RADIUS Setup and Configuration

Navigation: Help / RADIUS Setup and Configuration

Pre-Configuration Notes and RemindersHotspot ConfigurationPPPoE ConfigurationDHCP ConfigurationPost-Configuration Resources
Introduction
  • Congratulations! Automated authentication is a powerful way to streamline for rapid growth and easy management.
  • On the left-side menu, select whether you want to configure Hotspot, PPPoE, or DHCP to authenticate your customers.
  • For the setup, our tool-of-choice is Winbox. Click the button below to download Winbox from the Mikrotik website.


Initial Setup
  • If you’re using a new Mikrotik router, we recommend resetting the device to remove the preinstalled configuration as it contains settings you will probably not need.
  • To have your MikroTik assign an IP from an upstream DHCP server, go to IP > DHCP Client > add > select wan-facing interface (e.g. eth1)
  • To setup your MikroTik’s static IP, go to IP > addresses > add a static ip address to wan-facing interface (e.g. eth1)
  • To add a default route if you have a static IP on eth1 rather than dhcp, go to IP > Routes > add
  • You may want to  upgrade your RouterOS  to the latest version, from mikrotik.com (Optional)
Making a Backup

Making a backup. We suggest that you make a backup of your current configuration. Go to Files > Backup, then click to backup your current configs to file. Optionally drag-and-drop the new backup file to your desktop to save it locally.

Hotspot

To setup your Hotspot, go to (1) IP > (2) Hotspot > (3) Servers > (4) Hotspot Setup

    • Interface: choose the (LAN) interface that faces your subscribers (Eg. Eth6).


    • Local Address of Network – accept default or modify (if you use public IPs, see Variation 1 below)


    • Address pool of Network – accept default or modify (if you use public IPs, see Variation 1 below)


    • Select Certificate – select ‘none’


    • IP Address of SMTP Server – accept default (usually 0.0.0.0)


    • DNS Servers – set 2 available dns servers (if unknown, enter: 8.8.8.8 and 8.8.4.4)


    • DNS Name – leave it blank


    • Local Hotspot User – Change this username and password to something unique and secure


    • Hotspot Server – Double-click on the new hotspot server that is created (usually named ‘hotspot1’) and perform the following steps:

a. Double-click on the new hotspot profile that is created (usually named ‘hotspot1’) and perform the following steps:
b. On the Address Pool option, select ‘none’ from the drop down (reason: addresses are assigned by DHCP, so this is redundant and can cause issues).
c. Set the login-timeout into five minutes (00:05:00), It’s a period after which if the device hasn’t been authorized itself with the server, the host entry gets deleted from host table. Loop repeats until the device is authenticated.
d. Click the Reset HTML button on the right, confirm by clicking Yes.

Server Profiles
Go to IP > Hotspot > Server Profiles tab. Edit the server profile created in the last step (by default named hsprof1) by double clicking on it:
1. Click RADIUS
2. Select ‘Use Radius’
3. Ensure ‘Accounting’ is checked
4. NAS Port Type = 19 Wireless.
5. Click the Login tab.
6. Check MAC, HTTP CHAP, HTTP PAP, uncheck Cookie
7. Enter ‘visp’ (no quotes) as MAC Auth Password


User Profiles
Go to IP > Hotspot > User Profiles
1. Double-click the default user profile

2. If the ‘Keepalive Timeout’ option has a value in it, click the up-arrow to the right of it to disable the Keep alive timeout.

3. BE SURE THAT THE ADD MAC COOKIE OPTION IS UNCHECKED

4. Choose the Scripts tab and paste the following line into the On Logout section:  /ip hotspot host remove [find where address=”$address” and !authorized and !bypassed] 

IP Bindings (Optional)
Go to IP > Hotspot > IP Bindings.
IP-Binding allows to setup static One-to-One NAT translations, allows to bypass specific HotSpot clients without any authentication, and also allows to block particular hosts and subnets from HotSpot network.
To authenticate Subscribers only within the Hotspot network
1. MAC Address should be default
2. Add the Hotspot network address on the address box
3. Set server = all
4. Set type = regular

To bypass specific subnet (Management IPs)
1. MAC Address should be default
2. Add the network address on the address box
3. Set server = all
4. Set type = bypassed

