Tag archive: Mikrotik

MikroTik Hotspot Login by HTTP CHAP, HTTP PAP and HTTPS

MikroTik Hotspot supports several login methods. Among them, HTTP CHAP, HTTP PAP and HTTPS are the basic and most important ones, so a MikroTik system administrator should understand them properly. In my previous article I discussed how to configure MikroTik Hotspot using Winbox. In this article I will discuss how to use the HTTP CHAP, HTTP PAP and HTTPS login methods properly in MikroTik Hotspot Server.




Hotspot Login by MAC Cookie




MikroTik Hotspot Login by HTTP CHAP   




HTTP CHAP is the basic, default MikroTik Hotspot login method, so when Hotspot is configured on a MikroTik Router, HTTP CHAP is enabled automatically. With HTTP CHAP, the login page includes a CHAP challenge. The browser combines this challenge with the user's password and computes an MD5 hash of the result; that hash, together with the username, is sent over the network to the Hotspot service. So, with HTTP CHAP the password itself is never sent in plain text over the IP network. The downside of HTTP CHAP is that the MD5 algorithm is implemented in JavaScript in the client browser, so a browser that does not support JavaScript, or has it disabled, will not be able to authenticate users.
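The difference between what HTTP CHAP and HTTP PAP put on the wire, and how the gateway checks a CHAP hash, as an added example that is not part of the original article and is not RouterOS code. The field names, the sample credentials and the 1-byte id / 16-byte challenge sizes are assumptions of this sketch; the hash input order is the standard CHAP one (id, password, challenge).

```python
import hashlib
import hmac
import secrets


def new_challenge():
    """Gateway: issue a fresh CHAP id and random challenge with the login page.
    The 1-byte id and 16-byte challenge sizes are assumptions of this sketch."""
    return secrets.token_bytes(1), secrets.token_bytes(16)


def chap_response(chap_id: bytes, password: str, challenge: bytes) -> str:
    """Browser: MD5 over id + password + challenge (standard CHAP order)."""
    return hashlib.md5(chap_id + password.encode() + challenge).hexdigest()


def login_fields(method: str, username: str, password: str,
                 chap_id: bytes = b"", challenge: bytes = b"") -> dict:
    """What the login form puts on the wire for each method."""
    if method == "http-pap":
        return {"username": username, "password": password}
    if method == "http-chap":
        return {"username": username,
                "password": chap_response(chap_id, password, challenge)}
    raise ValueError(f"unknown login method: {method}")


def gateway_verify(stored_password: str, chap_id: bytes, challenge: bytes,
                   received: str) -> bool:
    """Gateway: recompute from its own copy of the password and compare
    in constant time."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    chap_id, challenge = new_challenge()
    form = login_fields("http-chap", "alice", "s3cret-pass", chap_id, challenge)
    print("CHAP form:", form)
    print("accepted:", gateway_verify("s3cret-pass", chap_id, challenge,
                                      form["password"]))
    # The same hash does not verify against the next login page's challenge.
    chap_id2, challenge2 = new_challenge()
    print("replayed:", gateway_verify("s3cret-pass", chap_id2, challenge2,
                                      form["password"]))
    print("PAP form:", login_fields("http-pap", "alice", "s3cret-pass"))
```

Because the challenge changes with every login page, a hash recorded from one login is rejected on the next, while the PAP form carries the password itself every time.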






How to Enable HTTP CHAP Login Method




HTTP CHAP is a secure Hotspot login method, so we should use it in a Hotspot network. Because HTTP CHAP is the default login method in MikroTik Hotspot, no action is required to enable it, but make sure it is enabled and working normally by following the steps below.




  • Log in to the MikroTik Router using Winbox as a user with full permissions.
  • Go to the IP > Hotspot menu item. The Hotspot window will appear.
  • Click on the Server Profiles tab and then double click on the active server profile. The active server profile property window will appear.
  • Click on the Login tab and make sure the HTTP CHAP checkbox is selected in the Login By panel. If it is not selected, click on the HTTP CHAP checkbox to enable the HTTP CHAP login method and click the Apply and OK buttons.




Enabling HTTP CHAP in MikroTik Hotspot




MikroTik Hotspot Login by HTTP PAP




HTTP PAP sends the username and password in plain text over the network. So, HTTP PAP is not secure and is not suitable for a public network. But HTTP PAP is faster and can be used in a private network where security is not much of a concern.




How to Enable/Disable HTTP PAP Login Method




As there is always a possibility of leaking the username and password with the HTTP PAP login method, it is not recommended to use HTTP PAP in a public Hotspot network. But in a private network, we may consider HTTP PAP as a faster login method. The following steps show how to enable or disable HTTP PAP in a Hotspot network.




  • Go to the IP > Hotspot menu item. The Hotspot window will appear.
  • Click on the Server Profiles tab and then double click on the active server profile. The active server profile property window will appear.
  • Click on the Login tab. If you wish to disable HTTP PAP, make sure the HTTP PAP checkbox in the Login By panel is not selected. By default HTTP PAP is kept disabled.
  • If you wish to keep HTTP PAP in the Hotspot network, click on the HTTP PAP checkbox to enable the HTTP PAP login method and click the Apply and OK buttons.




Disabling HTTP PAP in Hotspot Network




MikroTik Hotspot Login by HTTPS




HTTPS sends the username and password to the Hotspot Server in plain text, but it uses the SSL protocol to encrypt the transmission. So, although the username and password are sent as plain text, there is no need to worry, because the transmission is always encrypted in HTTPS communication and there is no chance of leaking the username and password in a public Hotspot network.




HTTPS is one of the most secure Hotspot login methods, and today there is no alternative to HTTPS login, because most websites now use HTTPS and, without HTTPS login, HTTPS Redirect is not possible. So, HTTPS is now a strongly recommended Hotspot login method.






How to Enable HTTPS Login 




HTTPS Login requires enabling the HTTPS Server, and the HTTPS Server requires an SSL certificate, either a self-signed certificate or a public SSL certificate. I have a separate article where I discussed how to enable HTTPS Login and HTTPS Redirect with a self-signed or public SSL certificate. So, follow that article to configure complete HTTPS Login and HTTPS Redirect.




MikroTik Hotspot Login by HTTP Cookie and MAC Cookie  




HTTP Cookie and MAC Cookie are two extended login methods in MikroTik Hotspot. They cannot be used as login methods on their own; rather, we need to use HTTP Cookie and MAC Cookie together with one of the basic login methods: HTTP CHAP, HTTP PAP or HTTPS. By default, a user must provide a username and password at the login prompt every time he/she wants to get internet access from the Hotspot Server. But sometimes users get annoyed at entering the username and password so frequently. Considering this situation, MikroTik introduced HTTP Cookie and MAC Cookie, which keep the user credentials in a cookie at the first successful login. When the same user appears a second time, the user is verified against this saved cookie and allowed internet access without being shown the login prompt.




How HTTP Cookie Works  




After each successful login, a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list. The next time the same user tries to log in, the web browser will send the saved HTTP cookie. This cookie is compared with the one stored on the Hotspot Server, and only if the source MAC address and the randomly generated ID match the ones stored on the Hotspot Server is the user automatically logged in, using the login information (username and password pair) that was used when the cookie was first generated. Otherwise, the user is prompted to log in, and if authentication is successful, the old cookie is removed from the local Hotspot active cookie list and a new one with a different random ID and expiration time is added to the list and sent to the web browser.




How to Enable HTTP Cookie




HTTP Cookie is enabled by default in the default Hotspot configuration. But you can check whether HTTP Cookie is enabled by following the steps below.




  • Go to IP > Hotspot menu item. Hotspot window will appear.
  • Click on Server Profiles tab and then double click on active server profile. Active server profile property window will appear.
  • Click on Login tab and make sure Cookie checkbox is checked if you wish to enable HTTP Cookie.
  • We can also set HTTP Cookie expiration time from HTTP Cookie Lifetime input box. By default Cookie lifetime is set to 3 days.




Enabling HTTP Cookie in Hotspot Server




How MAC Cookie Works




MAC Cookie is a newly introduced login method in MikroTik Hotspot. MAC Cookie improves accessibility for smartphones, laptops and other mobile devices. MAC Cookie keeps a record of the username and password for the MAC address if there is only one host with that MAC address. Unlike HTTP Cookie, with the MAC Cookie login method the cookie is saved only in the Hotspot Server at the first successful login. When a new host appears, Hotspot checks whether there is a MAC Cookie record for the MAC address and logs the host in using the recorded username and password.






How to Enable MAC Cookie




MAC Cookie should be enabled in both the Hotspot Server profile and the Hotspot user profile, otherwise MAC Cookie will not work. How to enable MAC Cookie has been discussed in detail in another article. So, follow that article to enable MAC Cookie in a Hotspot network properly.




How to enable and configure the MikroTik Hotspot basic login methods (HTTP CHAP, HTTP PAP and HTTPS, with HTTP Cookie and MAC Cookie) has been discussed in this article. I hope you will now be able to tune your Hotspot network with the proper login method. However, if you face any confusion in tuning the Hotspot login methods properly, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.



2020-07-25T15:43:09
MikroTik Hotspot Tutorials & Guides

MikroTik Hotspot Login by MAC Cookie Configuration

MAC Cookie is a newly introduced Hotspot feature in MikroTik Router. MAC Cookie is specially designed to improve accessibility for smartphones, laptops and other mobile devices. MAC Cookie is not a basic login method; rather, it is an extension of the basic Hotspot login methods such as HTTP CHAP, HTTP PAP and HTTPS. So, when MAC Cookie is used with these basic Hotspot login methods, it improves Hotspot user accessibility. In my previous article, I discussed MikroTik Hotspot basic configuration using Winbox with the default HTTP CHAP login method. In this article I will discuss how to configure MAC Cookie login in MikroTik Hotspot to improve Hotspot accessibility.




MAC Cookie MikroTik Hotspot




MikroTik Hotspot MAC Cookie




As MAC Cookie is not a basic login method, it should be used with the other basic login methods (HTTP CHAP, HTTP PAP and HTTPS). So, when MAC Cookie is enabled with other login methods, the following activities happen in MikroTik Hotspot.




MAC Cookie Keeps Cookie after First Successful Login




If MAC Cookie is used with the basic login methods, it keeps a record of the username and password for the MAC address after the first successful login, but the username and password must be used from only one MAC address. The cookie is kept in the MikroTik Router until the cookie timeout period expires.




Hotspot Checks MAC Cookie Record When New Host Appears




When a new host appears in Hotspot, Hotspot checks the MAC Cookie record for the MAC address and logs the host in using the recorded username and password if a record is found for that MAC address. If there is more than one host with the same MAC address, the user will not be logged in and the MAC Cookie record for this MAC address will be deleted.

Cookie Is Removed with MAC Cookie Removal Activities


The cookie is kept in the MikroTik Router until the MAC Cookie timeout period expires. But the cookie can also be removed by the following activities.




  • After a successful login, if the user clicks on the logout button, the cookie will be removed from the MikroTik Router.
  • If the admin disconnects the user manually from the RADIUS Server or from the Hotspot active menu, the cookie will be removed.
  • If the user limit reaches the maximum, the cookie will be removed by the NAS-Request.




MAC Cookie Configuration in MikroTik Hotspot




So far we have seen how MAC Cookie works in MikroTik Router. Now we will see how to configure MAC Cookie in MikroTik Hotspot. MAC Cookie has to be enabled in two places. So, MAC Cookie configuration can be divided into the following two parts.




  • Enabling MAC Cookie in Hotspot Server Profile.
  • Enabling MAC Cookie in User Profile.




Part 1: Enabling MAC Cookie in Hotspot Server Profile




To use the MAC Cookie feature in MikroTik Hotspot, we first have to enable MAC Cookie in the Hotspot Server Profile. The following steps show how to enable MAC Cookie in the MikroTik Hotspot Server Profile.




  • Log in to the MikroTik Router with Winbox using the login credentials of a user with full permissions.
  • Go to the IP > Hotspot menu item. The Hotspot window will appear.
  • Click on the Server Profiles tab and then double click on the active server profile.
  • In the active server profile window, click on the Login tab and then click on the MAC Cookie checkbox.
  • Click the Apply and OK buttons.




Enabling MAC Cookie in Hotspot Server




MAC Cookie is now enabled in the Hotspot Server. Now we need to enable MAC Cookie in the Hotspot User Profile for those users for whom we want to enable the MAC Cookie feature.




Part 2: Enabling MAC Cookie in Hotspot User Profile




MAC Cookie will not be enabled at user level (even though we have enabled it in the Hotspot Server) until we enable MAC Cookie in the Hotspot User Profile. The following steps show how to enable MAC Cookie in the Hotspot User Profile.




  • In the Hotspot window, click on the User Profiles tab and then double click on the user profile for which we want to enable the MAC Cookie feature. The Hotspot User Profile window will now appear.
  • On the General tab, click on the Add MAC Cookie checkbox.
  • The default MAC Cookie Timeout period is 3 days. If we want to change the MAC Cookie Timeout period, enter the timeout period in the MAC Cookie Timeout input box.
  • Click the Apply and OK buttons.




Enabling MAC Cookie in Hotspot User Profile




The MAC Cookie feature is now enabled for users of this profile. If we wish to enable MAC Cookie for more users, we can do that by following the above steps.




Difference between MAC Cookie and HTTP Cookie in MikroTik Hotspot




Sometimes we may be confused about the Hotspot MAC Cookie and HTTP Cookie methods and think they are the same thing. But MAC Cookie and HTTP Cookie are not the same; they are two different Hotspot login mechanisms. The following list shows how their mechanisms differ.




  • HTTP Cookie is saved both in the user's browser and in the MikroTik Router after the first successful login, whereas MAC Cookie is saved only in the MikroTik Router.
  • With HTTP Cookie, the cookie is sent by the user's browser and matched against the local cookie. If they match, the user is logged in automatically; otherwise the login window is shown. With MAC Cookie, the new host's MAC address is matched against the local MAC Cookie record.
  • With HTTP Cookie, the user's browser must be involved, but with MAC Cookie the browser has no role.




So, HTTP Cookie and MAC Cookie are different in nature and should be enabled separately in MikroTik Hotspot.
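The two lookups described under "How HTTP Cookie Works" and in the MAC Cookie sections above, side by side, as an added example that is not part of the original articles and is not RouterOS code. The class, its method names, the table layout and the sample MAC address are assumptions of this toy model; the 3-day lifetime is the default stated on the page.

```python
import hmac
import secrets

THREE_DAYS = 3 * 24 * 3600  # default cookie lifetime / timeout stated on the page


class HotspotCookies:
    """Toy model of the router's two cookie tables (hypothetical, not RouterOS)."""

    def __init__(self):
        self.http = {}  # random cookie ID -> (mac, username, expires_at)
        self.mac = {}   # MAC address      -> (username, expires_at)

    def login_ok(self, mac, username, now):
        """Form login succeeded: rotate the HTTP cookie, record the MAC cookie."""
        self.http = {c: r for c, r in self.http.items() if r[1] != username}
        cookie_id = secrets.token_hex(16)
        self.http[cookie_id] = (mac, username, now + THREE_DAYS)
        self.mac[mac] = (username, now + THREE_DAYS)
        return cookie_id  # only this value is handed to the browser

    def http_cookie_login(self, cookie_id, src_mac, now):
        """Browser presents a cookie: ID and source MAC must both match."""
        for known_id, (mac, username, expires) in self.http.items():
            if (hmac.compare_digest(known_id, cookie_id)
                    and mac == src_mac and now < expires):
                return username
        return None  # no match: fall back to the login page

    def mac_cookie_login(self, src_mac, hosts_with_mac, now):
        """New host appears: no browser involved, only the MAC is looked up."""
        record = self.mac.get(src_mac)
        if record is None:
            return None
        username, expires = record
        if hosts_with_mac > 1 or now >= expires:
            del self.mac[src_mac]  # duplicate MAC or timed out: drop the record
            return None
        return username

    def logout(self, src_mac):
        """Logout, admin disconnect or limit reached removes the MAC cookie."""
        self.mac.pop(src_mac, None)


if __name__ == "__main__":
    table, mac = HotspotCookies(), "AA:BB:CC:00:00:01"  # constructed sample MAC
    cookie = table.login_ok(mac, "alice", now=0)
    print(table.http_cookie_login(cookie, mac, now=60))     # alice
    print(table.mac_cookie_login(mac, hosts_with_mac=2, now=60))  # None
```

In this model the MAC Cookie lookup is keyed on the source MAC address alone, so the MAC Cookie Timeout bounds how long that address is accepted without the login page.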




If you face any confusion in following the above steps, watch the following video on MikroTik Hotspot Login By MAC Cookie Configuration. I hope it will clear up any confusion.