Use WPA network with hotspot credentials
========================================

[⬅️ Go back to main README](../README.md)

> ℹ️ **Info**: This script cannot be used on its own but requires the base
> installation. See [main README](../README.md) for details.

Description
-----------

RouterOS supports an unlimited number of MAC address specific passphrases
for WPA encrypted wifi networks via access list. The idea of this script
is to transfer hotspot credentials to a MAC address specific WPA passphrase.

Requirements and installation
-----------------------------

You need a properly configured hotspot on one (open) SSID and a WPA enabled
SSID with suffix "`-wpa`".

Then install the script.
Depending on whether you use the `wifi` package (`/interface/wifi`), the
`wifiwave2` package (`/interface/wifiwave2`) or legacy wifi with CAPsMAN
(`/caps-man`) you need to install a different script and set it as the
`on-login` script in hotspot.

For `wifi` (RouterOS 7.13 and later):

    $ScriptInstallUpdate hotspot-to-wpa.wifi;
    /ip/hotspot/user/profile/set on-login="hotspot-to-wpa.wifi" [ find ];

For `wifiwave2` (up to RouterOS 7.12):

    $ScriptInstallUpdate hotspot-to-wpa.wifiwave2;
    /ip/hotspot/user/profile/set on-login="hotspot-to-wpa.wifiwave2" [ find ];

For legacy CAPsMAN:

    $ScriptInstallUpdate hotspot-to-wpa.capsman;
    /ip/hotspot/user/profile/set on-login="hotspot-to-wpa.capsman" [ find ];

### Automatic cleanup

With just `hotspot-to-wpa` installed the MAC addresses stay in the
access list forever, so devices keep their WPA access indefinitely. Install
the optional script for automatic cleanup and add a scheduler.

For `wifi` (RouterOS 7.13 and later):

    $ScriptInstallUpdate hotspot-to-wpa-cleanup.wifi,lease-script;
    /system/scheduler/add interval=1d name=hotspot-to-wpa-cleanup on-event="/system/script/run hotspot-to-wpa-cleanup.wifi;" start-time=startup;

For `wifiwave2` (up to RouterOS 7.12):

    $ScriptInstallUpdate hotspot-to-wpa-cleanup.wifiwave2,lease-script;
    /system/scheduler/add interval=1d name=hotspot-to-wpa-cleanup on-event="/system/script/run hotspot-to-wpa-cleanup.wifiwave2;" start-time=startup;

For legacy CAPsMAN:

    $ScriptInstallUpdate hotspot-to-wpa-cleanup.capsman,lease-script;
    /system/scheduler/add interval=1d name=hotspot-to-wpa-cleanup on-event="/system/script/run hotspot-to-wpa-cleanup.capsman;" start-time=startup;

And add the lease script and matcher comment to your WPA interfaces' DHCP
server. You can add more information to the comment, separated by commas. In
this example the server is called `hotspot-to-wpa`.

    /ip/dhcp-server/set lease-script=lease-script comment="hotspot-to-wpa=wpa" hotspot-to-wpa;

You can specify the timeout after which a device is removed from leases and
access-list. The default is four weeks.

    /ip/dhcp-server/set lease-script=lease-script comment="hotspot-to-wpa=wpa, timeout=2w" hotspot-to-wpa;

Configuration
-------------

On first run a disabled access list entry acting as marker (with comment
"`--- hotspot-to-wpa above ---`") is added. Move this entry to define where new
entries are to be added.

Create hotspot login credentials:

    /ip/hotspot/user/add comment="Test User 1" name=user1 password=v3ry;
    /ip/hotspot/user/add comment="Test User 2" name=user2 password=s3cr3t;

This also works with authentication via RADIUS, but is limited then:
additional information is not available, including the password.

Additionally templates can be created to give more options for access list:

* `action`: set to `reject` to ignore logins on that hotspot
* `passphrase` or `private-passphrase`: do **not** use passphrase from
  hotspot's user credentials, but given one - or unset (use default
  passphrase) with special word `ignore`
* `ssid-regexp`: set a different SSID regular expression to match
* `vlan-id`: connect device to specific VLAN
* `vlan-mode`: set the VLAN mode for device

For a hotspot called `example` the template could look like this. For
`wifi` (RouterOS 7.13 and later):

    /interface/wifi/access-list/add comment="hotspot-to-wpa template example" disabled=yes passphrase="ignore" ssid-regexp="^example\$" vlan-id=10;

For `wifiwave2` (up to RouterOS 7.12):

    /interface/wifiwave2/access-list/add comment="hotspot-to-wpa template example" disabled=yes passphrase="ignore" ssid-regexp="^example\$" vlan-id=10;

For legacy CAPsMAN:

    /caps-man/access-list/add comment="hotspot-to-wpa template example" disabled=yes private-passphrase="ignore" ssid-regexp="^example\$" vlan-id=10 vlan-mode=use-tag;

The same settings are available in hotspot user's comment and take precedence
over the template settings:

    /ip/hotspot/user/add comment="private-passphrase=ignore, ssid-regexp=^example\\\$, vlan-id=10, vlan-mode=use-tag" name=user password=v3ry-s3cr3t;
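
The precedence described above (hotspot user's comment over template over hotspot credentials, `ignore` to unset, `reject` to skip the login) can be modelled offline to review which access list entry a login would produce. This Python model is an added example, not the project's RouterOS script; the function names, the sample data and the length audit (WPA-PSK passphrases are 8 to 63 characters) are assumptions of the example.

```python
# Model of the settings resolution described in this README (added example,
# not the project's script). All function names are hypothetical.
SETTINGS = ("action", "passphrase", "ssid-regexp", "vlan-id", "vlan-mode")

def parse_settings(comment):
    """Extract known 'key=value' pairs from a comma separated comment."""
    found = {}
    for part in comment.split(","):
        key, sep, value = part.strip().partition("=")
        if key == "private-passphrase":   # CAPsMAN name for the same setting
            key = "passphrase"
        if sep and key in SETTINGS:       # free text like "Test User 1" is skipped
            found[key] = value.strip()
    return found

def build_entry(mac, password, user_comment, template_settings):
    """Return the access list entry for a hotspot login, or None if rejected."""
    # Precedence as documented: user comment over template over credentials.
    settings = {"passphrase": password}
    settings.update(template_settings)
    settings.update(parse_settings(user_comment))
    if settings.get("action") == "reject":
        return None                       # logins on this hotspot are ignored
    if settings["passphrase"] == "ignore":
        del settings["passphrase"]        # unset: the default passphrase applies
    settings.pop("action", None)
    return {"mac-address": mac, **settings}

def audit_entry(entry):
    """Flag results an administrator should review before rollout."""
    findings = []
    phrase = entry.get("passphrase")
    if phrase is None:
        findings.append("no per-device passphrase, default passphrase is used")
    elif not 8 <= len(phrase) <= 63:
        findings.append("passphrase length outside 8..63 characters (WPA-PSK)")
    return findings

# Constructed sample data, modelled on the commands in this README.
TEMPLATE = {"passphrase": "ignore", "ssid-regexp": "^example$", "vlan-id": "10"}
MAC = "00:00:5E:00:53:01"   # constructed address from the documentation range

if __name__ == "__main__":
    for password, comment in (("v3ry", "Test User 1"),
                              ("v3ry-s3cr3t", "private-passphrase=ignore, vlan-id=20")):
        entry = build_entry(MAC, password, comment, {})
        print(entry, audit_entry(entry))
```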

Usage and invocation
--------------------

Now let the users connect and log in to the hotspot. After that the devices
(identified by MAC address) can connect to the WPA network, using the
passphrase from hotspot credentials.

See also
--------

* [Run other scripts on DHCP lease](lease-script.md)

---

[⬅️ Go back to main README](../README.md)
[⬆️ Go back to top](#top)