To block unwanted hosts/subnets from HotSpot network (Eliminating Unwanted Traffic)
1. Add the MAC address of device (optional)
2. Add a quad-zero route with a /0 subnet in the Address line
3. Set server = all
4. Set type = blocked

5. Note: Make sure that the drop rule is added last on the list. It will block all traffic if added to the top.
Walled Garden IP List
Go to IP > Hotspot > Walled Garden IP List tab. This section configures the Mikrotik to allow the subscriber to signup, pay their bills, and login to the service.
1. Add (+ symbol)
2. Action > accept
3. Set Dst. Host: ocsp.godaddy.com
4. Add another the same way with Dst Host: vportal.visp.net
5. Add another the same way with Dst Host: wlogin.userservices.net


Click on image to enlarge
Queues
Go to Queues (left menu)
1. Select the Queue Types tab, and then double-click the default-small queue to open it.

2. Change the default-small queue Kind value to ‘red’ and leave the default settings. The “best” queue type is sometimes subjective, but the general rule is that RED is better due to its design and algorithm that works better with a smaller set of aggregate flows. Yet, sfq works extremely well when you have a scenario where you have lots of “flows” that all aggregate into a single queue. With that, we also recommend sfq as the default small queue type if you are seeing issues with red, this all depends on your setup.

Files
Go to Files (left menu).
1. Populate the fields below for your ISP domain eg. visp.net and optionally the Location ID (which can be left blank). Use the “Generate Login.html File” to download a customized login.html which will be placed in your router.
2. Drag the login.html file from your desktop into the hotspot folder on the file listing. Refer to the video below for instructions:


DNS Settings
Go to IP > DNS > Settings.

  • Enter two available DNS servers such as Google’s public DNS at 8.8.8.8 and 8.8.4.4.
Instructions for RADIUS Setup
Primary RADIUS
This section configures your Primary Radius client on the Mikrotik to communicate with the VISP radius servers. Click Radius (left) and click (+) symbol to add a radius server.
  1. Under General tab, select Hotspot for Service (you may select PPP, for PPPoE service)
  2. Address: 52.89.100.186
  3. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net or from UBO, click the Support Site icon , third from the right in the UBO button bar.
  4. Auth port: 1645
  5. Acct port: 1646
  6. Timeout: 5000ms
  7. Realm: yourdomain.ext (e.g. ubodemo.com)


Secondary RADIUS
  • The following are the steps to add your Secondary Radius server:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. su_spoiler Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.33.139.28
  5. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net or from UBO, click the Support Site icon , third from the right in the UBO button bar.
  6. Auth port: 1645
  7. Acct port: 1646
  8. Modify the timeout value to 5000ms
  9. Realm should display your account domain
  10. Click OK to save settings.


The Mikrotik will sometimes display the hotspot in red implying that it is not running after being added to the bridge. This is easily cured by going to IP / Hotspot / Servers tab, right-click the server and choose disable. Right-click again and choose enable.
Backup RADIUS
  • Here are the steps for adding your Backup Radius server. Select an available backup IP, based on the category below:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. su_spoiler Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.11.200.62 (AWS Radius. Or select one below)
    • Google Cloud RADIUS
      • 104.197.99.33 – 15MB/10MB
      • 23.236.57.151 – 10MB/5MB
      • 104.197.22.129 – 5MB/3MB
      • 104.197.14.68 – Unlimited
  5. Secret: (to be provided via Secure Note. For those who are upgrading to the new RADIUS setup, please coordinate with the Sys Admins for your new secret key)
  6. Auth port: 1645 or port assigned by visp.net
  7. Acct port: 1646 or port assigned by visp.net
  8. Modify the timeout value to 5000ms
  9. You may leave the realm blank
  10. Click OK to save settings.


Optional Configuration
Tower Location ID
  • To support specific packages unique to certain locations, you can use UBO’s Location ID feature.
  • First add the location ID to the login.html file on your mikrotik:
  • From UBO, click File > Settings (or ISP Settings in version 7.x) > Packages > then select or create a new internet package(s) as desired.
  • Select the wireless Package > Options (the gear icon): Check Signup Server and select Internet.


click on the image to enlarge view

  1. Login to the VISP software. Navigate to your Settings > Portals. Click on the Online Signup node.
    • Under Additional Information, put a check on Location ID
    • Now any package with the correct location ID, matching the ID’s stored in the Mikrotik router, gets to see the services for that location.


click on the image to enlarge view

These instructions assume that you have a new Mikrotik with little to no existing configuration.  These instructions specify certain IP ranges which are commonly used; however, you can replace the IP ranges referenced below with your own custom ranges if you wish.  Likewise, if you have a pre-existing PPPoE setup, you can skip all the steps that you have already completed.

