1. Get Cloudi-Fi required information

  2. Verify SNTP Client

  3. Configure the bridge

  4. Create your Guest network and DHCP Pool

  5. Add the SSL certificates

  6. Create Cloudi-Fi Radius Server

  7. Configure the Hotspot service

  8. Add log server

Testing environment:

This configuration has been tested with RouterOS 6.43.2 and v6.45.9 on HAP AC^2 using Winbox.

1) Get Cloudi-Fi required URL and Radius Secret

Go to your Cloudi-Fi administration interface and get the URL for external authentication

Go to Locations Menu

Click on the menu button of the location and select "Copy Splash page URI"

  • Copy the URI.
    Note: Make sure that the URL contains the following attribute:

Go to the chat interface and ask for your Radius secret

  • Copy the secret as well

2) Verify SNTP Client

After connecting to your Mikrotik, first let's make sure your SNTP client is configured:

Go to System > SNTP Client:

  • Set Enabled

  • Primary NTP Server: xxxxxx

  • Secondary NTP Server: xxxxxx

The NTP servers can be found here; make sure to select the ones nearest to your location.

Click on Apply. Mode should now be Uni-cast, and some other information should appear.

Next, let's check the system time.

Go to System > Clock:

  • Time Zone Name: select your location time zone

3) Configure your Guest SSID

Go to Wireless > Security Profiles > Add New

  • Name: Guest-Open

  • Mode: None

  • Interim Update: 00:10:00 (10 minutes)

  • Save

Go to Wireless > WiFi Interface tab > Add New > Virtual

  • Name : Cloudi-Fi Guest WiFi

  • SSID: Cloudi-Fi Guest WiFi

  • Mode: ap bridge

  • Master Interface : Your WLAN interface

  • Security Profile : Guest-Open

For V6.45.9

Go to Wireless > Wifi Interface Tab > Add new Virtual

  • General
    - Name: Your SSID

  • Wireless
    - Mode: AP Bridge
    - Master Interface : Your WLAN Interface
    - Security profile: Guest-Open
    - WPS Mode: Disabled

4) Add the SSL certificates

We strongly recommend using HTTPS redirection during the authentication workflow (instead of HTTP redirection).

The Cloudi-Fi team can provide you with our dedicated public certificate for HTTPS redirection.

You can also manage your own public certificate.

To import the certificate, go to Files:

  • Drag and drop certificates and public keys from your computer.

Go to System > Certificates > Certificates tab:

  • Click on Import:
    Select the Certificate and add a passphrase
    Select the Public key and add a passphrase

Make sure the KLT label appears next to your certificate name.

5) Create Cloudi-Fi Radius Server

Go to Radius and add new server:

  • Service: hotspot

  • Address:

  • Secret: Provided by Cloudi-Fi Support team

  • Authentication Port: 1812

  • Accounting Port: 1813

  • Src Address:

For V6.45.9
  • Called Id: The Mikrotik MAC Address

Go to IP > Hotspot > Server Profiles

  • Radius Tab
    - Location ID: The Mikrotik MAC Address

6) Create Cloudi-Fi Hotspot

Go to IP > Hotspot > Servers > Hotspot Setup

Hotspot Setup runs a wizard that automatically creates the corresponding firewall rules.

  • Hotspot Interface: Your Guest WLAN interface

  • Address Pool: Whatever you wish

  • Select Certificate: Select the imported certificate

  • IP Address of SMTP Server:

  • DNS Server: and (or any other DNS like yours or Umbrella)

  • DNS Name: Domain name related to the SSL certificate imported previously

  • Name of Local Hotspot User: user

  • Password of the User: Enter a complex password (it will not be used)

  • Finish

Now Double click on the server you created and modify:

  • Name: Paste your Mikrotik MAC Address (Quick set > Wireless Mac Address)

  • Addresses Per MAC: 1

Note the selected profile for the next step

Go to IP > Hotspot > Server Profiles:

  • Double click on the hsprofX (The one selected on the previous step)
    Login Tab:
    - Check only HTTPS and select the SSL Certificate
    Radius Tab:
    - Check Use Radius
    - Select Mac format: xx:xx:xx:xx:xx
    - Interim Update: 00:10:00

Go to IP > Hotspot > User Profiles > Select default

  • Keepalive Timeout : Equal to Cloudi-Fi Session Lifetime

  • Shared Users: clear

Now we are going to set up the Walled Garden.

Note: if you have social media connectors in your captive portal, additional domains must be added to the walled garden.

Cloudi-Fi Support team will provide you the needed URLs.

Go to System > Scripts and add new Script:

  • Name: Cloudifi_Walledgarden

  • Copy paste the following in the Source field:

/ip hotspot walled-garden
add dst-host=*
add dst-host=*
add dst-host=*

Note: If you have imported your own SSL certificate for HTTPS redirection, also add your domain to the list above.

  • Click on Apply then Run script

  • Check if the list appeared in IP > Hotspot > Walled Garden

Now we need to make sure your guests are redirected properly. Copy and paste the following text into a text editor and save it as login.html

<meta http-equiv="refresh" content="0; url=<!-- Location URL-->res=notyet&host=$(server-name)&client_mac=$(mac)&client_ip=$(ip)&userurl=$(link-orig)&login_url=$(link-login-only)&error=$(error)&user=$(username)" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">

Go to Cloudi-Fi administration interface: Cloudi-Fi administration > Locations > Click on the menu button of the location and select Copy Splash page URI.

Replace <!-- Location URL--> with this URI in the HTML code.
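The substitution described above, as an added example that is not part of the original guide: it builds login.html from the copied URI and supplies the `?` or `&` separator the template needs before `res=notyet`. The example URI is a constructed placeholder, and requiring `https://` for the splash page URI is an assumption.

```python
from urllib.parse import urlsplit

# Query parameters from the page's login.html; RouterOS expands each
# $(name) variable when it serves the file to the guest.
PARAMS = [
    ("res", "notyet"), ("host", "$(server-name)"), ("client_mac", "$(mac)"),
    ("client_ip", "$(ip)"), ("userurl", "$(link-orig)"),
    ("login_url", "$(link-login-only)"), ("error", "$(error)"),
    ("user", "$(username)"),
]


def build_login_html(splash_uri):
    """Return login.html with the splash page URI in place of the placeholder."""
    uri = splash_uri.strip()
    parts = urlsplit(uri)
    # Assumption: the portal is served over HTTPS (the query carries MAC and IP).
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("splash page URI must be an absolute https:// URL")
    if any(c in uri for c in '"<># \t\r\n'):
        raise ValueError("splash page URI would break the meta refresh tag")
    # The template glues 'res=notyet&...' straight onto the URI, so the URI
    # has to end with a query separator.
    if not parts.query and not uri.endswith("?"):
        uri += "?"
    elif not uri.endswith(("?", "&")):
        uri += "&"
    query = "&".join(f"{key}={value}" for key, value in PARAMS)
    return (
        f'<meta http-equiv="refresh" content="0; url={uri}{query}" />\n'
        '<meta http-equiv="pragma" content="no-cache">\n'
        '<meta http-equiv="expires" content="-1">\n'
    )


if __name__ == "__main__":
    # Constructed placeholder URI; paste the one copied from Locations instead.
    print(build_login_html("https://portal.example.invalid/splash?loc=demo"))
```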

Note: Make sure that the Cloudi-Fi location URL contains the following attribute :

Next, copy and paste the following text into a text editor and save it as alogin.html. The redirect URI can be your company website or any other service you want:

<!-- Redirection page -->
<meta http-equiv="refresh" content="0; url=" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="-1">

Back in Mikrotik Winbox, go to Files and drag and drop those two files into the hotspot folder.

8) Add log server

Go to System > Logging

  • Click on Actions tab and add new
    - Name: Cloudifi_syslog
    - Type : Remote
    - Remote Address : Provided by Cloudi-fi
    - Remote Port: 514
    - Src. Addresses:

  • Rules tab and add new
    - Topics: Firewall
    - Prefix: Empty
    - Action : Select the server you've created

Go to IP > Firewall > Filter rules

  • General tab
    - Chain: Forward
    - Protocol: TCP
    - Dst. Port: 80,443 (Others if needed)
    - In Interface: Your SSID Interface

  • Action tab
    - Action: Accept
    - Check log
    - Log prefix: Your Company name-Your Mikrotik MAC Addr
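To confirm the settings from steps 5, 6 and 8 after the fact, the following added example (not Cloudi-Fi or MikroTik code) parses the text produced by the RouterOS `/export` command and reports where it deviates from this guide. The sample export, its addresses, certificate name and log prefix are constructed placeholders.

```python
import shlex
# Constructed sample of `/export` output; names, addresses and prefix are placeholders.
SAMPLE_EXPORT = r"""
/ip hotspot profile
add login-by=https name=hsprof1 ssl-certificate=guest-cert use-radius=yes
/radius
add address=192.0.2.10 secret=REDACTED service=hotspot
/system logging action
add name=Cloudifi_syslog remote=192.0.2.20 target=remote
/system logging
add action=Cloudifi_syslog topics=firewall
/ip firewall filter
add action=accept chain=forward dst-port=80,443 in-interface=guest-wlan log=yes \
    log-prefix=ACME-AABBCCDDEEFF protocol=tcp
"""

def parse_export(text):
    """Map each menu path to a list of {key: value} dicts, one per add/set line."""
    menus, path = {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    m, findings = parse_export(text), []
    profiles = [p for p in m.get("/ip hotspot profile", []) if p.get("use-radius") == "yes"]
    if not profiles:
        findings.append("no hotspot profile has use-radius=yes")
    for p in profiles:
        if p.get("login-by") != "https" or not p.get("ssl-certificate"):
            findings.append(f"profile {p.get('name')}: login is not HTTPS-only")
    if not any(r.get("service") == "hotspot" for r in m.get("/radius", [])):
        findings.append("no RADIUS server with service=hotspot")
    remote = {a.get("name") for a in m.get("/system logging action", []) if a.get("target") == "remote"}
    rules = m.get("/system logging", [])
    if not any(r.get("action") in remote and "firewall" in r.get("topics", "") for r in rules):
        findings.append("firewall topic is not sent to a remote syslog action")
    if not any(f.get("chain") == "forward" and f.get("log") == "yes" for f in m.get("/ip firewall filter", [])):
        findings.append("no forward-chain filter rule has log=yes")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT) or "all checks passed")
```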
