====== Advanced configuration of the Mikrotik RB751 ======
===== Introduction =====
Although the instructions on this page makes use of the RB751, the same principles should also apply to other Mikrotik Routerboards.\\
The following advanced configurations will be covered in this document:
  * Central Dynamic login pages

-------------------
===== Central Dynamic Login pages =====
  * RADIUSdesk allows you to have one centrally managed location to serve a dynamic login page to many Mikrotik devices.
  * This allows you to
    * Group Mikrotik devices together and serve one common login page to them all.
    * Include company info and slideshows with the login page which are determined by the device from which a user connects.
    * Have a modern login page that makes use of AJAX techniques to connect and display session details.
  * To enjoy this enhancement you will need:
    * Ensure the Hotspot configuration on the Mikrotik includes PAP support.
    * Replace some static hotspot login pages located and served from the Mikrotik router.

==== Include PAP support on Hotspot ====
  * Connect to the Mikrotik router through the web interface.
  * Select **IP** -> **Hotspot**
  * Select the **Server Profiles** sub-tab.
  * A list of server profiles will be shown.
  * Select the one used by the current Hotspot. (Usually called **hsprof1**).
  * Ensure **Login by** includes **HTTP PAP**.
  * Apply the changes if there were any.

==== Fetch Replacement Login Pages ====
  * The latest RADIUSdesk GIT code on Source Forge contains a folder with the replacement login pages.
  * If you need a reminder to check out the code, or you want to check it out on another machine here is the command:
<WRAP center round tip 100%>
<code bash>
#From a Linux machine with git client installed
sudo git clone https://git.code.sf.net/p/radiusdesk/git rd_code
</code>
</WRAP>

  * The replacement files will be under the **rd_code/cake3/rd_cake/setup/mikrotik** folder
  

==== Add a dynamic key to a Dynamic login page entry  ====
<WRAP center round alert>
  * As of 2022 we recommend changing to serving the login pages over HTTPS.
  * This will require valid SSL certificates on the server as well as the Mikrotik
</WRAP>


  * On your local machine, change directory to the **rd_code/cake3/rd_cake/setup/mikrotik** folder and edit the **login.html** file to redirect to your RADIUSdesk server.
  * Also ensure there is an item which you can use as a dynamic key to specify the dynamic login page's info which should be displayed.
  * In the sample page we include the **nasid** item and give it a value of $(identity).
  * This will be automatically substituted with **za-gp-pta-001**.
  * We will subsequently have to add a **Dynamic key** to one of the items in the **Dynamic login pages** applet that will tie this a item in the query string to an item in the **Dynamic login pages** applet.
  * If we have deployed 15 of these Mikrotik devices in Gauteng; we can simply include an item like **ssid=Gauteng** with the login.html's redirect instruction and use **ssid** as a **Dynamic key**. In this way we group these 15 devices to all show the **Gauteng** dynamic login page.

<code html>
$(if error == '')
<html>
    <head><title>...</title></head>
    <body>
        $(if chap-id)
        <noscript>
            <center><b>JavaScript required. Enable JavaScript to continue.</b></center>
        </noscript>
        $(endif)
        <center>If you are not redirected in a few seconds, click 'continue' below<br>
        <form name="redirect" action="https://YOUR_RADIUSDESK_SERVER_IP/cake3/rd_cake/dynamic-details/mikrotik-browser-detect" method="post">
            <input type="hidden" name="loginlink" value="$(link-login-only)">
            <input type="hidden" name="nasid" value="$(identity)">
            <input type="hidden" name="link_status" value="$(link-status)">
            <input type="hidden" name="link_login_only" value="$(link-login-only)">
            <input type="hidden" name="link_logout" value="$(link-logout)">
            <input type="hidden" name="mac" value="$(mac-esc)">
            <input type="hidden" name="type" value="mikrotik">
            <input type="hidden" name="ssid" value="Gauteng">
            <input type="submit" value="continue">
        </form>
        <script language="JavaScript">
        <!--
           document.redirect.submit();
        //-->
        </script>
        </center>
    </body>
</html>
$(else)
$(var)({
	'logged_in' 	    : '$(logged-in)', 	
	'link_login_only' 	: '$(link-login-only)',
	'error_orig'		: '$(error-orig)',
	'error'			: '$(error)'
})
$(endif)
</code>

When you are done editing the login.html page and also added the **Dynamic key** to the **Dynamic login page** which you want to serve on the Mikrotik; you can copy the replacement pages to the Mikrotik router.

==== Enable HTTPs support on Mikrotik  ====
  * To Enable HTTPS support on the Mikrotik you need to configure the following:
        * Install a valid SSL certificate onto the Mikrotik.
        * Specify a DNS name in the Hotspot setup that matches the certificate
        * Enable **Login By** option **HTTPS**.

=== Install a valid SSL Certificate ===


==== Add an entry to the Mikrotik Walled Garden  ====
  * You need to open the Mikrotik to serve the central login page from a server that is usually outside your network.
  * Connect to the web interface of the Mikrotik router.
  * Select **IP** -> **Hotspot**
  * Select the **Walled garden IP List** sub-tab to add an entry. 
  * The destination IP Address will be the IP Address of the RADIUSdesk server.
  * The screenshot below assume the RADIUSdesk server has an IP Address of 178.32.59.137

{{ :user_guide:mikrotik:mikrotik_walled_garden_ip_list.png?nolink |}}
==== Replace the existing pages on the Mikrotik ====
  * Copy these files over to the Mikrotik router's **hotspot** folder. (You may want to back-up the old files first).
  * Everything should now be in place.
  * Try to connect to the Mikrotik hotspot.
  * You should be redirected to the server serving the Central login pages.