Setting Up a Hotspot (Public Wireless Internet Access)

Overview

This article discusses the basic principles of arranging a network that provides wireless Internet access. Since almost anyone with a laptop or handheld PC can reach the wireless medium, the central problems are reliable identification of subscribers and accurate accounting of the services they consume. The most popular, and also the most vulnerable, arrangement is an open wireless network (public SSID, no WEP) in which the client obtains an IP address automatically via DHCP and gains Internet access after authorizing on a web page; all the subscriber needs is a web browser. Because such solutions are the easiest to deploy, we begin with them. Keep in mind what "open" implies: everything a client sends over the air, including the login page and whatever is typed into it when the portal runs over plain HTTP, can be read by anyone within radio range, and access control is enforced only by the router, not by the wireless link itself.

Basic Terminology

802.11b

The standard uses the 2.4 GHz band and has a raw data rate of 11 Mbit/s (about 5.9 Mbit/s of useful throughput with TCP, 7.1 Mbit/s with UDP). For more details see http://en.wikipedia.org/wiki/802.11b.

802.11g

The newer standard for Wi-Fi data transfer. Devices supporting it operate in the 2.4 GHz band with a raw data rate of up to 54 Mbit/s. As with 802.11b the radio medium is half-duplex and shared among all stations, so the throughput a user sees is considerably lower than the raw rate.

Wireless network interface card (WNIC)

A client device inserted into a standard slot of a PC, laptop or PDA (PCI, PCMCIA, CompactFlash Type II, etc.) that communicates with other devices over radio. Examples: D-Link DWL 650+, D-Link DCF 660W, Cisco Aironet 350 Series, Lucent Orinoco Wireless PC card, etc. Cards may support different wireless standards and therefore provide different data rates.

Wireless access point (WAP)

A device that connects wireless client devices together and bridges them to a wired network. Usually a WAP has one port for ordinary wired Ethernet and an antenna. Examples: D-Link DWL-2000AP+, Orinoco AP-200, etc.

Hotspot, Wi-Fi

These terms denote the network equipment (wireless access points, antennas, servers, routers) and the software that together let users obtain wireless Internet access. Normally a hotspot has a limited coverage area (a cafe, a restaurant or a hotel). To obtain access it is usually enough to have a laptop or PDA with a wireless card and a personal secret code (a PIN code, a login and password, etc.). The secret code identifies the user and prevents third parties from using the network resources. A code may be bought from the hotspot administrator (e.g., at a hotel reception) and is valid for a certain time interval; when the interval ends, Internet access is blocked and a new code is required to continue surfing.


Deploying a Hotspot on Basis of a PC Router and the ISP Billing System
NetUP UTM v5


General scheme of Hotspot arrangement on basis of ISP billing system "NetUP UTM5"


The proposed scheme uses a simple wireless access point, the D-Link DWL-2000AP+, with an SSID set and WEP disabled. The PC router runs Linux Red Hat 9.0, with the Apache web server, a caching DNS server and the ISP billing system NetUP UTM5 installed in addition.
So that subscribers join the network without manual configuration, a DHCP server must be installed and configured to assign IP addresses to client PCs. The most popular and widely used DHCP server is ISC dhcpd, which can be downloaded from ftp://ftp.isc.org/isc/dhcp/dhcp-latest.tar.gz

Installation is done with the usual commands:

./configure
make
make install

isc-dhcpd can also be installed from the packages shipped with the operating system.

DHCP Server Configuration

The main configuration file is dhcpd.conf. It should contain the following:

option domain-name "yourdomain.com";
option domain-name-servers 10.1.2.1;
option subnet-mask 255.255.255.0;
default-lease-time 36000;
max-lease-time 86400;
authoritative;
ddns-update-style none;
log-facility local7;
subnet 10.1.2.0 netmask 255.255.255.0 {
    option routers 10.1.2.1;
    pool {
        range 10.1.2.10 10.1.2.200;
        allow unknown-clients;
    }
}

With this configuration the server hands out addresses from the range 10.1.2.10–10.1.2.200, usually starting from the end of the range. The server itself should have the address 10.1.2.1.

It is very important to check which interface the DHCP server listens on: answering DHCP requests on the Internet-facing interface can have unwanted consequences. Therefore start dhcpd with the interface it should serve given as a command-line parameter, e.g. dhcpd fxp0 for an internal interface fxp0. Several interfaces may be listed, separated by spaces: dhcpd fxp0 fxp1 ed0. (These examples use BSD-style interface names; on the Red Hat 9 router described here the interfaces are called eth0, eth1 and so on.)

Once automatic IP address allocation works, the subscriber needs an easy way to reach the card activation page: a subscriber who has not yet been authorized must be forcibly redirected to it. This is done with the firewall.

Firewall Configuration in Linux

In Linux the firewall is iptables. iptables has a REDIRECT target that rewrites the destination address of matching packets to a port on the local machine. We use it to redirect all web requests of not-yet-authorized subscribers to the UTM page that invites them to enter the number and PIN code of a prepaid card. Add the following rule to the PREROUTING chain of the nat table:

iptables -t nat -A PREROUTING -s 10.1.2.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 80

This rule matches only TCP port 80 from the hotspot subnet. Add -i with the internal interface so it can never apply to packets arriving from the Internet side, and remember that with the prohibitive FORWARD policy set below all other traffic of an unauthorized client (HTTPS included) is dropped rather than redirected; DNS still works because it is answered by the caching resolver on the router itself. After that, UTM adds three rules for each user to switch Internet access on (UIP and UBITS are placeholders that UTM fills with the user's IP address and prefix length):

/sbin/iptables -t nat -I PREROUTING 1 -s UIP/UBITS -j ACCEPT
/sbin/iptables -A FORWARD -s UIP/UBITS -j ACCEPT
/sbin/iptables -A FORWARD -d UIP/UBITS -j ACCEPT


And for switching off:

/sbin/iptables -t nat -D PREROUTING -s UIP/UBITS -j ACCEPT
/sbin/iptables -D FORWARD -s UIP/UBITS -j ACCEPT
/sbin/iptables -D FORWARD -d UIP/UBITS -j ACCEPT


A prohibitive default policy must be set for the FORWARD chain:

iptables -P FORWARD DROP

Two further points. First, the clients receive private addresses from 10.1.2.0/24, so the router must also translate them on the way out; this is not shown above and is done with a rule such as iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -o <external interface> -j MASQUERADE. Second, be aware of what this access control rests on: an authorized client is recognized solely by its IP address (and, in the DHCP lease, its MAC address), both of which any other station on the same open network can observe and clone. Per-packet, per-session authentication of the wireless link is what WPA or 802.1X provide; an IP-based captive portal does not.

Configuring Apache Web Server

The start page and the 404 error page must be redefined in the configuration file httpd.conf:

ErrorDocument 404 "/cgi-bin/utm5/aaa5?cmd=card_login"
DirectoryIndex "/cgi-bin/utm5/aaa5?cmd=card_login" index.html

Because the REDIRECT rule delivers every web request of an unauthorized client to this server, whatever path the browser asked for either does not exist here (and the 404 handler serves the login form) or is the directory index, so every request yields a page inviting the user to enter the number and secret PIN code of a prepaid Internet card.


After the configuration file has been corrected, restart the web server:

apachectl restart

After the registration data has been entered successfully, the user is redirected to a periodically refreshing web page with connection statistics.


On successful authorization the firewall enables forwarding for the IP address the user is connected from; this can be checked with iptables -nL. If after successful authorization the user should be returned to the URL originally requested, pass redirect=yes among the aaa5 parameters. The web server configuration then looks as follows:

ErrorDocument 404 "/cgi-bin/utm5/aaa5?cmd=card_login&redirect=yes"
DirectoryIndex "/cgi-bin/utm5/aaa5?cmd=card_login&redirect=yes" index.html

The configuration file web5.cfg must also contain the line:

src_redirect=yes

In this case, on the first access to aaa5 the address from the environment variable SERVER_HOST is saved, and if the user enters correct authorization data he is automatically redirected to the saved address. For example, a user who has obtained an IP address via DHCP launches a browser and enters www.utm-billing.com; the redirect brings up the prompt for a prepaid card number and PIN code, and once these are correct the user is automatically redirected to www.utm-billing.com.

Configuring the Hotspot Service in the Billing System

In the Administrator Control Center, section Tariffication/Tariff plans, add a tariff plan containing the Hotspot service and set its time ranges and cost.


The ID of this tariff plan is specified when cards are added to the system.


After a number and PIN code have been entered successfully, the web page refreshes periodically, letting the server know that the session is still active and the service is in use. If no refresh arrives within a set timeout (the user closed the page or shut down the PC), or a session-close signal arrives (the user clicked "Exit"), Internet access is blocked and the consumed time interval is charged. Internet access is also blocked when the credit is exhausted.
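The keep-alive mechanism just described, as an added example in Python that is not UTM5 code: a small session tracker that applies the per-user firewall rules from the previous section once per client, expires sessions whose statistics page stopped refreshing or whose credit ran out, and reports the seconds to charge. The iptables invocations are returned as argument lists instead of being executed, so the logic can be tried without root; a deployment would pass each list to subprocess.run(). The timeout value and the optional binding of the rules to the client's MAC address are assumptions of this example, not part of the article's scheme.

```python
"""Session tracker for the iptables-based hotspot above.
Added example, not UTM5 code.  KEEPALIVE_TIMEOUT and the MAC binding are assumed."""
import ipaddress
import time

IPT = "/sbin/iptables"
KEEPALIVE_TIMEOUT = 120  # seconds without a page refresh before the session is dropped (assumed)


def user_rules(ip, mac=None, remove=False):
    """The article's three per-user rules, as argv lists.  With remove=True the
    same matches are emitted with -D, so a later delete finds exactly what was
    added.  When the client's MAC (from the DHCP lease or ARP table) is known,
    the source rules are also bound to it with iptables' mac match; the -d rule
    cannot be, since the destination MAC is the router's own.  This raises the
    bar for a neighbour who clones the IP, but on an open network both address
    layers stay spoofable."""
    src = ["-s", f"{ip}/32"] + (["-m", "mac", "--mac-source", mac] if mac else [])
    nat_op = ["-D", "PREROUTING"] if remove else ["-I", "PREROUTING", "1"]
    fwd_op = ["-D", "FORWARD"] if remove else ["-A", "FORWARD"]
    return [
        [IPT, "-t", "nat", *nat_op, *src, "-j", "ACCEPT"],
        [IPT, *fwd_op, *src, "-j", "ACCEPT"],
        [IPT, *fwd_op, "-d", f"{ip}/32", "-j", "ACCEPT"],
    ]


class HotspotSessions:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.active = {}  # client IP -> session record

    def login(self, ip, card, credit_seconds, mac=None):
        """Called after the card number and PIN were verified.  Returns the rules
        to apply, or [] when this IP already has a session: adding the rules a
        second time would leave a stray copy behind after the later -D."""
        ip = str(ipaddress.ip_address(ip))
        if ip in self.active:
            return []
        now = self.clock()
        self.active[ip] = {"card": card, "mac": mac, "credit": credit_seconds,
                           "started": now, "last_seen": now}
        return user_rules(ip, mac)

    def keepalive(self, ip):
        """The statistics page's periodic refresh lands here."""
        session = self.active.get(ip)
        if session is None:
            return False
        session["last_seen"] = self.clock()
        return True

    def logout(self, ip, reason="exit"):
        """Returns (rules to remove, charge record) or ([], None).  On a
        keep-alive timeout the billable interval ends at the last refresh, not
        when the expiry sweep noticed the silence; credit caps it either way."""
        session = self.active.pop(ip, None)
        if session is None:
            return [], None
        end = session["last_seen"] if reason == "timeout" else self.clock()
        used = min(int(end - session["started"]), session["credit"])
        record = {"card": session["card"], "seconds": used, "reason": reason}
        return user_rules(ip, session["mac"], remove=True), record

    def expire(self):
        """Run periodically: drops silent sessions and exhausted cards."""
        now = self.clock()
        ended = []
        for ip, session in list(self.active.items()):
            if now - session["last_seen"] > KEEPALIVE_TIMEOUT:
                ended.append(self.logout(ip, "timeout"))
            elif now - session["started"] >= session["credit"]:
                ended.append(self.logout(ip, "credit"))
        return ended


if __name__ == "__main__":
    hs = HotspotSessions()
    for argv in hs.login("10.1.2.57", card="0001", credit_seconds=3600, mac="00:40:f4:59:ed:7a"):
        print(" ".join(argv))
```

The sweep in expire() is what replaces the page refresh as the source of truth: once a client goes silent its rules are removed even if it never clicks "Exit", which is exactly the case the article describes for a closed browser or a switched-off PC.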


Deploying a Hotspot on Basis of MikroTik RouterOS
and the ISP Billing System NetUP UTM5


General scheme of Hotspot arrangement on basis of MikroTik RouterOS and billing system NetUP UTM5

In this scheme, IP address allocation via DHCP, the authorization page, and switching Internet access on and off are handled by a router running MikroTik RouterOS (hereafter MikroTik). More detailed information on MikroTik is available on the developer's site www.mikrotik.com.
Tariffs and the user database are kept in the billing system on a separate server; authorization and accounting are processed via the RADIUS protocol.

To enable the hotspot on MikroTik, configure the network interfaces and run the following commands:

[admin@MikroTik] ip hotspot> setup
Select interface to run Hotspot on
hotspot interface: ether2
Add hotspot authentication for existing interface setup?
interface already configured: yes
Use SSL authentication?
use ssl: no
Use transparent web proxy for hotspot clients?
use transparent web proxy: no
Use local DNS cache?
use local dns cache: no
DNS name of local hotspot server
dns name: 192.168.0.1
Select another port for (www) service
port 80 is used by www service, select some other port for this service
another port for service: 8081
Create local hotspot user
name of local hotspot user: admin
password for the user: admin
[admin@MikroTik] ip hotspot>

Two of the answers above deserve attention. The local hotspot user admin/admin is only a placeholder: delete it or give it a strong password before the hotspot goes live, otherwise it grants Internet access to anyone who guesses it, bypassing the billing system entirely. Answering "no" to SSL means the login form travels over plain HTTP on an open network; with the HTTP-CHAP login method the PIN itself is not sent in clear, but anyone on the network can record the challenge/response pair and search a short PIN offline. To configure the hotspot to work with a RADIUS server, run:

[admin@MikroTik] ip hotspot> aaa set use-radius=yes accounting=yes
[admin@MikroTik] radius> add service=hotspot address=10.1.2.105 secret=secret
authentication-port=1812 accounting-port=1813

The shared secret "secret" is likewise a placeholder. Choose a long random value: it is the only thing that authenticates the RADIUS exchange between router and billing server, and it hides the CHAP material and the accounting data from anyone who can see that traffic. To enable the DHCP server, run:

[admin@MikroTik] ip dhcp-server> setup
Select interface to run DHCP server on
dhcp server interface: ether2
Select network for DHCP addresses
dhcp address space: 192.168.0.0/24
Select gateway for given network
gateway for dhcp network: 192.168.0.1
Select pool of ip addresses given out by DHCP server
addresses to give out: 192.168.0.2-192.168.0.254
Select DNS servers
dns servers: 10.1.2.5
Select lease time
lease time: 3d
[admin@MikroTik] ip dhcp-server>

A caching DNS server must also be enabled:

[admin@MikroTik] ip dns> set primary-dns=10.1.2.5
[admin@MikroTik] ip dns> set allow-remote-requests=yes

Note that allow-remote-requests=yes makes the router answer DNS queries on every interface, the WAN side included, so restrict port 53 to the hotspot interface in the router's firewall or it becomes an open resolver. As a result of these settings, a user connecting over the wireless network automatically receives an IP address, default gateway and DNS server via DHCP, and by default all packets from the user are redirected to the MikroTik authorization page:

Mikrotik authorization page

After the user has entered a login and password, MikroTik attempts to authorize the user via the RADIUS server. An example of the authorization packet (Access-Request), captured with tcpdump, is shown below:

22:21:29.686883 IP (tos 0x0, ttl 64, id 38426, offset 0, flags [DF], length: 184)
10.1.2.67.1024 > 10.1.2.105.1812: [udp sum ok] RADIUS, length: 156
Access Request (1), id: 0x12, Authenticator:
385bb7580f1d9b568e74a4a25589a5fb
NAS ID Attribute (32), length: 10, Value: MikroTik
0x0000: 4d69 6b72 6f54 696b
NAS Port Type Attribute (61), length: 6, Value: Ethernet
0x0000: 0000 000f
Calling Station Attribute (31), length: 19, Value: 00:40:F4:59:ED:7A
0x0000: 3030 3a34 303a 4634 3a35 393a 4544 3a37
0x0010: 41
Called Station Attribute (30), length: 19, Value: 00:0C:29:11:45:64
0x0000: 3030 3a30 433a 3239 3a31 313a 3435 3a36
0x0010: 34
NAS Port ID Attribute (87), length: 8, Value: ether2
0x0000: 6574 6865 7232
Username Attribute (1), length: 9, Value: hsptest
0x0000: 6873 7074 6573 74
NAS Port Attribute (5), length: 6, Value: -2146435064
0x0000: 8010 0008
Accounting Session ID Attribute (44), length: 10, Value: 80100008
0x0000: 3830 3130 3030 3038
Framed IP Address Attribute (8), length: 6, Value: 192.168.0.2
0x0000: c0a8 0002
CHAP challenge Attribute (60), length: 18, Value: ........)Om.../O
0x0000: 06a2 12f4 10f9 c896 294f 6d1f a9e9 2f4f
CHAP Password Attribute (3), length: 19, Value:
0x0000: 596e a073 f8b9 50ea 27db 272c 6e12 923c
0x0010: 36
NAS IP Address Attribute (4), length: 6, Value: 10.1.2.67
0x0000: 0a01 0243

The following records should appear in the RADIUS server log file:

?Debug : Oct 01 22:14:47 RADIUS Auth: Packet from 
?Debug : Oct 01 22:14:47 RADIUS Auth: User connecting
?Debug : Oct 01 22:14:47 RADIUS DBA: login_store iter->second.dialup.session_count:0
?Debug : Oct 01 22:14:47 RADIUS Auth: Auth scheme: CHAP
?Debug : Oct 01 22:14:47 RADIUS Auth: CHAP: Challenge size: 16
?Debug : Oct 01 22:14:47 RADIUS Auth: CHAP: Authorized user
?Debug : Oct 01 22:14:47 RADIUS Auth: Dialup session limit:0 session count:0 for user:hsptest
?Debug : Oct 01 22:14:47 RADIUS Auth: Calculated maximum session time: 67
?Debug : Oct 01 22:14:47 RADIUS DBA: dialup_link_update called for slink:41
?Debug : Oct 01 22:14:47 RADIUS DBA: soft dialup_link_update for slink:41 session_count:1

The line "Calculated maximum session time: 67" shows that the user has enough credit for 67 seconds of Internet access. This value is sent to MikroTik as the Session-Timeout attribute of the Access-Accept packet (the confirmation of successful authorization). The log excerpt and the packet dumps were captured at different times (compare the timestamps and the session IDs), which is why the values do not match exactly. The Access-Accept packet, captured with tcpdump, is shown below:

length: 109) 10.1.2.105.1812 > 10.1.2.67.1024: [udp sum ok] RADIUS, length: 81
Access Accept (2), id: 0x12, Authenticator:
3fdcd4d2ef3a1272554cfa9389cd73e2
Service Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Framed Protocol Attribute (7), length: 6, Value: PPP
0x0000: 0000 0001
Framed Routing Attribute (10), length: 6, Value: None
0x0000: 0000 0000
Framed MTU Attribute (12), length: 6, Value: 1500
0x0000: 0000 05dc
Framed Compression Attribute (13), length: 6, Value: None
0x0000: 0000 0000
Session Timeout Attribute (27), length: 6, Value: 01:12 min
0x0000: 0000 0048

In this case authorization succeeded and the user may surf the Internet for the allowed time.


When the allowed time is exhausted the session is closed and all user requests are again redirected to the authorization page. The RADIUS server then receives an Accounting-Stop packet; its dump, captured with tcpdump, is below:

22:22:41.742386 IP (tos 0x0, ttl 64, id 45628, offset 0, flags [DF], length:207)
10.1.2.67.1024 > 10.1.2.105.1813: [udp sum ok] RADIUS, length: 179
Accounting Request (4), id: 0x14, Authenticator:
d062970d37cae32f03f37ed8d96b300f
NAS ID Attribute (32), length: 10, Value: MikroTik
0x0000: 4d69 6b72 6f54 696b
NAS Port Type Attribute (61), length: 6, Value: Ethernet
0x0000: 0000 000f
Calling Station Attribute (31), length: 19, Value: 00:40:F4:59:ED:7A
0x0000: 3030 3a34 303a 4634 3a35 393a 4544 3a37
0x0010: 41
Called Station Attribute (30), length: 19, Value: 00:0C:29:11:45:64
0x0000: 3030 3a30 433a 3239 3a31 313a 3435 3a36
0x0010: 34
NAS Port ID Attribute (87), length: 8, Value: ether2
0x0000: 6574 6865 7232
Username Attribute (1), length: 9, Value: hsptest
0x0000: 6873 7074 6573 74
NAS Port Attribute (5), length: 6, Value: -2146435064
0x0000: 8010 0008
Accounting Session ID Attribute (44), length: 10, Value: 80100008
0x0000: 3830 3130 3030 3038
Framed IP Address Attribute (8), length: 6, Value: 192.168.0.2
0x0000: c0a8 0002
Accounting Session Time Attribute (46), length: 6, Value: 01:12 min
0x0000: 0000 0048
Accounting Input Octets Attribute (42), length: 6, Value: 5699
0x0000: 0000 1643
Accounting Output Octets Attribute (43), length: 6, Value: 61042
0x0000: 0000 ee72
Accounting Input Giga Attribute (52), length: 6, Value: 0
0x0000: 0000 0000
Accounting Output Giga Attribute (53), length: 6, Value: 0
0x0000: 0000 0000
Accounting Input Packets Attribute (47), length: 6, Value: 49
0x0000: 0000 0031
Accounting Output Packets Attribute (48), length: 6, Value: 51
0x0000: 0000 0033
Accounting Status Attribute (40), length: 6, Value: Stop
0x0000: 0000 0002
Accounting Termination Cause Attribute (49), length: 6, Value: Session Timeout
0x0000: 0000 0005
NAS IP Address Attribute (4), length: 6, Value: 10.1.2.67
0x0000: 0a01 0243
Accounting Delay Attribute (41), length: 6, Value: 00 secs
0x0000: 0000 0000

The following records should appear in the RADIUS server log file:

Acct: Packet from MikroTik
?Debug : Oct 01 22:15:54 RADIUS Acct: Acct packet with session ID: 80100007
?Debug : Oct 01 22:15:54 RADIUS Acct: Acct-Stop packet
?Debug : Oct 01 22:15:54 RADIUS DBA: Dialup Discount: TR ID 1: 0.019 for 67 sec

These lines show that the session has been rated and charged to the user's personal account.
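The Access-Request, Access-Accept and Accounting-Stop exchange shown in the three dumps above, as an added example in Python that is neither UTM5 nor MikroTik code. It encodes and decodes RADIUS attributes (RFC 2865/2866), verifies the CHAP-Password the router sends, derives the Session-Timeout from the card's remaining credit the way the "Calculated maximum session time" log line does, rates an Accounting-Stop from Acct-Session-Time, and shows the flip side of CHAP: whoever records one challenge/response pair can search a short PIN offline without ever contacting the server. The attribute values of the sample request are taken from the Access-Request dump above; the PIN 4711, the shared secret, the tariff and the account lookup are constructed for the example.

```python
"""RADIUS codec for the hotspot exchange above (RFC 2865/2866).
Added example, not UTM5 or MikroTik code.  Attribute values are reused from
the dumps; PIN, shared secret and tariff are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, CHAP_PASSWORD, NAS_IP, NAS_PORT, FRAMED_IP, SESSION_TIMEOUT = 1, 3, 4, 5, 8, 27
CALLED_STATION, CALLING_STATION, NAS_ID, ACCT_STATUS, ACCT_SESSION_ID = 30, 31, 32, 40, 44
ACCT_SESSION_TIME, CHAP_CHALLENGE, NAS_PORT_TYPE, NAS_PORT_ID = 46, 60, 61, 87
ACCT_STOP = 2  # Acct-Status-Type value


def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    """(code, ident, authenticator, [(type, value), ...]); raises ValueError when
    the length field or an attribute length does not fit the datagram."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def get(attrs, t):
    return next((v for a, v in attrs if a == t), None)

def chap_response(chap_ident, password, challenge):
    """RFC 2865 5.3: ident || MD5(ident || password || challenge)."""
    return bytes([chap_ident]) + hashlib.md5(bytes([chap_ident]) + password + challenge).digest()

def chap_verify(attrs, request_auth, password):
    """The challenge is CHAP-Challenge or, if absent, the Request Authenticator.
    The server must hold the password (PIN) in cleartext to do this."""
    resp = get(attrs, CHAP_PASSWORD)
    if resp is None or len(resp) != 17:
        return False
    challenge = get(attrs, CHAP_CHALLENGE) or request_auth
    return hmac.compare_digest(resp, chap_response(resp[0], password, challenge))

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    pkt = encode(code, ident, request_auth, attrs)
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()

def max_session_seconds(balance, price_per_hour):
    """The billing log's "Calculated maximum session time"."""
    return int(balance * 3600 / price_per_hour) if price_per_hour > 0 else 0

def handle_access_request(pkt, secret, lookup, price_per_hour):
    """Server side.  lookup(username) -> (password, balance) or None.
    Wrong PIN, unknown user and exhausted credit all yield Access-Reject."""
    _, ident, request_auth, attrs = decode(pkt)
    user = get(attrs, USER_NAME)
    account = lookup(user.decode()) if user is not None else None
    reply, reply_attrs = ACCESS_REJECT, []
    if account and chap_verify(attrs, request_auth, account[0].encode()):
        seconds = max_session_seconds(account[1], price_per_hour)
        if seconds > 0:
            reply, reply_attrs = ACCESS_ACCEPT, [(SESSION_TIMEOUT, struct.pack("!I", seconds))]
    auth = response_authenticator(reply, ident, request_auth, reply_attrs, secret)
    return encode(reply, ident, auth, reply_attrs)

def rate_accounting_stop(pkt, price_per_hour):
    """(seconds, charge) for an Accounting-Stop, like the log's "Dialup Discount"
    line; None for any other packet."""
    code, _, _, attrs = decode(pkt)
    status = get(attrs, ACCT_STATUS)
    if code != ACCOUNTING_REQUEST or status is None or struct.unpack("!I", status)[0] != ACCT_STOP:
        return None
    seconds = struct.unpack("!I", get(attrs, ACCT_SESSION_TIME))[0]
    return seconds, round(seconds * price_per_hour / 3600, 3)

def guess_pin(attrs, request_auth, candidates):
    """What a sniffer on the open network can do with one captured exchange."""
    return next((p for p in candidates if chap_verify(attrs, request_auth, p.encode())), None)

def build_access_request(ident, username, password):
    """NAS side, attribute values as in the Access-Request dump above."""
    challenge, request_auth, chap_ident = os.urandom(16), os.urandom(16), os.urandom(1)[0]
    attrs = [(NAS_ID, b"MikroTik"), (NAS_PORT_TYPE, struct.pack("!I", 15)),
             (CALLING_STATION, b"00:40:F4:59:ED:7A"), (CALLED_STATION, b"00:0C:29:11:45:64"),
             (NAS_PORT_ID, b"ether2"), (USER_NAME, username.encode()),
             (NAS_PORT, bytes.fromhex("80100008")), (ACCT_SESSION_ID, b"80100008"),
             (FRAMED_IP, bytes([192, 168, 0, 2])), (CHAP_CHALLENGE, challenge),
             (CHAP_PASSWORD, chap_response(chap_ident, password.encode(), challenge)),
             (NAS_IP, bytes([10, 1, 2, 67]))]
    return encode(ACCESS_REQUEST, ident, request_auth, attrs)
```

A request built by build_access_request is 156 bytes long, the same as the captured one, because it carries the same attributes with the same lengths. The guess_pin function is the reason a four-digit prepaid PIN sent with CHAP over an open network is not really secret: ten thousand MD5 computations take a fraction of a second, and nothing in the protocol lets the server notice the search.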

Deploying a Hotspot on basis of D-Link DSA-3100 and
the ISP billing system NetUP UTM5


General scheme of Hotspot arrangement on basis of D-Link DSA-3100 router and billing system NetUP UTM v5

In this scheme, IP address allocation (via DHCP), the authorization page and switching Internet access on and off are handled by a D-Link router (www.dlink.com), model DSA-3100 (hereafter "router"). Tariffs and the user database are kept in the billing system on a separate server; authorization and accounting are processed via the RADIUS protocol.


Authorization settings on router

Authorization interface settings

With these settings, a user connecting to the wireless network automatically obtains (via DHCP) an IP address, default gateway and DNS server, and by default all packets from the client are forwarded to the router's authorization page:


After the user has entered a login and password, the router attempts to authorize the user via the RADIUS server. If the RADIUS server confirms the authorization, Internet access is switched on and a browser window showing the connection status opens:




Deploying a Hotspot on Basis of Wireless Access Point
Nomadix AG-2000w Wireless Gateway™
and ISP billing system NetUP UTM5

In the hotspot solution based on the Nomadix AG-2000w Wireless Gateway (hereafter "AG"; figure 1), IP address allocation via DHCP, the authorization page and switching Internet access on and off are performed by the device itself. Tariffs, the user database and accounting are located on a separate server running the UTM5 billing system.

Figure 1. General scheme of a Hotspot solution on basis of Nomadix AG-2000w Wireless Gateway
and ISP billing system NetUP UTM

Authorization and accounting are processed via the RADIUS protocol, so the AG must be configured for RADIUS through its web interface: open the page /AG/Configuration/RADIUS Options in the settings menu and set the Secret Key, the IP address and the ports of the RADIUS server. The NAS settings must also be specified (figure 2), and the corresponding entries added in the UTM Administrator Control Center (figure 3).

Figure 2. RADIUS settings in Nomadix AG-2000w Web interface.
Figure 3. NAS list in UTM5 Java interface

IP addresses are allocated by the built-in DHCP server, configured on the page /AG/Configuration/DHCP, where a range of guest addresses with the appropriate subnet mask is set:

Figure 4. DHCP server settings in Nomadix AG-2000w Web interface

After the settings have been applied, a user connecting to the network receives via DHCP an IP address from the specified range, a default gateway and a DNS server address. By default all packets from the client are forwarded to the AG authorization page. After a login and password have been entered there, the gateway attempts to authorize the user via the RADIUS server; if the server confirms that the login and password are correct, the user obtains Internet access.

If a user neither sends nor receives packets (he has finished surfing or simply left), the AG starts an idle timer and closes the session after 10 minutes of inactivity. This idle time is not included when the session is charged, so only actual session time is rated.

The schemes above were verified on NetUP's test bench.
If you have any questions about this article, please e-mail us at: info@utm-billing.com