Private PSK with data limits

This is an old revision of the document!

RADIUSdesk includes Fair Usage Policy (FUP) profiles.
These profiles can be customised to create a very secure, powerful and flexible solution.
In this example, we will use these FUP profiles to:
- Allow a permanent user a daily data usage of 1 GB.
- After that, the system will move him to a VLAN with a captive portal that is throttled.
- At midnight, the system moves the permanent user back to the original network to start a new daily quota.
See the following figure for more clarity.

To get a working setup, we will split it into two parts
- The RADIUS related things that need to be done in RADIUSdesk.
- The MESHdesk-related things that need to be done in MESHdesk.
We assume that you have created a new cloud with the setup wizard. Our cloud is called PPSK Demo.

The RADIUS-related preparation consists of the following steps:
- Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption.
- Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile.
- Add an entry to the PMKs applet for the SSID that the user will connect to
- Add the hostapd RADIUS client (this will be waiting under RADIUS Clients → New Arrivals)

Start by creating a new profile. This will be a Simple Profile which we will edit afterwards to change to a FUP Profile.

Select the profile after it has been created and select FUP Edit from the Edit drop-down button.
On the first screen, you can leave the default settings as hostapd is not able to limit the user's connection speed.

Among the FUP components, we will add a component that throttles the speed if the daily usage exceeds 1 GB of data volume.
Again, this speed reduction cannot be implemented by hostapd, but we can optionally specify a VLAN to assign the user to.
Here we specify VLAN 105 on which the captive portal is running.

We do not block the user when the 1G data limit is reached.
The system simply kicks them off the WiFi network, and when their phone or laptop reconnects, it belongs to a different VLAN.
In our setup, this VLAN will contain a captive portal.

RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user.
In our setup, we will let the user directly into the LAN (default VLAN).
However, we will assign it a PPSK (11223344).

We have a special applet that creates the PMK hashes for fast processing.
To do this, we need to specify the SSID that the user will connect to.
We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless)
To get to the PMKs applet, go to. RADIUS → Realms and click on the button with the lock.

We keep the list of PMKs small and thus ensure a quick search and matching by doing the following:
- Pre-calculating the PMKs based on the SSID.
- Assigning the RADIUS Client to a single Realm.
- The RADIUSdesk code then ensures that each PPSK key in the realm is unique.

This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.

We will modify the default PPSK Demo mesh network to support Private PSK.
Our server also has MQTT installed and implemented which will allow real time disconnection of RADIUS users.

The items Default VLAN, Default Key and Realm For PPSK are only for info recording.
We will consult them later when we add the RADIUS Client (RADIUS part final step).

We include a range of VLANs (105-106) which will then be available to add to the exit points.
They are added under Node Settings.

The wizard already created and Captive Portal exit point for us.
We can simply connect it to VLAN 105.
This means that traffic from the open SSID as well as traffic from VLAN 105 will hit the Captive Portal and be presented with a login page.

Everything is now in place on the mesh network for the PPSK to work and we can start to add nodes to the mesh network.
After we added a mesh nodes we can try to connect to the PPSK Demo Wireless SSID with the key of 11223344
If will fail first since we have not yet did the final step which is to add it as a RADIUS client.

Go to RADIUS → RADIUS Clients and click on the New Arrivals button (The one with the car icon).
This should list the hotsapd program's info from the mesh node on which you tried to connect to.

We use the info we recorded when we modified the mesh network entry point (SSID)
Everything is now complete and in place for us to enjoy the fruit of our labour.

When we try to connect again to the PPSK Demo Wireless SSID, our connection should go through since the RADIUS has now been taken care of.
Lets see all the places where it is recorded.

Introduction