Save a Backup
We suggest you make a backup of your current configuration

  • Go to Files > Backup, then click to backup your current configs to file.  Optionally drag-and-drop the new backup file to your desktop to save it locally.

Note that PPPoE does not allow for the optimal captive portal experience.

Configure IP / Addresses
  • Add ip address 10.5.50.1/24 on the customer facing interface.  This range will be used as the gateway IP for active subscribers.
  • Add ip address 10.254.254.1/24 on the customer facing interface.  This range will be used for routing suspended subscribers.
Configure IP Pools
  • Setup a pool containing IP addresses you wish to assign to subscribers.  Name the pool “pppoe-pool” and set the addresses to 10.5.50.2-10.5.50.254 (this will support up to 253 subscribers – expand the pool if you are servicing more subscribers from this PPPoE server).
  • Setup a second pool.  Name the pool “suspended”, with an address range of 10.254.254.2-10.254.254.254.
Configure PPP
  • Click the PPPoE Servers tab and add a new server with the following settings
    • Name: ppp-visp
    • Interface: select your subscriber facing interface
    • Default Profile: default-encryption
    • Authentication: check PAP & CHAP, un-check mschap1 & mschap2
  • Click the Secrets tab
  • Click the “PPP Authentication & Accounting” button, check Use Radius & Accounting, choose OK.
  • Click the Profiles tab and edit the default-encryption profile
    • Local address: 10.5.50.1
    • Remote Address: pppoe-pool
    • DNS Server: 8.8.8.8 & 8.8.4.4 (or use your own)
Configure IP / Firewall
  • On the Address Lists tab, create a new address list with the following settings:
    • Name: suspended
    • Address:  10.254.254.2-10.254.254.254
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • General / Protocol: 17 (udp)
    • General / Dst Port: 53
    • Advanced / Src Address List: suspended
    • Action / Action: accept
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • General / Dst Address: 52.32.157.119
    • General / Protocol: 6 (tcp)
    • General / Dst Port: 80,443
    • Advanced / Src Address List: suspended
    • Action / Action: accept
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • Advanced / Src Address List: suspended
    • Action / Action: drop
Configure IP / Firewall / NAT
  • On the “NAT” tab, add a new rule with the following settings:
    • General / Chain: srcnat
    • General / Src Address: 10.5.50.0/24
    • Action / Action: masquerade
  • On the “NAT” tab, add a new rule with the following settings:
    • General / Chain: srcnat
    • General / Src Address: 10.254.254.0/24
    • Action / Action: masquerade
  • On the “NAT” tab, add a new rule with the following settings:
    • General / Chain: dstnat
    • General / Protocol: 6(tcp)
    • General / Dst Port: 80
    • Advanced / Src Address List: suspended
    • Action / Action: redirect
    • Action / To Ports: 8080
Configure IP / Web Proxy
  • On the General tab, specify the following settings:
    • Check the enabled checkbox
    • Port: 8080
  • Click the “Access” button
  • Add a Web Proxy Access rule with the following settings:
    • Dst Address: 52.32.157.119
    • Action: allow
  • Add another access rule:
    • Action: deny
    • Redirect To: wlogin.userservices.net/redir.php?isp=yourispdomain.com
      (replace yourispdomain.com with your ISPs domain as registered with VISP.NET)
Configure Queues
  • Select the Queue Types tab, and then double-click the default-small queue to open it.
  • Change the default-small queue Kind value to ‘sfq’ and leave the default settings.
Instructions for RADIUS Setup
Primary RADIUS
This section configures your Primary Radius client on the Mikrotik to communicate with the VISP radius servers. Click Radius (left) and click (+) symbol to add a radius server.
  1. Under General tab, select Hotspot for Service (you may select PPP, for PPPoE service)
  2. Address: 52.89.100.186
  3. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net or from UBO, click the Support Site icon , third from the right in the UBO button bar.
  4. Acct port: 1646 or port assigned by visp.net
  5. Timeout: 5000ms
  6. Realm: yourdomain.ext (e.g. ubodemo.com)


Secondary RADIUS
  • The following are the steps to add your Secondary Radius server:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. su_spoiler Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.33.139.28
  5. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net or from UBO, click the Support Site icon , third from the right in the UBO button bar.
  6. Auth port: 1645 or port assigned by visp.net
  7. Acct port: 1646 or port assigned by visp.net
  8. Modify the timeout value to 5000ms
  9. Realm should display your account domain
  10. Click OK to save settings.


