Private PSK with data limits

This is an old revision of the document!

RADIUSdesk includes Fair Usage Policy (FUP) profiles.
These profiles can be tailor made into a very secure, powerful and flexible solution.
In this example we will make use of these FUP profiles to:
- Allow a permanent user a daily data usage of 1GB.
- After this the system will move them to a VLAN with a captive portal that is throttled.
See the following illustration for more clarity.

In order to get a working setup we will split it in two parts
- The RADIUS related things that has to be done in RADIUSdesk.
- The MESHdesk related things that has to be done in MESHdesk.
We assume you created a new cloud using the Setup Wizard. Our cloud is called PPSK Demo.

The RADIUS related prep will consist of the following:
- Create a FUP profile that will cause the user to be moved the VLAN 105 (The VLAN we will run our Captive Portal on) after 1GB of data usage.
- Create a permanent user with a unique Private PSK and who will be assigned to the limited FUP profile.
- Add an entry for the SSID that the user will connect to to the PMKs Applet.
- Add the hostapd RADIUS client (this will be waiting under RADIUS Clients → New Arrivals)

Start by creating a new profile. This will be a Simple Profile which we will edit afterwards to change to a FUP Profile.

Select the profile after it was created and on the edit drop-down button, select FUP Edit.
The first screen you can leave the defaults since hostapd is not capable of limiting the connection speed of the user.

Under the FUP components we will add a component that will reduce the speed when the daily usage exceeds 1GB of data.
Again this speed reduction can not be implemented by hostapd, however we can optionally specify a VLAN which the user should be assinged to.
This is where we specify VLAN 105 where the Captive Portal is running on.

We are not blocking the user when the 1G data has been reached.
The system will simply be kicking them off from the WiFi network and when their phone or laptop reconnects it will be part of a different VLAN.
In our setup this VLAN will feature a Captive Portal.

We have dedicated applet that will create the PMK hashes for fast processing.
This requires that we specify the SSID to which the user will connect to.
We will add the SSID which the wizard created on the the sample mesh network. (PPSK Demo Wireless)
To get to the PMKs Applet, go to. RADIUS → Realms and click on the button with the lock.

We keep the list of PMKs small and thus ensure a speedy lookup and match action by the following:
- Pre-calculating the PMKs based on the SSID.
- Assigning the RADIUS Client to a single Realm.
- The RADIUSdesk code then ensures each PPSK key is unique in the realm.

This final part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.

We will modify the default PPSK Demo mesh network to support Private PSK.
Our server also has MQTT installed and implemented which will allow real time disconnection of RADIUS users.

The items Default VLAN, Default Key and Realm For PPSK are only for info recording.
We will consult them later when we add the RADIUS Client (RADIUS part final step).

We include a range of VLANs (105-106) which will then be available to add to the exit points.
They are added under Node Settings.

The wizard already created and Captive Portal exit point for us.
We can simply connect it to VLAN 105.
This means that traffic from the open SSID as well as traffic from VLAN 105 will hit the Captive Portal and be presented with a login page.

Everything is now in place on the mesh network for the PPSK to work and we can start to add nodes to the mesh network.
After we added a mesh nodes we can try to connect to the PPSK Demo Wireless SSID with the key of 11223344
If will fail first since we have not yet did the final step which is to add it as a RADIUS client.

Introduction