Private PSK with data limits
Introduction
- RADIUSdesk includes Fair Usage Policy (FUP) profiles.
- These profiles can be tailor made into a very secure, powerful and flexible solution.
- In this example we will make use of these FUP profiles to:
- Allow a permanent user a daily data usage of 1GB.
- After this the system will move them to a VLAN with a captive portal that is throttled.
- See the following illustration for more clarity.
- In order to get a working setup we will split it into two parts:
- The RADIUS-related tasks that have to be done in RADIUSdesk.
- The MESHdesk-related tasks that have to be done in MESHdesk.
- We assume you created a new cloud using the Setup Wizard. Our cloud is called PPSK Demo.
RADIUS Related (Prep)
- The RADIUS related prep will consist of the following:
- Create a FUP profile that will cause the user to be moved to VLAN 105 (the VLAN we will run our Captive Portal on) after 1GB of data usage.
- Create a permanent user with a unique Private PSK who will be assigned to the limited FUP profile.
- Add an entry to the PMKs Applet for the SSID that the user will connect to.
- Add the hostapd RADIUS client (this will be waiting under RADIUS Clients → New Arrivals)
Create FUP Profile
- Start by creating a new profile. This will be a Simple Profile which we will edit afterwards to change to a FUP Profile.
- Select the profile after it was created and on the edit drop-down button, select FUP Edit.
- On the first screen you can leave the defaults, since hostapd is not capable of limiting the connection speed of the user.
- Under the FUP components we will add a component that will reduce the speed when the daily usage exceeds 1GB of data.
- Again, this speed reduction cannot be implemented by hostapd; however, we can optionally specify a VLAN to which the user should be assigned.
- This is where we specify VLAN 105, on which the Captive Portal is running.
- We are not blocking the user when the 1G data has been reached.
- The system will simply be kicking them off from the WiFi network and when their phone or laptop reconnects it will be part of a different VLAN.
- In our setup this VLAN will feature a Captive Portal.
Add new Permanent User
- RADIUSdesk allows a Permanent User to be assigned an optional PPSK and VLAN.
- In our setup, we will allow the user straight onto the LAN (Default VLAN).
- We will however assign a PPSK to her (11223344).
Add SSID to PMKs Applet
- We have a dedicated applet that will create the PMK hashes for fast processing.
- This requires that we specify the SSID to which the user will connect.
- We will add the SSID which the wizard created on the sample mesh network (PPSK Demo Wireless).
- To get to the PMKs Applet, go to RADIUS → Realms and click on the button with the lock.
- Click on the Add button to add a new SSID.
- Here you can see the PMKs that have been generated after you added the SSID.
- We keep the list of PMKs small and thus ensure a speedy lookup and match action by the following:
- Pre-calculating the PMKs based on the SSID.
- Assigning the RADIUS Client to a single Realm.
- The RADIUSdesk code then ensures each PPSK key is unique in the realm.
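The pre-calculation described above, sketched as an added example (not RADIUSdesk's own code). It assumes the standard WPA2-Personal derivation, in which the PMK is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID; the function names, user names and the second key are constructed for illustration.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_pmk_table(realm_users: dict, ssids: list) -> dict:
    """Precompute {ssid: {pmk: username}} for the users of ONE realm.

    The key is the only thing that identifies a user at association time,
    so a PPSK shared by two users in the realm is rejected up front.
    """
    owner = {}
    for user, ppsk in realm_users.items():
        if ppsk in owner:
            raise ValueError(f"PPSK reused by {owner[ppsk]!r} and {user!r}")
        owner[ppsk] = user
    # The SSID is the salt, so every SSID needs its own set of PMKs.
    return {
        ssid: {wpa2_pmk(ppsk, ssid): user for ppsk, user in owner.items()}
        for ssid in ssids
    }


def lookup(table: dict, ssid: str, pmk: bytes):
    """Constant-cost match of a PMK to its user; None when nothing matches."""
    return table.get(ssid, {}).get(pmk)


# Constructed sample data: the first key is the one used on this page,
# the user names and the second key are made up.
REALM_USERS = {"alice@ppsk-demo": "11223344", "bob@ppsk-demo": "55667788"}
TABLE = build_pmk_table(REALM_USERS, ["PPSK Demo Wireless"])

if __name__ == "__main__":
    for pmk, user in TABLE["PPSK Demo Wireless"].items():
        print(user, pmk.hex())
```

Because each PMK costs 4096 HMAC rounds, deriving it once when the SSID is added keeps that work out of the authentication path, and restricting the RADIUS client to one realm bounds the number of candidates to that realm's users.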
Add RADIUS Client (For Later)
- This final part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.
MESHdesk Related
- We will modify the default PPSK Demo mesh network to support Private PSK.
- Our server also has MQTT installed and implemented which will allow real time disconnection of RADIUS users.
Change Entry Point (SSID) security
- We modify the PPSK Demo Wireless Entry point to the following:
- The items Default VLAN, Default Key and Realm For PPSK are only for info recording.
- We will consult them later when we add the RADIUS Client (RADIUS part final step).
Add VLANs to MESH network
- We include a range of VLANs (105-106) which will then be available to add to the exit points.
- They are added under Node Settings.
Add VLAN 105 to Captive Portal
- The wizard already created a Captive Portal exit point for us.
- We can simply connect it to VLAN 105.
- This means that traffic from the open SSID as well as traffic from VLAN 105 will hit the Captive Portal and be presented with a login page.
- Everything is now in place on the mesh network for the PPSK to work and we can start to add nodes to the mesh network.
- After we have added a mesh node we can try to connect to the PPSK Demo Wireless SSID with the key of 11223344.
- It will fail at first since we have not yet done the final step, which is to add it as a RADIUS client.
RADIUS Related (Final)
Add RADIUS Client
- Go to RADIUS → RADIUS Clients and click on the New Arrivals button (The one with the car icon).
- This should list the hostapd program's info from the mesh node to which you tried to connect.
- Click on the Attach button to show the Add Window.
- Make sure you select only the PPSK Demo realm.
- After you attached it, there is one last bit and then we're done.
- Edit the RADIUS Client and specify the type as Private PSK.
- We use the info we recorded when we modified the mesh network entry point (SSID)
- Everything is now complete and in place for us to enjoy the fruit of our labour.
PPSK client session
- When we try to connect again to the PPSK Demo Wireless SSID, our connection should go through since the RADIUS has now been taken care of.
- Let's see all the places where it is recorded.