Differences



technical:ppsk-meshdesk [2024/04/27 20:49] system
technical:ppsk-meshdesk [2024/04/28 20:33] (current) system
Line 8: Line 8:
 ===== Introduction ===== ===== Introduction =====
   * RADIUSdesk includes Fair Usage Policy (FUP) profiles.   * RADIUSdesk includes Fair Usage Policy (FUP) profiles.
-  * These profiles can be tailor made into a very secure, powerful and flexible solution. +  * These profiles can be customised to create a very secure, powerful and flexible solution. 
-  * In this example we will make use of these FUP profiles to: +  * In this examplewe will use these FUP profiles to: 
-        * Allow a permanent user a daily data usage of 1GB+        * Allow a permanent user a daily data usage of 1 GB
-        * After this the system will move them to a VLAN with a captive portal that is throttled. +        * After that, the system will move him to a VLAN with a captive portal that is throttled
-  * See the following illustration for more clarity.+        * At midnight, the system moves the permanent user back to the original network to start a new daily quota
 +  * See the following figure for more clarity.
  
 <panel type="info" title="Private PSK with data limits"> <panel type="info" title="Private PSK with data limits">
 {{ :technical:ppsk:privatepsk-datalimit.png |}} {{ :technical:ppsk:privatepsk-datalimit.png |}}
 </panel> </panel>
-  * In order to get a working setup we will split it in two parts +  * To get a working setupwe will split it into two parts 
-    * The RADIUS related things that has to be done in RADIUSdesk. +    * The RADIUS related things that need to be done in RADIUSdesk. 
-    * The MESHdesk related things that has to be done in MESHdesk. +    * The MESHdesk-related things that need to be done in MESHdesk. 
-  * We assume you created a new cloud using the Setup Wizard. Our cloud is called **PPSK Demo**.+  * We assume that you have created a new cloud with the setup wizard. Our cloud is called **PPSK Demo**.
  
 ---------- ----------
  
-===== RADIUS Related ===== +===== RADIUS Related (preparation) ===== 
-  * The RADIUS related prep will consist of the following: +  * The RADIUS-related preparation consists of the following steps
-    * Create FUP profile that will cause the user to be moved the VLAN 105 (The VLAN we will run our Captive Portal on) after 1GB of data usage+    * Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption
-    * Create a permanent user with a unique Private PSK and who will be assigned to the limited FUP profile. +    * Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile. 
-    * Add an entry for the SSID that the user will connect to to the PMKs Applet.+    * Add an entry to the PMKs applet for the SSID that the user will connect to
     * Add the hostapd RADIUS client (this will be waiting under RADIUS Clients -> New Arrivals)     * Add the hostapd RADIUS client (this will be waiting under RADIUS Clients -> New Arrivals)
 ==== Create FUP Profile ==== ==== Create FUP Profile ====
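Review bot: two of the revised bullets in this hunk have lost the space after the comma: "In this examplewe will use these FUP profiles to:" and "To get a working setupwe will split it into two parts" should read "In this example, we will use ..." and "To get a working setup, we will split ...". The new bullet "After that, the system will move him to a VLAN" also changes the user's pronoun, while the alert further down in the same revision still says "kicks them off"; keeping "move them" (as in the old text) keeps the page consistent.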
Line 35: Line 36:
 {{ :technical:ppsk:ppsk_demo_1g_daily_add.png |}} {{ :technical:ppsk:ppsk_demo_1g_daily_add.png |}}
 </panel> </panel>
-  * Select the profile after it was created and on the edit drop-down button, select **FUP Edit**. +  * Select the profile after it has been created and select **FUP Edit** from the Edit drop-down button
-  * The first screen you can leave the defaults since hostapd is not capable of limiting the connection speed of the user.+  * On the first screenyou can leave the default settings as hostapd is not able to limit the user'connection speed.
 <panel type="primary"> <panel type="primary">
 {{ :technical:ppsk:ppsk_demo_1g_daily_fup1.png |}} {{ :technical:ppsk:ppsk_demo_1g_daily_fup1.png |}}
 </panel> </panel>
-  * Under the FUP components we will add a component that will reduce the speed when the daily usage exceeds 1GB of data. +  * Among the FUP componentswe will add a component that throttles the speed if the daily usage exceeds 1 GB of data volume
-  * Again this speed reduction can not be implemented by hostapd, however we can optionally specify a VLAN which the user should be assinged to. +  * Againthis speed reduction cannot be implemented by hostapd, but we can optionally specify a VLAN to assign the user to. 
-  * This is where we specify **VLAN 105** where the Captive Portal is running on.+  * Here we specify **VLAN 105** on which the captive portal is running.
 <alert type="success"> <alert type="success">
-  * We are not blocking the user when the 1G data has been reached.  +  * We do not block the user when the 1G data limit is reached. 
-  * The system will simply be kicking them off from the WiFi network and when their phone or laptop reconnects it will be part of a different VLAN. +  * The system simply kicks them off the WiFi networkand when their phone or laptop reconnectsit belongs to a different VLAN. 
-  * In our setup this VLAN will feature Captive Portal.+  * In our setupthis VLAN will contain captive portal.
 </alert> </alert>
 <panel type="primary"> <panel type="primary">
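Review bot: several new lines in this hunk dropped a space or a letter: "On the first screenyou", "user'connection", "Among the FUP componentswe", "Againthis", "WiFi networkand", "reconnectsit" and "In our setupthis VLAN will contain captive portal" (the last one is also missing "a" before "captive portal"). The alert uses "1G data limit" where the rest of the revision writes "1 GB"; suggest the same unit throughout. Since the alert's "simply kicks them off" is what actually enforces the VLAN move, a pointer to the MESHdesk section's remark that MQTT enables real-time termination of RADIUS sessions would make clear what the move depends on.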
Line 52: Line 53:
 </panel> </panel>
 ==== Add new Permanent User ==== ==== Add new Permanent User ====
-  * RADIUSdesk allows a Permanent User to be assigned an optional PPSK and VLAN. +  * RADIUSdesk makes it possible to assign an optional PPSK and VLAN to a permanent user
-  * In our setup, we will allow the user straight onto the LAN (Default VLAN). +  * In our setup, we will let the user directly into the LAN (default VLAN). 
-  * We will however assign a PPSK to her (11223344).+  *  However, we will assign it a PPSK (11223344).
 <panel type="primary"> <panel type="primary">
 {{ :technical:ppsk:ppsk_bessie_smith1.png |}} {{ :technical:ppsk:ppsk_bessie_smith1.png |}}
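Review bot: "However, we will assign it a PPSK (11223344)." replaces "her" with "it", which now reads as if the PPSK is assigned to the default VLAN rather than to the user; suggest "assign this user a PPSK". The bullet also starts with a doubled space after "*". Worth stating that 11223344 is a demo value only: the scheme described on this page rests on each user's private PSK being unique in the realm and not guessable, so a real deployment should give each user a long random key.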
Line 61: Line 62:
 {{ :technical:ppsk:ppsk_bessie_smith2.png |}} {{ :technical:ppsk:ppsk_bessie_smith2.png |}}
 </panel> </panel>
-==== Add SSID to PMKs Applet ==== +==== Add SSID to PMK's applet ==== 
-  * We have dedicated applet that will create the PMK hashes for fast processing. +  * We have a special applet that creates the PMK hashes for fast processing. 
-  * This requires that we specify the SSID to which the user will connect to. +  * To do this, we need to specify the SSID that the user will connect to. 
-  * We will add the SSID which the wizard created on the the sample mesh network. (PPSK Demo Wireless) +  * We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless) 
-  * To get to the PMKs Applet, go to. RADIUS -> Realms and click on the button with the lock.+  * To get to the PMKs applet, go to. RADIUS → Realms and click on the button with the lock.
  
 <panel type="primary"> <panel type="primary">
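Review bot: the new heading "Add SSID to PMK's applet" introduces a possessive apostrophe while the body of the same hunk still says "PMKs applet" and the preparation list says "PMKs Applet"; keep "PMKs Applet". "go to. RADIUS → Realms" has a stray full stop after "to", and the arrow style (→) differs from the "->" used in "RADIUS Clients -> New Arrivals" and in the later "RADIUS -> RADIUS Clients"; suggest "go to RADIUS -> Realms and click on the button with the lock."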
Line 77: Line 78:
 </panel> </panel>
  
-  * Here you can see the PMKs that has been generated after you added the SSID.+  * Here you can see the PMKs that were created after you added the SSID.
  
 <panel type="primary"> <panel type="primary">
Line 83: Line 84:
 </panel>  </panel> 
  
-  * We keep the list of PMKs small and thus ensure a speedy lookup and match action by the following:+  * We keep the list of PMKs small and thus ensure a quick search and matching by doing the following:
     * Pre-calculating the PMKs based on the SSID.     * Pre-calculating the PMKs based on the SSID.
     * Assigning the RADIUS Client to a single Realm.      * Assigning the RADIUS Client to a single Realm. 
-    * The RADIUSdesk code then ensures each PPSK key is unique in the realm.+    * The RADIUSdesk code then ensures that each PPSK key in the realm is unique.
    
 +==== Add RADIUS client (for later) ====
 +  * This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.
  
 +----------
  
 +===== MESHdesk Related =====
 +  * We will change the default PPSK demo mesh network to support Private PSK.
 +  *  MQTT is also installed and implemented on our server, which will enable real-time termination of RADIUS sessions.
 +
 +==== Change the security of the entry point (SSID) ====
 +  * We change the **PPSK Demo Wireless** Entry Point as follows:
 +<panel type="primary">
 +{{ :technical:ppsk:md_ppsk_entry.png |}}
 +</panel>
 +  * The entries **Default VLAN**, **Default Key** and **Realm for PPSK** are for information only.
 +  * We will consult them later when we add the RADIUS client (RADIUS part last step).
 +
 +==== Adding VLANs to the MESH network ==== 
 +  * We add a number of VLANs (105-106) which will then be available for the exit points.
 +  * They are added under **Node Settings**.
 +<panel type="primary">
 +{{ :technical:ppsk:md_ppsk_vlan.png |}}
 +</panel> 
 +
 +==== Add VLAN 105 to Captive Portal ====  
 +  * The wizard has already created a Captive Portal exit point for us. 
 +  * We can simply connect it to VLAN 105.
 +  * This means that both the traffic from the open SSID and the traffic from VLAN 105 will hit the captive portal and a login page will be displayed.
 +<panel type="primary">
 +{{ :technical:ppsk:md_ppsk_exit.png |}}
 +</panel>
 +  * Now that  the mesh network is all set up for PPSK to work, we can start adding nodes to the mesh network.
 +  * After we have added a mesh node, we can try to connect to the **PPSK Demo Wireless** SSID with the key **11223344**
 +  * This will initially fail as we have not yet performed the final step of adding as a RADIUS client.
 +
 +----------
 +
 +===== RADIUS related (final) =====
 +==== Add RADIUS client ====
 +  * Go to **RADIUS** -> **RADIUS Clients** and click on the **New Arrivals** button (The one with the car icon).
 +  * This should list the hotsapd program's info from the Mesh node you have tried to connect to.
 +<panel type="primary">
 +{{ :technical:ppsk:radius_arrival.png |}}
 +</panel>
 +  * Click the **Attach** button to display the Add window.
 +<panel type="primary">
 +{{ :technical:ppsk:radius_attach1.png |}}
 +</panel>
 +  * Make sure that you only select the **PPSK Demo** realm.
 +<panel type="primary">
 +{{ :technical:ppsk:radius_attach2.png |}}
 +</panel>
 +  * After you have attached it, there is one last step and then we are done.
 +  * Edit the RADIUS client and specify **Private PSK** as the type.
 +<panel type="primary">
 +{{ :technical:ppsk:radius_edit.png |}}
 +</panel>
 +  * We use the information we recorded when we changed the mesh network entry point (SSID)
 +  * Now everything is ready and we can enjoy the fruits of our labour.
 +
 +------
 +
 +===== PPSK client session =====
 +  * If we try to reconnect to the PPSK Demo Wireless SSID, our connection should work because the RADIUS is now complete.
 +  * Let us take a look at all the places where it is recorded.
 +
 +==== RADIUS Clients ====
 +  * The RADIUS Clients applet shows when the client last contacted the server.
 +  * It also shows the public IP address from which the RADIUS client has connected.
 +<panel type="primary">
 +{{ :technical:ppsk:radius_client_online.png |}}
 +</panel>
 +  * For MESHdesk and APdesk we use the convention {m|a}[_hosta_]{Mesh ID/AP Profile ID}[_]{Entry ID/SSID ID}
 +  * We also record additional information from the accounting data sent by hostapd so that RADIUSdesk knows which AP or mesh node it needs to contact to disconnect a user from the WiFi.
 +
 +==== Activity Monitor ====
 +  * Under Activity Monitor you can view active and historical sessions.
 +  * You can also end active sessions
 +<panel type="primary">
 +{{ :technical:ppsk:permanent_session.png |}}
 +</panel>
 +  * Here you can see where we ended the active session and the user's device then automatically switched to another radio. (Note that the value of Operator Name is different)
 +<panel type="primary">
 +{{ :technical:ppsk:permanent_session_kick.png |}}
 +</panel>
 +
 +==== Usage graph ====
 +  * We can also look at the user's usage graph.
 +  * Here we can see that the usage is just over 1 GB, which means that the system has then disconnected from the user's device.
 +<panel type="primary">
 +{{ :technical:ppsk:graph.png |}}
 +</panel>
 +
 +==== Life on VLAN 105 ====
 +  * After the user's phone was disconnected from the main network, it was reconnected, but this time it was moved to VLAN 105, the captive portal.
 +<panel type="primary">
 +{{ :technical:ppsk:captive_p.jpeg |}}
 +</panel>
  
  
  
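Review bot: "hotsapd" in "This should list the hotsapd program's info" should be "hostapd"; "the final step of adding as a RADIUS client" is missing "it"; "We use the information we recorded when we changed the mesh network entry point (SSID)" lacks its full stop; and "the system has then disconnected from the user's device" should read "the system has then disconnected the user's device". On content: "We add a number of VLANs (105-106)" introduces VLAN 106, but only VLAN 105 is used anywhere afterwards, so either say what 106 is for or add only 105. "Make sure that you only select the PPSK Demo realm" would be clearer with a reference back to the PMKs section, which explains that assigning the RADIUS client to a single realm is what keeps the PMK lookup small. The naming convention {m|a}[_hosta_]{Mesh ID/AP Profile ID}[_]{Entry ID/SSID ID} would benefit from one concrete resulting name, since this is the identifier operators will see in the RADIUS Clients applet.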
  • technical/ppsk-meshdesk.1714243755.txt.gz
  • Last modified: 2024/04/27 20:49
  • by system