This is an old revision of the document!

Private PSK with data limits

Introduction

  • RADIUSdesk includes Fair Usage Policy (FUP) profiles.
  • These profiles can be customised to create a very secure, powerful and flexible solution.
  • In this example, we will use these FUP profiles to:
    • Allow a permanent user a daily data usage of 1 GB.
    • After that, the system will move him to a VLAN with a captive portal that is throttled.
    • At midnight, the system moves the permanent user back to the original network to start a new daily quota.
  • See the following figure for more clarity.

Private PSK with data limits

  • To get a working setup, we will split it into two parts
    • The RADIUS related things that need to be done in RADIUSdesk.
    • The MESHdesk-related things that need to be done in MESHdesk.
  • We assume that you have created a new cloud with the setup wizard. Our cloud is called PPSK Demo.

RADIUS Related (preparation)

  • The RADIUS-related preparation consists of the following steps:
    • Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption.
    • Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile.
    • Create a permanent user with a unique Private PSK and who will be assigned to the limited FUP profile.
    • Add an entry to the PMKs applet for the SSID that the user will connect to
    • Add the hostapd RADIUS client (this will be waiting under RADIUS Clients → New Arrivals)

Create FUP Profile

  • Start by creating a new profile. This will be a Simple Profile which we will edit afterwards to change to a FUP Profile.

  • Select the profile after it has been created and select FUP Edit from the Edit drop-down button.
  • On the first screen, you can leave the default settings as hostapd is not able to limit the user's connection speed.

  • Among the FUP components, we will add a component that throttles the speed if the daily usage exceeds 1 GB of data volume.
  • Again, this speed reduction cannot be implemented by hostapd, but we can optionally specify a VLAN to assign the user to.
  • Here we specify VLAN 105 on which the captive portal is running.

Add new Permanent User

  • RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user.
  • In our setup, we will let the user directly into the LAN (default VLAN).
  • However, we will assign it a PPSK (11223344).

Add SSID to PMK's applet

  • We have a special applet that creates the PMK hashes for fast processing.
  • To do this, we need to specify the SSID that the user will connect to.
  • We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless)
  • To get to the PMKs applet, go to. RADIUS → Realms and click on the button with the lock.

  • Click on the Add button to add a new SSID

  • Here you can see the PMKs that were created after you added the SSID.

  • We keep the list of PMKs small and thus ensure a quick search and matching by doing the following:
    • Pre-calculating the PMKs based on the SSID.
    • Assigning the RADIUS Client to a single Realm.
    • The RADIUSdesk code then ensures that each PPSK key in the realm is unique.

Add RADIUS client (for later)

  • This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.

MESHdesk Related

  • We will modify the default PPSK Demo mesh network to support Private PSK.
  • Our server also has MQTT installed and implemented which will allow real time disconnection of RADIUS users.

Change Entry Point (SSID) security

  • We modify the PPSK Demo Wireless Entry point to the following:

  • The items Default VLAN, Default Key and Realm For PPSK are only for info recording.
  • We will consult them later when we add the RADIUS Client (RADIUS part final step).

Add VLANs to MESH network

  • We include a range of VLANs (105-106) which will then be available to add to the exit points.
  • They are added under Node Settings.

Add VLAN 105 to Captive Portal

  • The wizard already created and Captive Portal exit point for us.
  • We can simply connect it to VLAN 105.
  • This means that traffic from the open SSID as well as traffic from VLAN 105 will hit the Captive Portal and be presented with a login page.

  • Everything is now in place on the mesh network for the PPSK to work and we can start to add nodes to the mesh network.
  • After we added a mesh nodes we can try to connect to the PPSK Demo Wireless SSID with the key of 11223344
  • If will fail first since we have not yet did the final step which is to add it as a RADIUS client.

RADIUS Related (Final)

Add RADIUS Client

  • Go to RADIUSRADIUS Clients and click on the New Arrivals button (The one with the car icon).
  • This should list the hotsapd program's info from the mesh node on which you tried to connect to.

  • Click on the Attach button to show the Add Window.

  • Make sure you select only the PPSK Demo realm.

  • After you attached it, there is one last bit and then we're done.
  • Edit the RADIUS Client and specify the type as Private PSK.

  • We use the info we recorded when we modified the mesh network entry point (SSID)
  • Everything is now complete and in place for us to enjoy the fruit of our labour.

PPSK client session

  • When we try to connect again to the PPSK Demo Wireless SSID, our connection should go through since the RADIUS has now been taken care of.
  • Lets see all the places where it is recorded.
  • technical/ppsk-meshdesk.1714319941.txt.gz
  • Last modified: 2024/04/28 17:59
  • by system