Differences

This shows you the differences between two versions of the page.

--- technical:ppsk-meshdesk [2024/04/27 20:49] – system
+++ technical:ppsk-meshdesk [2024/04/28 20:33] (current) – system
@@ Line 8: / Line 8: @@
 ===== Introduction =====
   * RADIUSdesk includes Fair Usage Policy (FUP) profiles.
-  * These profiles can be tailor made into a very secure, powerful and flexible solution.
+  * These profiles can be customised to create a very secure, powerful and flexible solution.
-  * In this example we will make use of these FUP profiles to:
+  * In this example, we will use these FUP profiles to:
-        * Allow a permanent user a daily data usage of 1GB.
+        * Allow a permanent user a daily data usage of 1 GB.
-        * After this the system will move them to a VLAN with a captive portal that is throttled.
+        * After that, the system will move him to a VLAN with a captive portal that is throttled.
-  * See the following illustration for more clarity.
+        * At midnight, the system moves the permanent user back to the original network to start a new daily quota.
+  * See the following figure for more clarity.
 <panel type="info" title="Private PSK with data limits">
 {{ :technical:ppsk:privatepsk-datalimit.png |}}
 </panel>
-  * In order to get a working setup we will split it in two parts
+  * To get a working setup, we will split it into two parts
-    * The RADIUS related things that has to be done in RADIUSdesk.
+    * The RADIUS related things that need to be done in RADIUSdesk.
-    * The MESHdesk related things that has to be done in MESHdesk.
+    * The MESHdesk-related things that need to be done in MESHdesk.
-  * We assume you created a new cloud using the Setup Wizard. Our cloud is called **PPSK Demo**.
+  * We assume that you have created a new cloud with the setup wizard. Our cloud is called **PPSK Demo**.
 ----------
-===== RADIUS Related =====
+===== RADIUS Related (preparation) =====
-  * The RADIUS related prep will consist of the following:
+  * The RADIUS-related preparation consists of the following steps:
-    * Create a FUP profile that will cause the user to be moved the VLAN 105 (The VLAN we will run our Captive Portal on) after 1GB of data usage.
+    * Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption.
-    * Create a permanent user with a unique Private PSK and who will be assigned to the limited FUP profile.
+    * Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile.
-    * Add an entry for the SSID that the user will connect to to the PMKs Applet.
+    * Add an entry to the PMKs applet for the SSID that the user will connect to
     * Add the hostapd RADIUS client (this will be waiting under RADIUS Clients -> New Arrivals)
 ==== Create FUP Profile ====
@@ Line 35: / Line 36: @@
 {{ :technical:ppsk:ppsk_demo_1g_daily_add.png |}}
 </panel>
-  * Select the profile after it was created and on the edit drop-down button, select **FUP Edit**.
+  * Select the profile after it has been created and select **FUP Edit** from the Edit drop-down button.
-  * The first screen you can leave the defaults since hostapd is not capable of limiting the connection speed of the user.
+  * On the first screen, you can leave the default settings as hostapd is not able to limit the user's connection speed.
 <panel type="primary">
 {{ :technical:ppsk:ppsk_demo_1g_daily_fup1.png |}}
 </panel>
-  * Under the FUP components we will add a component that will reduce the speed when the daily usage exceeds 1GB of data.
+  * Among the FUP components, we will add a component that throttles the speed if the daily usage exceeds 1 GB of data volume.
-  * Again this speed reduction can not be implemented by hostapd, however we can optionally specify a VLAN which the user should be assinged to.
+  * Again, this speed reduction cannot be implemented by hostapd, but we can optionally specify a VLAN to assign the user to.
-  * This is where we specify **VLAN 105** where the Captive Portal is running on.
+  * Here we specify **VLAN 105** on which the captive portal is running.
 <alert type="success">
-  * We are not blocking the user when the 1G data has been reached.
+  * We do not block the user when the 1G data limit is reached.
-  * The system will simply be kicking them off from the WiFi network and when their phone or laptop reconnects it will be part of a different VLAN.
+  * The system simply kicks them off the WiFi network, and when their phone or laptop reconnects, it belongs to a different VLAN.
-  * In our setup this VLAN will feature a Captive Portal.
+  * In our setup, this VLAN will contain a captive portal.
 </alert>
 <panel type="primary">
@@ Line 52: / Line 53: @@
 </panel>
 ==== Add new Permanent User ====
-  * RADIUSdesk allows a Permanent User to be assigned an optional PPSK and VLAN.
+  * RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user.
-  * In our setup, we will allow the user straight onto the LAN (Default VLAN).
+  * In our setup, we will let the user directly into the LAN (default VLAN).
-  * We will however assign a PPSK to her (11223344).
+  *  However, we will assign it a PPSK (11223344).
 <panel type="primary">
 {{ :technical:ppsk:ppsk_bessie_smith1.png |}}
@@ Line 61: / Line 62: @@
 {{ :technical:ppsk:ppsk_bessie_smith2.png |}}
 </panel>
-==== Add SSID to PMKs Applet ====
+==== Add SSID to PMK's applet ====
-  * We have dedicated applet that will create the PMK hashes for fast processing.
+  * We have a special applet that creates the PMK hashes for fast processing.
-  * This requires that we specify the SSID to which the user will connect to.
+  * To do this, we need to specify the SSID that the user will connect to.
