now complete. | ||
+ | * Let us take a look at all the places where it is recorded. | ||
+ | |||
+ | ==== RADIUS Clients ==== | ||
+ | * The RADIUS Clients applet shows when the client last contacted the server. | ||
+ | * It also shows the public IP address from which the RADIUS client has connected. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * For MESHdesk and APdesk we use the convention {m|a}[_hosta_]{Mesh ID/AP Profile ID}[_]{Entry ID/SSID ID} | ||
+ | * We also record additional information from the accounting data sent by hostapd so that RADIUSdesk knows which AP or mesh node it needs to contact to disconnect a user from the WiFi. | ||
+ | |||
+ | ==== Activity Monitor ==== | ||
+ | * Under Activity Monitor you can view active and historical sessions. | ||
+ | * You can also end active sessions | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | * Here you can see where we ended the active session and the user's device then automatically switched to another radio. (Note that the value of Operator Name is different) | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | |||
+ | ==== Usage graph ==== | ||
+ | * We can also look at the user's usage graph. | ||
+ | * Here we can see that the usage is just over 1 GB, which means that the system has then disconnected from the user's device. | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
+ | |||
+ | ==== Life on VLAN 105 ==== | ||
+ | * After the user's phone was disconnected from the main network, it was reconnected, | ||
+ | <panel type=" | ||
+ | {{ : | ||
+ | </ | ||
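Review bot: the alert under "Create FUP Profile" ("We do not block the user when the 1G data limit is reached" / "The system simply kicks them off the WiFi network") presents the disconnect as automatic, but the component that makes it real-time, MQTT on the server, is only introduced much later under "MESHdesk Related" ("MQTT is also installed and implemented on our server, which will enable real-time termination of RADIUS sessions"); state that dependency in the alert, because the page itself says the new VLAN only applies "when their phone or laptop reconnects", so without the kick the move waits for the next reassociation. Related to that, the step "Make sure that you only select the **PPSK Demo** realm" gives no reason; a one-line pointer back to the PMK section ("Assigning the RADIUS Client to a single Realm" / "ensures that each PPSK key in the realm is unique") would explain why selecting more than one realm breaks the PMK match. Two smaller points: the example PPSK **11223344** (under "Add new Permanent User" and again when connecting to the SSID) is an eight-digit numeric key, and a sentence recommending a long random PPSK for real deployments would help readers who copy the example; and the new text has typos to fix, "go to. RADIUS → Realms" (stray full stop), "hotsapd" should be "hostapd", and the Introduction alternates between "them" and "him" for the user.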