The Mikrotik will sometimes display the hotspot in red implying that it is not running after being added to the bridge. This is easily cured by going to IP / Hotspot / Servers tab, right-click the server and choose disable. Right-click again and choose enable.
Backup RADIUS
  • Here are the steps for adding your Backup Radius server. Select an available backup IP, based on the category below:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. su_spoiler Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.11.200.62 (AWS Radius. Or select one below)
    • Google Cloud RADIUS
      • 104.197.99.33 – 15MB/10MB
      • 23.236.57.151 – 10MB/5MB
      • 104.197.22.129 – 5MB/3MB
      • 104.197.14.68 – Unlimited
  5. Secret: (to be provided via Secure Note. For those who are upgrading to the new RADIUS setup, please coordinate with the Sys Admins for your new secret key)
  6. Auth port: 1645 or port assigned by visp.net
  7. Acct port: 1646 or port assigned by visp.net
  8. Modify the timeout value to 5000ms
  9. You may leave the realm blank
  10. Click OK to save settings.


These instructions assume that you have a new Mikrotik with little to no existing configuration.  These instructions specify certain IP ranges which are commonly used; however, you can replace the IP ranges referenced below with your own custom ranges if you wish.

Save a Backup
We suggest you make a backup of your current configuration

  • Go to Files > Backup, then click to backup your current configs to file.  Optionally drag-and-drop the new backup file to your desktop to save it locally.
Configure IP / Addresses
  • Add IP addresses on the customer-facing interface.  This range will be used as the gateway IP for active subscribers.
    • Address: Ex: 100.64.1.1/24, comment: “DHCP_Server_Name-accepted”. This is the IP range for active subscribers.
    • Address: Ex: 192.168.99.1/24, comment: “DHCP_Server_Name-rejected”. This is the IP range for unknown MAC addresses and the suspended subscribers.
  • Optional: Add  Subscriber Management IP addresses on the appropriate VLAN interface.
    • Address: Ex: 10.2.1.1/24, comment: “CPE mgmt Network”.
Create the necessary IP Pools
  • Add the following address pools.
    • Optional: MGMT-{DHCP_Server_Name} 
      • Used for CPE’s MGMT Network
        • Note: using the MGMT (case insensitive) prefix tells the system to never suspend the device.  This should not be used for customer access networks because it will keep the device connected.
    • {DHCP_Server_Name}-accepted
      • IP range for active subscribers. IE: “server1-accepted”
    • {DHCP_Server_Name}-rejected
      • IP range for suspended subscribers. IE: “server1-rejected”
  • With Customer Access, when a subscriber attempts to acquire or renew their IP lease, HyperRADIUS™ will answer with the DHCP Server name followed by an accepted/rejected suffix. For example, if your DHCP Server name is “server1” an accepted subscriber will be directed to get an IP from the “server1-accepted” pool and conversely a subscriber which needs to be redirected to the payment enforcement server will be directed to get an IP from the “server1-rejected” pool. It is therefore critical to keep an exact relationship between your DHCP Server name and the associated Pool names.
  • HyperRADIUS™ has a special use case for management subnets which avoid payment enforcement measures. To support management subnets you add a prefix of “MGMT-” to the pool name. If your DHCP Server name is “server1” than it’s management pool name would be “MGMT-serve1” or “mgmt-server1”. The “mgmt” prefix is case insensitive and tells the system to circumvent the payment enforcement measures.
Setup the DHCP Servers
  • Add a new DHCP server with the following settings: (without the setup button)
    • Name: CustomerAccess or MGMT (this is the {DHCP_Server_Name})
    • Interface: customer-facing-interface
    • Lease-Time: 10min
      • This setting is overruled by the Visp supplied session-timeout so its value is not critical
    • Address-Pool: static-only
    • Authoritative: yes
    • Use-RADIUS: yes
    • Optional: Add DHCP lease script for accounting.
  • Add a Network for each subnet you need to support on this router
    • Be sure to set at least the Address (which is the subnets network address) and the Gateway
    • If you exclude the DNS Servers the customers will inherit the DNS settings from the router’s DNS settings.
Optional: ARP Payment Enforcement Protection.
  • This will cause the router to only work with clients who have received their IP Address via HyperRADIUS™.  Without this setting, it may be possible for a subscriber to circumvent the payment enforcement system.
