Private PSK with data limits
Introduction
- RADIUSdesk includes Fair Usage Policy (FUP) profiles.
- These profiles can be customised to create a very secure, powerful and flexible solution.
- In this example, we will use these FUP profiles to:
- Allow a permanent user a daily data usage of 1 GB.
- Once that is used up, the system moves the user to a VLAN that carries a throttled captive portal.
- At midnight, the system moves the permanent user back to the original network to start a new daily quota.
- See the following figure for more clarity.
- To get a working setup, we will split it into two parts:
- The RADIUS related things that need to be done in RADIUSdesk.
- The MESHdesk-related things that need to be done in MESHdesk.
- We assume that you have created a new cloud with the setup wizard. Our cloud is called PPSK Demo.
RADIUS Related (preparation)
- The RADIUS-related preparation consists of the following steps:
- Create an FUP profile that will cause the user to be moved to VLAN 105 (the VLAN where we will run our captive portal) after 1 GB of data consumption.
- Create a permanent user with a unique private PSK. This user will also be assigned to the limited FUP profile.
- Add an entry to the PMKs applet for the SSID that the user will connect to.
- Add the hostapd RADIUS client (this will be waiting under RADIUS Clients → New Arrivals)
Create FUP Profile
- Start by creating a new profile. This will be a Simple Profile, which we will then edit to turn it into an FUP Profile.
- Select the profile after it has been created and select FUP Edit from the Edit drop-down button.
- On the first screen you can leave the default settings, as hostapd cannot limit a user's connection speed.
- Among the FUP components, we add one that throttles the speed once the daily usage exceeds 1 GB of data volume.
- Again, hostapd cannot apply this speed reduction, but the component lets us optionally specify a VLAN to assign the user to instead.
- Here we specify VLAN 105, on which the captive portal is running.
- We do not block the user when the 1 GB data limit is reached.
- The system simply kicks them off the WiFi network, and when their phone or laptop reconnects it is placed in the new VLAN.
- In our setup, this VLAN will contain a captive portal.
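The quota decision described above, as an added example in Python (not RADIUSdesk's own code, which the page does not show). It assumes the "1 GB" quota is 1 GiB, that the per-day window runs from local midnight, and that the VLAN move is expressed with the standard RFC 3580 tunnel attributes; the accounting records, user names and timestamps are constructed for the demo. It also handles two things the bare description glosses over: RADIUS octet counters are 32-bit with the overflow in Acct-*-Gigawords, and they are cumulative per session, so an Interim-Update and the Stop of the same session must not be added together.

```python
from datetime import datetime

# Constructed accounting records (not from the page). Octet counters in RADIUS
# accounting are 32-bit (RFC 2866) with Acct-*-Gigawords (RFC 2869) carrying the
# overflow, and they are cumulative per session, so the Interim-Update and the
# final Stop of one Acct-Session-Id must not be summed.
QUOTA = 1 << 30                     # assumption: the page's "1 GB" read as 1 GiB
QUOTA_VLAN = "105"                  # captive-portal VLAN from the tutorial
NOW = datetime(2024, 5, 2, 14, 0)   # constructed "current time" for the demo
MIB = 1 << 20

RECORDS = [
    # yesterday: outside today's window, must be ignored
    {"User-Name": "alice", "Acct-Session-Id": "s0", "Acct-Status-Type": "Stop",
     "Event-Timestamp": datetime(2024, 5, 1, 23, 50), "Acct-Input-Octets": 600 * MIB, "Acct-Output-Octets": 0},
    # alice, session s1: interim update, then stop (counters are cumulative)
    {"User-Name": "alice", "Acct-Session-Id": "s1", "Acct-Status-Type": "Interim-Update",
     "Event-Timestamp": datetime(2024, 5, 2, 8, 0), "Acct-Input-Octets": 300 * MIB, "Acct-Output-Octets": 200 * MIB},
    {"User-Name": "alice", "Acct-Session-Id": "s1", "Acct-Status-Type": "Stop",
     "Event-Timestamp": datetime(2024, 5, 2, 9, 0), "Acct-Input-Octets": 400 * MIB, "Acct-Output-Octets": 300 * MIB},
    # alice, session s2 still running
    {"User-Name": "alice", "Acct-Session-Id": "s2", "Acct-Status-Type": "Interim-Update",
     "Event-Timestamp": datetime(2024, 5, 2, 12, 0), "Acct-Input-Octets": 400 * MIB, "Acct-Output-Octets": 0},
    # bob: the 32-bit counter wrapped once, the overflow is in the gigawords attribute
    {"User-Name": "bob", "Acct-Session-Id": "s3", "Acct-Status-Type": "Interim-Update",
     "Event-Timestamp": datetime(2024, 5, 2, 10, 0), "Acct-Input-Gigawords": 1, "Acct-Input-Octets": 5, "Acct-Output-Octets": 0},
    # carol: well under quota
    {"User-Name": "carol", "Acct-Session-Id": "s4", "Acct-Status-Type": "Interim-Update",
     "Event-Timestamp": datetime(2024, 5, 2, 11, 0), "Acct-Input-Octets": 100 * MIB, "Acct-Output-Octets": 0},
]


def total_octets(rec):
    """Full 64-bit byte count (in + out) of one accounting record."""
    return ((rec.get("Acct-Input-Gigawords", 0) << 32) + rec["Acct-Input-Octets"]
            + (rec.get("Acct-Output-Gigawords", 0) << 32) + rec["Acct-Output-Octets"])


def daily_usage(records, username, now):
    """Bytes used by `username` since local midnight: keep only the newest record of
    each session inside the window, because a session's counters are cumulative.
    Simplification: a session that started before midnight contributes all of its
    counters to today; the page does not say how RADIUSdesk splits such sessions."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    latest = {}
    for r in records:
        if r["User-Name"] != username or not (midnight <= r["Event-Timestamp"] <= now):
            continue
        sid = r["Acct-Session-Id"]
        if sid not in latest or r["Event-Timestamp"] > latest[sid]["Event-Timestamp"]:
            latest[sid] = r
    return sum(total_octets(r) for r in latest.values())


def vlan_reply_attrs(vlan_id):
    """RFC 3580 attributes that place a client into a VLAN in an Access-Accept
    (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802)."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": str(vlan_id)}


def fup_decision(usage, quota=QUOTA, default_vlan=None):
    """Over quota: drop the session (the user is kicked off, not blocked) and answer the
    re-association with the captive-portal VLAN. Under quota: the user's own VLAN, or no
    VLAN attributes at all when the user belongs on the default (untagged) LAN."""
    if usage >= quota:
        return {"action": "disconnect", "reply": vlan_reply_attrs(QUOTA_VLAN)}
    return {"action": "allow", "reply": vlan_reply_attrs(default_vlan) if default_vlan else {}}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        used = daily_usage(RECORDS, user, NOW)
        print(user, used, fup_decision(used))
```

Summing every record naively would credit alice with 1600 MiB instead of the 1100 MiB she actually used; the per-session "latest record wins" rule is what keeps a daily quota honest when interim updates are enabled.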
Add new Permanent User
- RADIUSdesk makes it possible to assign an optional PPSK and a VLAN to a permanent user.
- In our setup we let the user straight into the LAN (the default VLAN), so no VLAN is assigned.
- We do, however, assign the user a PPSK: 11223344. Note that this is the shortest passphrase WPA2 allows (8 characters) and is only fit for a demo; use a long random key per user in production.
Add SSID to PMK's applet
- The PMKs applet pre-computes the PMK hashes (each PMK is derived from a PPSK and the SSID) so that matching at connection time is fast.
- To do this, it needs the SSID that the user will connect to, because the same PPSK gives a different PMK on every SSID.
- We add the SSID that the wizard created in the example mesh network. (PPSK Demo Wireless)
- To get to the PMKs applet, go to RADIUS → Realms and click the button with the lock.
- Click the Add button to add a new SSID.
- Here you can see the PMKs that were created after you added the SSID.
- We keep the list of PMKs small, and therefore the search and matching quick, by doing the following:
- Pre-calculating the PMKs based on the SSID.
- Assigning the RADIUS client to a single realm.
- The RADIUSdesk code then ensures that each PPSK in the realm is unique.
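What the applet pre-computes, and why each PPSK in a realm must be unique, as an added Python example (not RADIUSdesk's or hostapd's code). The PMK derivation is the standard WPA2-Personal one, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt. The page only says the PMKs are pre-computed per SSID for quick matching; the match itself is shown here as the standard check, trying each candidate PMK against the MIC of message 2 of the 4-way handshake, and that is an assumption about mechanism, not a description of RADIUSdesk internals. The MAC addresses, nonces, and the second and third users are constructed for the demo; only the SSID name and the key 11223344 come from the tutorial.

```python
import hashlib
import hmac

# Constructed realm (not from the page beyond the SSID name and alice's key).
SSID = "PPSK Demo Wireless"
REALM_USERS = [("alice", "11223344"), ("bob", "correct horse battery"), ("carol", "Sup3rS3cretPPSK!")]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why the applet needs it: the same key yields a
    different PMK on every SSID."""
    if not 8 <= len(passphrase) <= 63:  # 802.11 passphrase length rule
        raise ValueError("passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def precompute_realm_pmks(ssid, users):
    """PMK -> username table for one realm. Every PPSK in the realm must be unique:
    two users sharing a key would share a PMK and could not be told apart."""
    table, seen = {}, set()
    for username, ppsk in users:
        if ppsk in seen:
            raise ValueError(f"duplicate PPSK for user {username}")
        seen.add(ppsk)
        table[derive_pmk(ppsk, ssid)] = username
    return table


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n built on HMAC-SHA1 (PTK derivation for CCMP needs 48 bytes)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """KCK = first 16 bytes of the PTK, which binds both MACs and both nonces."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


# EAPOL-Key layout: 802.1X hdr 4 + type 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8
MIC_OFFSET = 81


def eapol_mic(kck, frame):
    """Key MIC for key descriptor version 2 (AES/CCMP): HMAC-SHA1 over the whole
    EAPOL frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def identify_client(table, ap_mac, sta_mac, anonce, snonce, msg2):
    """Try every PMK in the realm against message 2 of the 4-way handshake; the one
    whose KCK reproduces the MIC is the PPSK the client used. Returns None if no key matches."""
    for pmk, username in table.items():
        kck = derive_kck(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16]):
            return username
    return None


def build_msg2(kck, snonce):
    """Constructed EAPOL-Key message 2/4 (99 bytes, empty key data) as a client would send it."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def demo():
    """Returns (user identified from a valid msg2, result for a tampered msg2)."""
    table = precompute_realm_pmks(SSID, REALM_USERS)
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                            # constructed
    kck = derive_kck(derive_pmk("11223344", SSID), ap_mac, sta_mac, anonce, snonce)
    msg2 = build_msg2(kck, snonce)
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 1])  # flip one bit outside the MIC field
    return (identify_client(table, ap_mac, sta_mac, anonce, snonce, msg2),
            identify_client(table, ap_mac, sta_mac, anonce, snonce, tampered))


if __name__ == "__main__":
    print(demo())
```

The cost of a lookup is one PTK derivation and one HMAC per candidate PMK, not a PBKDF2 run, which is the "fast processing" the pre-computed table buys; keeping the realm's PPSK list short keeps that loop short as well.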
Add RADIUS client (for later)
- This last part on the RADIUS side will be completed after the mesh network has been configured for Private PSK.
MESHdesk Related
- We will change the default PPSK demo mesh network to support Private PSK.
- MQTT is also installed on our server, which enables real-time termination of RADIUS sessions.
Change the security of the entry point (SSID)
- We change the PPSK Demo Wireless Entry Point as follows:
- The Default VLAN, Default Key and Realm for PPSK entries are for information only.
- We will consult them later when we add the RADIUS client (RADIUS part last step).
Adding VLANs to the MESH network
- We add a number of VLANs (105 and 106), which will then be available to the exit points.
- They are added under Node Settings.
Add VLAN 105 to Captive Portal
- The wizard has already created a Captive Portal exit point for us.
- We can simply connect it to VLAN 105.
- This means that both the traffic from the open SSID and the traffic from VLAN 105 will hit the captive portal, and a login page will be displayed.
- Now that the mesh network is all set up for PPSK to work, we can start adding nodes to the mesh network.
- After we have added a mesh node, we can try to connect to the PPSK Demo Wireless SSID with the key 11223344.
- This will initially fail, as we have not yet performed the final step of adding the node's hostapd as a RADIUS client.
RADIUS related (final)
Add RADIUS client
- Go to RADIUS → RADIUS Clients and click on the New Arrivals button (the one with the car icon).
- This should list the hostapd instance from the mesh node you tried to connect through.
- Click the Attach button to display the Add window.
- Make sure that you only select the PPSK Demo realm.
- After you have attached it, there is one last step and then we are done.
- Edit the RADIUS client and specify Private PSK as the type.
- We use the information we recorded when we changed the mesh network entry point (SSID).
- Now everything is ready and we can enjoy the fruits of our labour.
PPSK client session
- If we try to connect to the PPSK Demo Wireless SSID again, our connection should work, as the RADIUS side is now complete.
- Let us take a look at all the places where it is recorded.
RADIUS Clients
- The RADIUS Clients applet will indicate when the client last contacted the server.
- It will also show the Public IP Address that the RADIUS Client used to connect with.
- With MESHdesk and APdesk the RADIUS client name follows the convention {m|a}[_hosta_]{Mesh ID/AP Profile ID}[_]{Entry ID/SSID ID}.
- In order for RADIUSdesk to know which AP or mesh node to contact to disconnect a user from the WiFi, we also record extra information from the accounting data sent by hostapd.
Activity Monitor
- Under Activity Monitor you can view active and historical sessions.
- You can also terminate active sessions.
- Here you can see where we terminated the active session; the user's device then moved to another radio automatically (notice that the value of Operator Name is different).
Usage graph
- We can also view the usage graph of the user.
- Here we can see that the usage is just over 1 GB, which means the system took action and disconnected the user's device.