MikroTik Hotspot uses various types of login methods. Among these login methods HTTP CHAP, HTTP PAP and HTTPS are basic and important login methods. So, a MikroTik system administrator should have proper understanding on Hotspot HTTP CHAP, HTTP PAP and HTTPS login methods. In my previous article I discussed how to configure MikroTik Hotspot using Winbox. In this article I will discuss how to use HTTP CHAP, HTTP PAP and HTTPS login methods properly in MikroTik Hotspot Server.
MikroTik Hotspot Login by HTTP CHAP
HTTP CHAP is a basic and default MikroTik Hotspot login method. So, when Hotspot will be configured in MikroTik Router, HTTP CHAP login method will be enabled automatically. HTTP CHAP includes CHAP challenge in the login page. The CHAP MD5 hash challenge is used together with the user’s password for computing the string which will be sent to the Hotspot gateway. The password hash result together with username is sent over network to Hotspot service. So, password is never sent in plain text over IP network with HTTP CHAP method. The downside of HTTP CHAP is that JavaScript applet is used to implement MD5 algorithm on the client side browser. So if a browser does not support JavaScript or it has JavaScript disabled, it will not be able to authenticate users.
How to Enable HTTP CHAP Login Method
HTTP CHAP is a secure Hotspot login method. So, we should use HTTP CHAP login method in Hotspot network. As HTTP CHAP is a default login method in MikroTik Hotspot, no action require to enable HTTP CHAP but make sure HTTP CHAP is enabled and working normally following the below steps.
- Login MikroTik Router using Winbox with full permission user.
- Go to IP > Hotspot menu item. Hotspot window will appear.
- Click on Server Profiles tab and then double click on active server profile. Active server profile property window will appear.
- Click on Login tab and make sure HTTP CHAP checkbox is selected from Login By panel. If not selected, click on HTTP CHAP checkbox to enable HTTP CHAP login method and click Apply and OK button.
MikroTik Hotspot Login by HTTP PAP
HTTP PAP sends plain text user name and password over network. So, HTTP PAP is not a secure and suitable for public network. But HTTP PAP is faster and can be used in private network where security is not so much concern.
How to Enable/Disable HTTP PAP Login Method
As there is always possibility to leak username and password using HTTP PAP login method, it is not recommended to use HTTP PAP in public hotspot network. But in private network, we may consider HTTP PAP as a faster login method. The following steps will show how to enable or disable HTTP PAP in Hotspot network.
- Go to IP > Hotspot menu item. Hotspot window will appear.
- Click on Server Profiles tab and then double click on active server profile. Active server profile property window will appear.
- Click on Login tab and make sure HTTP PAP checkbox is not selected if you wish to disable HTTP PAP from Login By panel. By default HTTP PAP is kept disabled.
- If you wish to keep HTTP PAP in Hotspot network, click on HTTP PAP checkbox to enable HTTP PAP login method and click Apply and OK button.
MikroTik Hotspot Login by HTTPS
HTTPS sends plain text username and password to Hotspot Server but it uses SSL protocol to encrypt transmission. So, although username and password are sent plain text, there is no need worry because transmission is always encrypted in HTTPS communication and there is no chance to leak username and password in public Hotspot network.
HTTPS is one of most secure Hotspot login methods and today there is no alternative of HTTPS login because most of the websites are now using https and without HTTPS login, HTTPS Redirect is not possible. So, HTTPS is now a strongly recommended Hotspot login method.
How to Enable HTTPS Login
HTTPS Login requires enabling HTTPS Server and HTTPS Server requires SSL certificate either self-signed certificate or public SSL certificate. I have another separate article where I discussed how to enable HTTPS Login and HTTPS Redirect with self-signed SSL certificate or public SSL certificate. So, follow that article to configure complete HTTPS Login and HTTPS Redirect.
MikroTik Hotspot Login by HTTP Cookie and MAC Cookie
HTTP Cookie and MAC Cookie are two extended login methods in MikroTik Hotspot. HTTP Cookie and MAC Cookie cannot be used as an individual login method rather we need to use HTTP Cookie and MAC Cookie with HTTP CHAP, HTTP PAP or HTTPS basic login method. By default user must provide username and password in login prompt every time he/she want to get internet access from Hotspot Server. But sometimes user gets annoyed putting username and password frequently. Considering this situation MikroTik introduces HTTP Cookie and MAC Cookie which keep user credential in cookie at first successful login and when the same use appears at second time, the user is verified against this saved cookie and allowed for internet access without asking login prompt.
How HTTP Cookie Works
After each successful login, a cookie is sent to the web browser and the same cookie is added to active HTTP cookie list. Next time the same user will try to log in, web browser will send the saved HTTP cookie. This cookie will be compared with the one stored on the Hotspot Server and only if source MAC address and randomly generated ID matches the ones stored on the Hotspot Server, user will be automatically logged in using the login information (username and password pair) that was used when the cookie was first generated. Otherwise, the user will be prompted to log in, and in the case authentication is successful, old cookie will be removed from the local Hotspot active cookie list and the new one with different random ID and expiration time will be added to the list and sent to the web browser.
How to Enable HTTP Cookie
HTTP Cookie is enabled by default with Hotspot default configuration. But you can check whether HTTP Cookie is enabled or not following the below steps.
- Go to IP > Hotspot menu item. Hotspot window will appear.
- Click on Server Profiles tab and then double click on active server profile. Active server profile property window will appear.
- Click on Login tab and make sure Cookie checkbox is checked if you wish to enable HTTP Cookie.
- We can also set HTTP Cookie expiration time from HTTP Cookie Lifetime input box. By default Cookie lifetime is set to 3 days.
How MAC Cookie Works
MAC Cookie is a newly introduced login method in MikroTik Hotspot. MAC Cookie improves accessibility for smartphones, laptops and other mobile devices. MAC Cookie keeps record of username and password for the MAC address if there is only one host with such MAC address. Unlike HTTP Cookie, Cookie is only saved in Hotspot Server at first successful login with MAC Cookie login method. When a new host appears, Hotspot checks if there is a MAC Cookie record for the MAC address and logs in host using recorded username and password.
How to Enable MAC Cookie
MAC Cookie should be enabled both Hotspot Server profile and Hotspot user profile otherwise MAC Cookie will not work. How to enable MAC Cookie has been discussed elaborately in another article. So, follow that article to enable MAC Cookie in Hotspot network properly.
How to enable and configure MikroTik Hotspot basic login methods (HTTP CHAP, HTTP PAP and HTTPS with HTTP Cookie and MAC Cookie) has been discussed in this article. I hope you will now be able to tune Hotspot network with proper login method. However, if you face any confusion to tune Hotspot login methods properly, feel free to discuss in comment or contact me from Contact page. I will try my best stay with you.