    • Set ARP to Reply-Only on a customer-facing interface (on the general tab of the bridge or physical interface)
    • Check the “Add ARP for Leases” checkbox on the customer access DHCP Server.
Configure IP / Firewall
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • General / Protocol: 17 (udp)
    • General / Dst Port: 53
    • General / Src Address: 192.168.99.0/24
    • Action / Action: accept
    • Comment: Accept DNS from Suspended Subscribers
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • General / Protocol: 6 (tcp)
    • General / Dst Port: 80
    • Action / Action: accept
    • Comment: Accept web traffic from Suspended Subscribers for redirection
  • On the “Filter Rules” tab, add a new rule with the following settings:
    • General / Chain: forward
    • General / Src Address: 192.168.99.0/24
    • Action / Action: drop
    • Comment: Drop any other traffic from Suspended Subscribers
Configure the Firewall > NAT rules for private IPs including payment redirection subnets
  • Assuming you are using private IP’s you will need to configure NAT either at the tower or at your core. The example below is to configure NAT at the tower.
  • On the “NAT” tab, add a new rule with the following settings (If using private IP’s):
    • General / Chain: srcnat
    • General / Src Address: 100.64.1.0/24 (adjust for customers Private IP pool)
    • Action / Action: masquerade (or src-nat with specified to-address)
      • Note: it is more router resource efficient to use src-nat action in place of masquerade if you are able to configure with a Public IP
  • On the “NAT” tab, add a new rule with the following settings:
    • General / Chain: srcnat
    • General / Src Address: 192.168.99.0/24
    • Action / Action: masquerade
  • On the “NAT” tab, add a new rule with the following settings:
    • General / Chain: dstnat
    • General / Src Address: 192.168.99.0/24
    • General / Protocol: 6(tcp)
    • General / Dst Port: 80
    • Action / Action: redirect
    • Action / To Ports: 8080
    • Comment: Redirect web traffic to web proxy for payment enforcement
Configure the web proxy settings
  • On the General tab, specify the following settings:
    • Check the enabled checkbox
    • Port: 8080
  • Click the “Access” button and add a Web Proxy Access rule with the following settings:
    • Dst Address: 52.32.157.119
    • Action: allow
  • Limit the web proxy to payment enforcement:
    • Action: deny
    • Redirect To: wlogin.userservices.net/dhcp.php?vispid=yourispdomain.com
      (replace yourispdomain.com with your ISPs domain as registered with VISP.NET)
    • Add a firewall rule to restrict the webproxy to suspended customers:
      • add action=drop chain=input comment=\
        “Drop traffic to webproxy except from suspended customers.” dst-port=8080 \
        protocol=tcp src-address=!192.168.99.0/24
      • Note, if your routers are set up for a default drop in the input chain than change this rule to an accept and invert the not on the src-address subnet
Configure Queues
  • Select the Queue Types tab, and then double-click the default-small queue to open it.
  • Change the default-small queue Kind value to ‘sfq’ and leave the default settings.
Critical Note: The DHCP Configuration requires that the Primary, Secondary, and Backup RADIUS configuration includes the DHCP checkbox as checked in addition to the instructions below.
Instructions for RADIUS Setup
Primary RADIUS
This section configures your Primary Radius client on the Mikrotik to communicate with the VISP radius servers. Click Radius (left) and click (+) symbol to add a radius server.
  1. Under General tab, select Hotspot for Service (you may select PPP, for PPPoE service)
  2. Address: 52.89.100.186
  3. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net or from UBO, click the Support Site icon , third from the right in the UBO button bar.
  4. Acct port: 1646 or port assigned by visp.net
  5. Timeout: 5000ms
  6. Realm: yourdomain.ext (e.g. ubodemo.com)


Secondary RADIUS
  • The following are the steps to add your Secondary Radius server:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. su_spoiler Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.33.139.28
  5. Secret field: Click here to securely access the RADIUS shared Secret at support.visp.net or from UBO, click the Support Site icon , third from the right in the UBO button bar.
  6. Auth port: 1645 or port assigned by visp.net
  7. Acct port: 1646 or port assigned by visp.net
  8. Modify the timeout value to 5000ms
  9. Realm should display your account domain
  10. Click OK to save settings.


