Deep Dive into Advanced MikroTik Hotspot: RADIUS, Vouchers, and Customization


Hello again! Emmanuel Corels here, from Emmanuel Corels Creatives. If you’ve been following along with our MikroTik Hotspot journey, you already know how to set up a basic captive portal, customize login pages, and manage user accounts. But that’s just the tip of the iceberg. Let’s roll up our sleeves and explore advanced Hotspot features—like integrating RADIUS, creating voucher systems, and fine-tuning your captive portal for the ultimate user experience.


RADIUS and Why It Matters

RADIUS (Remote Authentication Dial-In User Service) is a protocol for centralizing authentication, authorization, and accounting. In simpler terms, it’s like a traffic cop for user logins:

  • Authentication: “Who are you?”
  • Authorization: “What are you allowed to do?”
  • Accounting: “How much time/bandwidth have you used?”

When you integrate RADIUS with your Hotspot, all the user details live on a RADIUS server rather than inside the MikroTik router. This makes life easier if you run multiple Hotspot routers, or if you want a single database of users, time/bandwidth limits, and usage logs.

RADIUS Server Options

  • MikroTik User Manager: A built-in MikroTik package that provides a simple RADIUS server.
  • FreeRADIUS: An open-source option you can host on Linux.
  • Third-Party Services: Commercial solutions offering advanced billing, payment gateways, etc.

Integrating RADIUS with MikroTik Hotspot

Let’s assume you have a RADIUS server up and running (User Manager or otherwise). Here’s how to tie it into your Hotspot:

Under IP → Hotspot, head to the Server Profiles tab.

  • Look for your Hotspot server profile (likely “hsprof1” if you used the default wizard).
  • Edit that profile and check “Use RADIUS.”
  • Also enable “Accounting” if you want to track usage data on the RADIUS server.

Next, go to RADIUS in WinBox (that’s under “IP” in older RouterOS versions, or directly “RADIUS” in newer). Add a new entry for your RADIUS server:

  • Specify the Address (IP or DNS name) of the RADIUS server.
  • Enter the Secret that matches what you set on your RADIUS side.
  • For Service, select “hotspot.”

Save it, and your MikroTik Hotspot will now query the RADIUS server whenever a user tries to log in.


User Manager Basics (MikroTik’s RADIUS Server)

If you don’t have an external RADIUS, consider User Manager. It’s a MikroTik package that you install on your router (or CHR). Once installed, you can access its web interface (usually http://<router-ip>/userman) and create your user accounts, profiles, and more.

Inside User Manager, you’d add a Router entry to let it know about your Hotspot device. Then you can create Users and Profiles, specifying time or traffic limits, speed caps, etc. Whenever someone logs in through the Hotspot, the User Manager database handles their authentication and tracks how long or how much data they use.


Voucher Systems with RADIUS

If you want to hand out vouchers (like “scratch cards” with codes), RADIUS integration can help. The general idea:

  • Generate a batch of temporary usernames and passwords or codes in your RADIUS server (User Manager can do this automatically).
  • Print them out or distribute them in whichever way suits you (e.g., handing them to café customers or hotel guests).
  • When users connect to the Hotspot, they enter the voucher code as their username/password.
  • Once the time or data limit is reached, the account is deactivated or requires renewal.

In MikroTik User Manager, you can create custom Profiles (like a 1-hour voucher, 24-hour voucher, etc.), set the price or just track usage, and generate random user credentials in bulk. The system can display how many remain valid, how many are used up, and you can see usage logs for each.
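For a FreeRADIUS back end, the batch-generation step could look like the following added example (not from the original article, and not how User Manager generates its own credentials): codes come from the OS CSPRNG so one voucher reveals nothing about the next, and each is rendered as a `users`-file entry. The alphabet, the 40-bit minimum, and the one-hour limit are assumptions.

```python
import math
import secrets

# Assumption: alphabet without look-alike characters (0/O, 1/I/L) so that
# printed codes are easy to type from a card.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
MIN_BITS = 40  # assumed floor against online guessing of valid codes


def entropy_bits(length: int) -> float:
    """Bits of entropy in one code of the given length."""
    return length * math.log2(len(ALPHABET))


def generate_vouchers(count: int, length: int = 10) -> list[str]:
    """Return `count` unique codes drawn from the OS CSPRNG."""
    if entropy_bits(length) < MIN_BITS:
        raise ValueError("code too short to resist online guessing")
    codes: set[str] = set()
    while len(codes) < count:
        codes.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return sorted(codes)


def freeradius_entry(code: str, session_seconds: int) -> str:
    """Render one voucher as a FreeRADIUS `users` file entry.

    The code serves as both username and password. Session-Timeout caps a
    single session; a cumulative limit across logins needs accounting-based
    counters on the server.
    """
    return (
        f'{code} Cleartext-Password := "{code}"\n'
        f"\tSession-Timeout = {session_seconds}\n"
    )


if __name__ == "__main__":
    for voucher in generate_vouchers(5):
        print(freeradius_entry(voucher, 3600))
```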


Fine-Tuning Your Captive Portal

MikroTik’s Hotspot can be far more than a plain login box. You might:

  • Add disclaimers: Put your terms of service or usage policy in big letters.
  • Offer multiple login methods: For example, password-based logins for premium access, and a “free trial” button for short, limited sessions.
  • Include a promotional banner: Maybe a rotating image or ad in the login.html.
  • Insert a social media login (with external scripting): Some businesses integrate Facebook or Google sign-in, though that requires more custom coding and external APIs.

If you open the hotspot folder in Files on your MikroTik, you’ll see all the HTML files. The main ones are:

  • login.html: The login page.
  • status.html: The page shown to authenticated users or the “logout” page.
  • redirect.html: Where users might be sent after a successful login.

You can embed CSS, images, or scripts in these pages as needed. Just remember, the browser sees your router as the web server in this scenario.


Walled Garden Revisited

By default, the Hotspot blocks all requests until the user authenticates. But sometimes you need certain sites to bypass the login. The Walled Garden is your friend:

Under IP → Hotspot → Walled Garden, you can allow certain domains or IPs. For example, if you want your customers to see your restaurant’s online menu before logging in, you might do something like:

/ip hotspot walled-garden add dst-host=www.myrestaurantmenu.com action=allow

That means traffic to www.myrestaurantmenu.com never gets trapped by the captive portal. You can also walled-garden the payment gateway so people can pay or renew without being forced offline first.


Advanced Firewall Considerations

When the Hotspot is active, it automatically adds some NAT and filter rules. If you’re also using more advanced firewall setups or custom chains, you’ll want to be aware of how the Hotspot fits in:

  • Hotspot NAT: Usually a rule that intercepts traffic and redirects it to the login page (something like dst-nat to 10.5.50.1 or your Hotspot gateway).
  • Bypassed Users: If certain devices or subnets shouldn’t see the Hotspot at all, you can create IP binding entries under IP → Hotspot → IP Bindings, marking them as “bypassed.”
  • Security: If you’re dealing with credit card data or personal info, consider using an SSL certificate. That way, the Hotspot’s login page uses HTTPS and doesn’t throw browser warnings.

Performance and Scaling

A single MikroTik device can handle a pretty decent load of Hotspot users, but it depends on factors like CPU power, number of concurrent sessions, and any advanced firewall or QoS processing. If you expect hundreds or thousands of users, consider:

  • Using a CHR (Cloud Hosted Router) instance on a powerful VM or cloud service.
  • Offloading some tasks (like authentication and accounting) to external RADIUS.
  • Balancing traffic across multiple Hotspot gateways and using some central manager (like a high-level orchestration with VLANs or bridging).

Troubleshooting Tips

  • Users Don’t Get Login Page: Check DNS. Hotspot relies on DNS redirection to serve the captive portal. If the client has hardcoded DNS that bypasses the router, they might never see the login screen.
  • Login Page SSL Errors: Without a valid certificate, browsers will warn about an insecure connection. Either switch to HTTP or import a signed certificate.
  • RADIUS Timeouts: Verify that the secret key matches on both sides and that firewall rules allow RADIUS traffic (UDP ports 1812 and 1813, or 1645/1646 for older systems).
  • Voucher Not Working: Double-check the user or voucher in your RADIUS database. Maybe the time limit or profile settings are incorrect.

Final Thoughts

Advanced Hotspot setups can transform your network into a professional-grade captive portal solution. Whether you’re running a small café or a large hospitality network, MikroTik’s built-in Hotspot system, coupled with RADIUS, offers flexibility and control. By customizing login pages, employing vouchers, and carefully managing user policies, you can deliver exactly the experience you want.

Remember, the journey doesn’t end here. The beauty of MikroTik is that you can integrate so many features—like VLAN segmentation, bandwidth shaping, and advanced firewalls—to create a seamless environment. Keep experimenting, keep learning, and don’t hesitate to reach out if you need any guidance. We’re all in this quest to master MikroTik together!


Brought to you with detail and care by
Emmanuel Corels – Admin, Emmanuel Corels Creatives

