Private PSK with data limits
Introduction
- RADIUSdesk includes Fair Usage Policy (FUP) profiles.
- These profiles can be customised to create a very secure, powerful and flexible solution.
- In this example, we will use these FUP profiles to:
- Allow a permanent user a daily data usage of 1 GB.
- After that, the system will move him to a VLAN with a captive portal that is throttled.
- At midnight, the system moves the permanent user back to the original network to start a new daily quota.
- See the following figure for more clarity.
- To get a working setup, we will split it into two parts:
- The RADIUS related things that need to be done in RADIUSdesk.
- The MESHdesk-related things that need to be done in MESHdesk.
- We assume that you have created a new cloud with the setup wizard. Our cloud is called PPSK Demo.
RADIUS Related (preparation)
- The RADIUS-related preparation consists of the following steps:
- Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption.
- Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile.
- Add an entry to the PMKs applet for the SSID that the user will connect to.
- Add the hostapd RADIUS client (this will be waiting under RADIUS Clients → New Arrivals)
Create FUP Profile
- Start by creating a new profile. This will be a Simple Profile which we will edit afterwards to change to a FUP Profile.
- Select the profile after it has been created and select FUP Edit from the Edit drop-down button.
- On the first screen, you can leave the default settings as hostapd is not able to limit the user's connection speed.
- Among the FUP components, we will add a component that throttles the speed if the daily usage exceeds 1 GB of data volume.
- Again, this speed reduction cannot be implemented by hostapd, but we can optionally specify a VLAN to assign the user to.
- Here we specify VLAN 105 on which the captive portal is running.
- We do not block the user when the 1 GB data limit is reached.
- The system simply kicks them off the WiFi network, and when their phone or laptop reconnects, it belongs to a different VLAN.
- In our setup, this VLAN will contain a captive portal.
Add new Permanent User
- RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user.
- In our setup, we will let the user directly into the LAN (default VLAN).
- However, we will assign the user a PPSK (11223344).
Add SSID to PMKs applet
- We have a special applet that creates the PMK hashes for fast processing.
- To do this, we need to specify the SSID that the user will connect to.
- We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless)
- To get to the PMKs applet, go to RADIUS → Realms and click on the button with the lock.
- Click on the Add button to add a new SSID.
- Here you can see the PMKs that were created after you added the SSID.
- We keep the list of PMKs small and thus ensure a quick search and matching by doing the following:
- Pre-calculating the PMKs based on the SSID.
- Assigning the RADIUS Client to a single Realm.
- The RADIUSdesk code then ensures that each PPSK key in the realm is unique.
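The pre-calculation and uniqueness check described above can be sketched as follows. This is an added example, not RADIUSdesk's own code: it uses the standard WPA2-PSK derivation (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt), and the usernames and the second key are constructed sample data.

```python
import hashlib

SSID = "PPSK Demo Wireless"   # SSID from this page
# Constructed sample realm; usernames and the second key are hypothetical.
REALM_USERS = [("user1", "11223344"), ("user2", "55667788")]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA2-PSK PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_pmk_table(ssid, realm_users):
    """Precompute {PMK: username} for one SSID within one realm.

    The same PPSK on the same SSID always yields the same PMK, so a key reused
    by two users could not be attributed to either; reject it up front.
    """
    table = {}
    for username, ppsk in realm_users:
        pmk = derive_pmk(ppsk, ssid)
        if pmk in table:
            raise ValueError(f"PPSK of {username} already used by {table[pmk]}")
        table[pmk] = username
    return table


if __name__ == "__main__":
    table = build_pmk_table(SSID, REALM_USERS)
    for pmk, user in table.items():
        print(user, pmk.hex())
    # The SSID is the salt: a renamed SSID needs a freshly computed table.
    print(derive_pmk("11223344", SSID) != derive_pmk("11223344", "Other SSID"))
```

Because the SSID is the salt, each SSID needs its own table, which is why the SSID has to be added to the applet before any key can be matched.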
Add RADIUS client (for later)
- This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.
MESHdesk Related
- We will modify the default PPSK Demo mesh network to support Private PSK.
- Our server also has MQTT installed and implemented, which allows real-time disconnection of RADIUS users.
Change Entry Point (SSID) security
- We modify the PPSK Demo Wireless entry point to the following:
- The items Default VLAN, Default Key and Realm For PPSK are recorded for information only.
- We will consult them later when we add the RADIUS Client (RADIUS part final step).
Add VLANs to MESH network
- We include a range of VLANs (105-106), which will then be available to add to the exit points.
- They are added under Node Settings.
Add VLAN 105 to Captive Portal
- The wizard already created a Captive Portal exit point for us.
- We can simply connect it to VLAN 105.
- This means that traffic from the open SSID as well as traffic from VLAN 105 will hit the Captive Portal and be presented with a login page.
- Everything is now in place on the mesh network for the PPSK to work, and we can start to add nodes to the mesh network.
- After we have added a mesh node, we can try to connect to the PPSK Demo Wireless SSID with the key 11223344.
- It will fail at first, since we have not yet done the final step, which is to add it as a RADIUS client.
RADIUS Related (Final)
Add RADIUS Client
- Go to RADIUS → RADIUS Clients and click on the New Arrivals button (the one with the car icon).
- This should list the hostapd program's info from the mesh node to which you tried to connect.
- Click on the Attach button to show the Add Window.
- Make sure you select only the PPSK Demo realm.
- After you have attached it, there is one last bit and then we're done.
- Edit the RADIUS Client and specify the type as Private PSK.
- We use the info we recorded when we modified the mesh network entry point (SSID).
- Everything is now complete and in place for us to enjoy the fruit of our labour.
PPSK client session
- When we try to connect again to the PPSK Demo Wireless SSID, our connection should go through, since the RADIUS side has now been taken care of.
- Let's see all the places where it is recorded.