 
desertedisland
just joined
Topic Author
Posts: 2
Joined: Thu Apr 11, 2024 9:25 pm

hotspot and radius user authentication and session management

Thu Apr 11, 2024 11:16 pm

Hello!

I am looking to create my own web-based RADIUS server and user management application (I'm a web developer, not a network person) for a wifi network. I think I've figured out most of this but mainly am confused re: session management between the router, RADIUS server and / or user management application. Let's call the external application 'mangoapp'.

Here is what I've come up with so far:

1. User attempts to access the wifi network. They are not authenticated. The MikroTik router is set up with hotspot and external, web-based RADIUS server. The 'login.html' file on the router is a redirect to a web page hosted by mangoapp.
2. The user creates an account / logs in through mangoapp. This creates an entry for them in the mangoapp db. This db is accessible to the RADIUS server.

** This is where things get hazy **

3. The user now tries to access another URL, e.g. google.com
4. To the router the user is still not authenticated. This triggers a request from the router to the RADIUS server.
5. The RADIUS server looks up the user's info which is now correct. The RADIUS server replies with 'Access-Accept' and the user is free to use the wifi.

What I'm struggling with is how, in steps 3 and 4, the router maps the user making the request to google.com with the user who is authenticated to mangoapp? When the router makes the request to the RADIUS server for authentication, how does it know which user it's talking about?

As I understand there are a few alternatives:

1. The router has a network resolvable DNS name, e.g. 'login.mangoapp.com'. When the user completes the authentication with mangoapp they are redirected to this URL with query params / payload of username and some sort of token / shared key that the router can read?
2. Router and mangoapp share a cookie? I have been looking at MAC cookie, is there an identifier in the MAC cookie that is accessible to mangoapp?
3. When the user logs in through mangoapp / the captive portal, somehow the router is aware of the username and password?

Any help is greatly appreciated!
 
abbio90
Member Candidate
Posts: 230
Joined: Fri Aug 27, 2021 9:16 pm

Re: hotspot and radius user authentication and session management

Mon Apr 15, 2024 9:13 am

I don't know mangoapp, but I tried to get my hands on a MikroTik hotspot by dismantling the various HTML files and trying to understand how they work. Meanwhile, if there is any site/address that you need to reach before logging in, you must enter it in /ip hotspot walled-garden. Also, I assume that the RADIUS, whether internal or external, sends the credentials via a curl API POST. If you look at the default page, the POST request for sending credentials is indicated. Unfortunately, the documentation relating to the MikroTik hotspot is a bit sparse. The redirect to another page can be done in many ways. You can also do this by using meta HTTP redirects in the HTML page.
 
desertedisland
just joined
Topic Author
Posts: 2
Joined: Thu Apr 11, 2024 9:25 pm

Re: hotspot and radius user authentication and session management

Sat Apr 20, 2024 9:03 pm

Hi @abbio90, thanks for your reply. Sorry I only just saw this.

Yes, even one of the blogs I saw from a MikroTik person said that the documentation is sparse on this.

I *think* I figured it out. So the router sets a cookie - that is how the user's identity is shared between the three different services. I am still in the early stages of investigating this; I will post here if this works!
 
abbio90
Member Candidate
Posts: 230
Joined: Fri Aug 27, 2021 9:16 pm

Re: hotspot and radius user authentication and session management

Sun Apr 21, 2024 10:25 am

I look forward to your feedback. I finally managed to disassemble the HTML files and do the self-registrations with a script. If you want to take a look, I posted a video of the result here:

https://foisfabio.it/index.php/2024/04/ ... ik-hotspot