The Mikrotik will sometimes display the hotspot in red implying that it is not running after being added to the bridge. This is easily cured by going to IP / Hotspot / Servers tab, right-click the server and choose disable. Right-click again and choose enable.
Backup RADIUS
  • Here are the steps for adding your Backup Radius server. Select an available backup IP, based on the category below:
  1. Click Radius – then click the plus sign (+) to add.
  2. Select the General tab
  3. su_spoiler Hotspot for Service (you may select PPP, for PPPoE service)
  4. Enter radius address: 52.11.200.62 (AWS Radius. Or select one below)
    • Google Cloud RADIUS
      • 104.197.99.33 – 15MB/10MB
      • 23.236.57.151 – 10MB/5MB
      • 104.197.22.129 – 5MB/3MB
      • 104.197.14.68 – Unlimited
  5. Secret: (to be provided via Secure Note. For those who are upgrading to the new RADIUS setup, please coordinate with the Sys Admins for your new secret key)
  6. Auth port: 1645 or port assigned by visp.net
  7. Acct port: 1646 or port assigned by visp.net
  8. Modify the timeout value to 5000ms
  9. You may leave the realm blank
  10. Click OK to save settings.


Important
  • We highly recommend starting a test bench first. Once the network has been configured and is running as you expect, you may gradually move into production, starting on the site with the least number of subscribers. Don’t have subscribers yet? You can start a test bench or setup the head-end routers on your live network.
  • In order for the System Administrators to assist you better, please provide a brief diagram or documentation about your network or your expected network setup. Send to sysadmin@visp.net.

images_icon_connection

You will need the following for your test bench

  • Head-end Router (Mikrotik, Peplink, Cisco)
  • Access Point (AP)
  • Customer Premises Equipment (CPE)
  • Desktop, laptop or mobile device
  • Home Router (Optional)

Note: The VISP RADIUS communicates with most head-end routers, however, Mikrotik allows you to use the Captive Portal functionality.

Splash Page
These are the possible reasons a subscriber would be unable to get the captive portal page, after you’ve installed and setup the CPE and then connected it to the AP or Tower:
  • The subscriber is trying to open an HTTPs version of a website. Ask the subscriber to open a Non-HTTPs website like CNN.com or Speedtest.net
  • wlogin.userservices.net is not added on the Walled Garded IP list
  • Subscriber’s IP address is blocked in the IP binding rule. On this same page, go to Configure Hotspot > IP Bindings (Optional)
Authentication Test
  • Let’s start by activating a service for your demo account in the UBO software. Proceed to the  Packages Tab .

add_package

  • Click on the  Add  button, and then  select a service or package  for your account.

select package

  • Add a  username and password  to the service. Click on the  Activate  button when you’re done.

activation

  • If you’re using PPPoE, then the next step may not apply to you. Connect a device (laptop or phone) to your network. Try connecting to the internet. If you see a  Captive Portal  page open requiring you to input a username and password, that means you have successfully connected to the RADIUS. You may now login using the  username and password  you added in the Wireless service.


Speed Testing
To determine that you are getting at least 80% of the speed that you have configured in the Wireless service of your (demo) account, you may take the average from any of the following speed test apps available below:

Reauthentication
  • The first time your subscribers authenticate through the network, their MAC address is automatically captured by the RADIUS and displayed in the software.

reauth

    • The same MAC address is used by the RADIUS to re-authenticate the device between  12AM to 3AM Pacific Time .
    • Changes to the account of the subscriber (upgrade, downgrade, suspensions, etc.) automatically happen during the reauthentication time.
    • You may manually re-authenticate a subscriber by removing their MAC address in the software, and then booting them off from the Mikrotik router.
    • To change an already authenticated device (replacing CPE’s, etc), all you need to do is remove the MAC address from the software and then boot them off from the MIkrotik.

hosts_tab