Setup guide

amount of traffic each of its clients has used, and can also send this information to a RADIUS
server. The HotSpot system may limit each particular user's bitrate, total amount of traffic, uptime
and some other parameters mentioned further in this document.
The HotSpot system is targeted at providing authentication within a local network, but may as well be
used to authorize access from outer networks to local networks. By configuring firewall rules, it is
possible to exclude some IP networks and protocols from authentication and/or accounting. The
walled garden feature allows users to access some web pages without the need for prior
authentication.
HotSpot system is rather simple by itself, but it must be used in conjunction with other features of
RouterOS. Using many RouterOS features together it is possible to make a Plug-and-Play access
system.
There are two login methods for HotSpot users - dhcp-pool and enabled-address. The
enabled-address method is the preferred one in most cases, but if you want to bind usernames and
IP addresses together (i.e. if you want a user to get the same IP address no matter which computer
he/she is using), then the dhcp-pool method is the only possibility.
The Initial Contact
First, a client gets an IP address. It may be set statically or be given out by a DHCP server. If the
client tries to access network resources using a web browser, the destination NAT rule redirects that
TCP connection request to the HotSpot servlet (TCP port 8088 for HTTP by default; HTTPS may
also be used on its default TCP port 443). This brings up the HotSpot Welcome/Login page, where
the user should input his/her username and password (the login page may be customized as described
later on).
It is very important to understand that the login method for a particular user is determined only after
the user is authenticated; the router makes no assumptions about it before that.
Walled Garden
It is possible to specify a number of domains which can be accessed without prior registration. This
feature is called Walled Garden. When a user who is not logged in sends an HTTP request to an allowed
web page, the HotSpot gateway redirects the request to the original destination (or to a specified
parent proxy). Once a user is logged in, this table has no effect on him/her.
To implement the Walled Garden feature, an embedded web proxy server has been designed, so all
requests from unauthorized users actually pass through this proxy. Note that the embedded
proxy server does not have a caching function yet. Also note that this embedded proxy server is part of
the hotspot software package and does not require the web-proxy package.
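The following is an added example, not RouterOS code, modelling the decision the gateway makes for an HTTP request from an unauthenticated client, as described in The Initial Contact and Walled Garden above: pass the request to its original destination (or to a parent proxy) when the host is in the walled garden, otherwise redirect it to the login page on the HotSpot servlet. The gateway address, the walled-garden entries, the "logged in" set and the `dst=` query parameter on the login URL are constructed assumptions for the example; the real servlet port and login URL may differ.

```python
"""Walled-garden routing model for a HotSpot gateway (added example, not RouterOS code)."""
from urllib.parse import quote

HOTSPOT_HOST = "10.5.50.1"   # assumed gateway address
SERVLET_PORT = 8088          # default HTTP servlet port named in the text


def host_matches(pattern: str, host: str) -> bool:
    """Walled-garden host match: an exact name, or a '*.example.com' style
    pattern that matches any host ending in '.example.com'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def parse_request(raw: bytes):
    """Return (method, path, host) from the request line and the Host header.
    The port suffix in the Host header is dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().split(":")[0]
    return method, path, host


def route(client_ip, raw_request, logged_in, walled_garden, parent_proxy=None):
    """Decide what the gateway does with one HTTP request.

    Returns one of:
      ("pass", host, path)        forward to the original destination
      ("proxy", proxy, url)       hand the full URL to the parent proxy
      ("redirect", login_url, None)  send the client to the login page
    """
    method, path, host = parse_request(raw_request)
    original_url = f"http://{host}{path}"

    # Logged-in users are unaffected by the walled-garden table.
    if client_ip in logged_in:
        return ("pass", host, path)

    # Not logged in: only walled-garden hosts get through the embedded proxy.
    if any(host_matches(p, host) for p in walled_garden):
        if parent_proxy:
            return ("proxy", parent_proxy, original_url)
        return ("pass", host, path)

    # Everything else is redirected to the HotSpot servlet's login page; the
    # original URL is carried along so the user can be sent back after login.
    login_url = (f"http://{HOTSPOT_HOST}:{SERVLET_PORT}/login"
                 f"?dst={quote(original_url, safe='')}")
    return ("redirect", login_url, None)


if __name__ == "__main__":
    # Constructed sample request from a client that has not logged in yet.
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print(route("10.5.50.10", req, set(), ["*.example.com"]))
    print(route("10.5.50.10", req, set(), ["other.org"]))
```

Note that the matching happens on the HTTP Host header, which is why the walled garden only helps for plain HTTP from an unauthenticated client; anything not on the allowed list, or not HTTP at all, never reaches the destination until the user has logged in.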
Authentication
In the case of the HTTP protocol, the HotSpot servlet generates an MD5 hash challenge to be used together
with the user's password for computing the string which will be sent to the HotSpot gateway. The
hash result together with the username is sent over the network to the HotSpot service (so the password is never
sent in plain text over the IP network). On the client side, the MD5 algorithm is implemented in JavaScript
code on the login page, so if a browser does not support JavaScript (like, for example, Internet Explorer 2.0), it will
not be able to authenticate users. It is possible to allow unencrypted passwords to be accepted, but it
is not recommended to use this feature. Note that the challenge only keeps the password itself off the
wire: an observer who captures the challenge and the hashed response can still test candidate passwords
offline against it, so weak passwords remain guessable, and the hashing gives no protection to the
traffic exchanged after login.
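The exchange described above, as an added example that is not RouterOS code: the gateway issues a challenge, the client (the role played by the JavaScript on the login page) hashes its password with it, and the gateway verifies the result against the stored password. The exact concatenation order `chap-id + password + challenge` and the one-byte CHAP id are assumptions modelled on the variables the RouterOS login page exposes; the user list is constructed for the example. The last function shows the caveat: a captured challenge and response are enough to brute-force a weak password offline.

```python
"""HotSpot HTTP (CHAP-style) login exchange (added example, not RouterOS code)."""
import hashlib
import os
import secrets

# Constructed local user list (the gateway keeps plain passwords so that it
# can recompute the response; a RADIUS server would do the same).
USERS = {"alice": "s3cret-pw", "bob": "hunter2"}


def new_challenge():
    """Gateway side: a one-byte CHAP id and a random 16-byte challenge,
    fresh for every login page served (assumed sizes)."""
    return bytes([secrets.randbelow(256)]), os.urandom(16)


def chap_response(chap_id: bytes, password: str, challenge: bytes) -> str:
    """Client side: what the login page's JavaScript computes and submits in
    place of the password (assumed order: id || password || challenge)."""
    return hashlib.md5(chap_id + password.encode() + challenge).hexdigest()


def build_login_form(username: str, password: str, chap_id: bytes, challenge: bytes):
    """Client side: the form fields that actually cross the network. The
    'password' field carries the 32-hex-digit digest, never the password."""
    return {"username": username,
            "password": chap_response(chap_id, password, challenge)}


def verify_login(username: str, response_hex: str, chap_id: bytes, challenge: bytes) -> bool:
    """Gateway side: recompute the expected digest from the stored password
    and compare in constant time. A response computed for a different
    challenge does not verify, which is what stops simple replay."""
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = chap_response(chap_id, stored, challenge)
    return secrets.compare_digest(expected, response_hex)


def offline_guess(response_hex: str, chap_id: bytes, challenge: bytes, wordlist):
    """Attacker side: with a sniffed challenge and response, test candidate
    passwords offline. The hash hides the password from a casual sniffer but
    does not make a weak password safe."""
    for candidate in wordlist:
        if chap_response(chap_id, candidate, challenge) == response_hex:
            return candidate
    return None


if __name__ == "__main__":
    cid, ch = new_challenge()
    form = build_login_form("bob", "hunter2", cid, ch)
    print("on the wire:", form)
    print("gateway accepts:", verify_login("bob", form["password"], cid, ch))
    print("offline guess:", offline_guess(form["password"], cid, ch,
                                          ["password", "hunter2", "letmein"]))
```

The constant-time comparison and the per-page challenge are the two details worth keeping if you ever re-implement a login page of this kind; the offline-guessing function is the reason the manual's "not recommended" warning about accepting unencrypted passwords should be read together with a requirement for strong passwords, or better, the HTTPS login method.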
If the HTTPS protocol is used, the HotSpot user just sends his/her password without additional hashing. In