Customize and Preview Device-based Captive Web Portal Settings

To configure a device-based captive web portal (CWP), you must first create a wireless network SSID with Enterprise 802.1X access security.

To join the SSID, users enter a user name and password, which are checked against a RADIUS server. When they open a web browser, the captive web portal opens to the Use Policy Acceptance (UPA) page. After the user agrees to the UPA, the AP allows them to access the rest of the network as determined by settings in the user profile applied to them.

This task is part of the network policy configuration workflow. Use this task to configure a device-based captive web portal.

  1. Go to Configure > Network Policies.
  2. Select an existing policy, and then select Edit, or select Add.
  3. On the Wireless tab, select an existing SSID, and then select Edit, or select Add.
  4. In the SSID Usage section, toggle the Enable Captive Web Portal setting ON.
  5. Select Captive Web Portal, and then select the features.
    Table 1. CWP features
    Feature | Description
    User Auth on Captive Web Portal | Authenticates users on the splash page.
    Enable Self-Registration | Enables user registration on the splash page.
    Note: The First Name and Last Name fields cannot contain the following characters: $ ` < > + #
    Return Aerohive Private PSK | Issues a Private PSK for the user.
    Enable UPA | Enables the display of the Use Policy Acceptance page.
    Choose Authentication Type | Authenticate against a RADIUS server, or redirect to an external URL. (This setting is not available if Self-Registration is enabled.)

  6. Select SELECT to use an existing CWP, or select ADD.
  7. Enter a Name for the CWP.
  8. If you selected Return Aerohive Private PSK, configure the PPSK Settings.
    Table 2. PPSK settings
    Setting | Description
    Choose Access SSID (Private PSK) | Select an access SSID from the menu.
    Choose a PPSK Server | Select a PPSK server from the menu.
  9. Select CUSTOMIZE AND PREVIEW > CUSTOMIZATION AND PREVIEW.
    Alternately, you can import HTML files. See Import Captive Web Portal HTML Files.
  10. Preview and Customize the Landing Page.
  11. Preview and Customize the Use Policy Acceptance Page.
  12. Preview and Customize the Success Page.
  13. Preview and Customize the Error Page.
  14. Enable or disable the Success Page.
  15. Enable or disable Redirect clients after a successful login attempt.

    When enabled, ExtremeCloud IQ sends successful clients to either the login page or to a specified URL.

  16. Enable or disable the Failure Page, and choose the page to display the failure message.

    When enabled, ExtremeCloud IQ displays the failure message on either the login page or the standard failure page. See Preview and Customize the Error Page.

  17. Enable or disable Redirect clients after a failed login attempt.

    When enabled, ExtremeCloud IQ sends unsuccessful clients to either the login page or to a specified URL.

  18. Configure the default language, and additional languages.
    Table 3. Supported languages
    Setting | Description
    Default Language | Select the Default Language from the menu.
    Support Additional Languages | Select the additional languages you intend to support.
  19. Expand the Advanced Configuration section, and configure the settings.
    Table 4. Advanced configuration settings
    Setting | Description
    Session Timer | Select Display session timer alert before session expires to display the session timer in the client browser.

    The timer shows the login status for the registered client, the time remaining in the session, and the elapsed time. You can choose to display the timer alert 5, 15, or 30 minutes before the session expires.

    Network Settings | Select Use default settings to use the default IP address and netmask for the interface hosting the SSID with the captive web portal.

    Select Customize to enter an admin-defined IP address and netmask for each of the interfaces. You can use IPv4 or IPv6 addresses.

    DHCP and DNS servers > