MikroTik RouterOS v2.9 Reference Manual page 520

To implement the Walled Garden feature for HTTP requests, an embedded web proxy server has been designed, so all requests from unauthorized users actually go through this proxy. Note that the embedded proxy server does not yet have a caching function. Also note that this embedded proxy server is part of the system software package and does not require the web-proxy package. It is configurable under /ip proxy.
Authentication
There are currently 5 different authentication methods. You can use one or more of them simultaneously:
• HTTP PAP - the simplest method, which shows the HotSpot login page and expects to receive the authentication information (i.e. username and password) in plain text. Note that passwords are not encrypted when transferred over the network. Another use of this method is the possibility of hard-coding authentication information in the servlet's login page simply by creating the appropriate link.
• HTTP CHAP - the standard method, which includes a CHAP challenge in the login page. The CHAP MD5 hash challenge is used together with the user's password to compute the string that is sent to the HotSpot gateway. The hash result (as a password) together with the username is sent over the network to the HotSpot service (so the password is never sent in plain text over the IP network). On the client side, the MD5 algorithm is implemented in a JavaScript applet, so if a browser does not support JavaScript (like, for example, Internet Explorer 2.0 or some PDA browsers), it will not be able to authenticate users. It is possible to allow unencrypted passwords to be accepted by turning on the HTTP PAP authentication method, but it is not recommended (because of security considerations) to use that feature.
• HTTPS - the same as HTTP PAP, but using the SSL protocol for encrypting transmissions. The HotSpot user just sends his/her password without additional hashing (note that there is no need to worry about plain-text password exposure over the network, as the transmission itself is encrypted). In either case, the HTTP POST method (if not possible, then the HTTP GET method) is used to send data to the HotSpot gateway.
• HTTP cookie - after each successful login, a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list. The next time the same user tries to log in, the web browser will send the HTTP cookie. This cookie is compared with the one stored on the HotSpot gateway, and only if the source MAC address and the randomly generated ID match the ones stored on the gateway will the user be automatically logged in using the login information (username and password pair) that was used when the cookie was first generated. Otherwise, the user will be prompted to log in, and if authentication is successful, the old cookie will be removed from the local HotSpot active cookie list and a new one with a different random ID and expiration time will be added to the list and sent to the web browser. It is also possible to erase the cookie on manual user logoff (not in the default server pages). This method may only be used together with the HTTP PAP, HTTP CHAP or HTTPS methods, as otherwise there would be nothing to generate cookies in the first place.
• MAC address - tries to authenticate clients as soon as they appear in the hosts list (i.e., as soon as they have sent any packet to the HotSpot server), using the client's MAC address as the username.
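The HTTP CHAP exchange described above, worked through as an added example that is not MikroTik's code: the gateway issues a challenge, the client hashes it with the password (the job the login page's JavaScript MD5 does), and the gateway recomputes the hash from its stored copy of the password instead of ever receiving the password itself. The exact hash input layout (chap-id, then password, then challenge), the challenge length and the local user table are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the gateway's local HotSpot user database.
LOCAL_USERS = {"alice": "s3cret"}


def chap_response(chap_id: bytes, password: str, challenge: bytes) -> str:
    # Client side: what the login page's JavaScript MD5 computes.
    # Assumed input layout: chap-id || password || chap-challenge.
    return hashlib.md5(chap_id + password.encode() + challenge).hexdigest()


def issue_challenge():
    # Gateway side: a fresh one-byte id and a random challenge are embedded
    # in each login page served to an unauthenticated client (length assumed).
    return os.urandom(1), os.urandom(16)


def verify_login(username: str, response: str, chap_id: bytes, challenge: bytes) -> bool:
    # Gateway side: only username and hash arrive over the network; the gateway
    # recomputes the expected hash from the stored password and compares.
    password = LOCAL_USERS.get(username)
    if password is None:
        return False
    expected = chap_response(chap_id, password, challenge)
    return hmac.compare_digest(expected, response)


def replay_is_rejected() -> bool:
    # A response seen for one login page is useless against the next one,
    # because the gateway embeds a different challenge each time.
    cid1, ch1 = issue_challenge()
    captured = chap_response(cid1, LOCAL_USERS["alice"], ch1)
    cid2, ch2 = issue_challenge()
    first_ok = verify_login("alice", captured, cid1, ch1)
    second_ok = verify_login("alice", captured, cid2, ch2)
    return first_ok and not second_ok


if __name__ == "__main__":
    cid, ch = issue_challenge()
    print("login ok:", verify_login("alice", chap_response(cid, "s3cret", ch), cid, ch))
    print("replay rejected:", replay_is_rejected())
```

Note that the gateway must hold the plain password to recompute the hash, which is why the local user database (or the RADIUS server) needs it for CHAP.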
HotSpot can authenticate users by consulting the local user database or a RADIUS server (the local database is consulted first, then the RADIUS server). In the case of HTTP cookie authentication via a RADIUS server, the router sends the same information to the server as was used when the cookie was first generated. If authentication is done locally, the profile corresponding to that user is
Page 506 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