-  * We will add the SSID which the wizard created on the the sample mesh network. (PPSK Demo Wireless)
+  * We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless)
-  * To get to the PMKs Applet, go to. RADIUS -> Realms and click on the button with the lock.
+  * To get to the PMKs applet, go to. RADIUS → Realms and click on the button with the lock.
 <panel type="primary">
@@ Line 77: / Line 78: @@
 </panel>
-  * Here you can see the PMKs that has been generated after you added the SSID.
+  * Here you can see the PMKs that were created after you added the SSID.
 <panel type="primary">
@@ Line 83: / Line 84: @@
 </panel>
-  * We keep the list of PMKs small and thus ensure a speedy lookup and match action by the following:
+  * We keep the list of PMKs small and thus ensure a quick search and matching by doing the following:
     * Pre-calculating the PMKs based on the SSID.
     * Assigning the RADIUS Client to a single Realm.
-    * The RADIUSdesk code then ensures each PPSK key is unique in the realm.
+    * The RADIUSdesk code then ensures that each PPSK key in the realm is unique.
+==== Add RADIUS client (for later) ====
+  * This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.
+----------
+===== MESHdesk Related =====
+  * We will change the default PPSK demo mesh network to support Private PSK.
+  *  MQTT is also installed and implemented on our server, which will enable real-time termination of RADIUS sessions.
+==== Change the security of the entry point (SSID) ====
+  * We change the **PPSK Demo Wireless** Entry Point as follows:
+<panel type="primary">
+{{ :technical:ppsk:md_ppsk_entry.png |}}
+</panel>
+  * The entries **Default VLAN**, **Default Key** and **Realm for PPSK** are for information only.
+  * We will consult them later when we add the RADIUS client (RADIUS part last step).
+==== Adding VLANs to the MESH network ====
+  * We add a number of VLANs (105-106) which will then be available for the exit points.
+  * They are added under **Node Settings**.
+<panel type="primary">
+{{ :technical:ppsk:md_ppsk_vlan.png |}}
+</panel>
+==== Add VLAN 105 to Captive Portal ====
+  * The wizard has already created a Captive Portal exit point for us.
+  * We can simply connect it to VLAN 105.
+  * This means that both the traffic from the open SSID and the traffic from VLAN 105 will hit the captive portal and a login page will be displayed.
+<panel type="primary">
+{{ :technical:ppsk:md_ppsk_exit.png |}}
+</panel>
+  * Now that  the mesh network is all set up for PPSK to work, we can start adding nodes to the mesh network.
+  * After we have added a mesh node, we can try to connect to the **PPSK Demo Wireless** SSID with the key **11223344**
+  * This will initially fail as we have not yet performed the final step of adding as a RADIUS client.
+----------
+===== RADIUS related (final) =====
+==== Add RADIUS client ====
+  * Go to **RADIUS** -> **RADIUS Clients** and click on the **New Arrivals** button (The one with the car icon).
+  * This should list the hotsapd program's info from the Mesh node you have tried to connect to.
+<panel type="primary">
+{{ :technical:ppsk:radius_arrival.png |}}
+</panel>
+  * Click the **Attach** button to display the Add window.
+<panel type="primary">
+{{ :technical:ppsk:radius_attach1.png |}}
+</panel>
+  * Make sure that you only select the **PPSK Demo** realm.
+<panel type="primary">
+{{ :technical:ppsk:radius_attach2.png |}}
+</panel>
+  * After you have attached it, there is one last step and then we are done.
+  * Edit the RADIUS client and specify **Private PSK** as the type.
+<panel type="primary">
+{{ :technical:ppsk:radius_edit.png |}}
+</panel>
+  * We use the information we recorded when we changed the mesh network entry point (SSID)
+  * Now everything is ready and we can enjoy the fruits of our labour.
+------
+===== PPSK client session =====
+  * If we try to reconnect to the PPSK Demo Wireless SSID, our connection should work because the RADIUS is now complete.
+  * Let us take a look at all the places where it is recorded.
+==== RADIUS Clients ====
+  * The RADIUS Clients applet shows when the client last contacted the server.
+  * It also shows the public IP address from which the RADIUS client has connected.
+<panel type="primary">
+{{ :technical:ppsk:radius_client_online.png |}}
+</panel>
+  * For MESHdesk and APdesk we use the convention {m|a}[_hosta_]{Mesh ID/AP Profile ID}[_]{Entry ID/SSID ID}
+  * We also record additional information from the accounting data sent by hostapd so that RADIUSdesk knows which AP or mesh node it needs to contact to disconnect a user from the WiFi.
+==== Activity Monitor ====
+  * Under Activity Monitor you can view active and historical sessions.
+  * You can also end active sessions
+<panel type="primary">
+{{ :technical:ppsk:permanent_session.png |}}
+</panel>
+  * Here you can see where we ended the active session and the user's device then automatically switched to another radio. (Note that the value of Operator Name is different)
+<panel type="primary">
+{{ :technical:ppsk:permanent_session_kick.png |}}
+</panel>
+==== Usage graph ====
+  * We can also look at the user's usage graph.
+  * Here we can see that the usage is just over 1 GB, which means that the system has then disconnected from the user's device.
+<panel type="primary">
+{{ :technical:ppsk:graph.png |}}
+</panel>
+==== Life on VLAN 105 ====
+  * After the user's phone was disconnected from the main network, it was reconnected, but this time it was moved to VLAN 105, the captive portal.
+<panel type="primary">
+{{ :technical:ppsk:captive_p.jpeg |}}
+</panel>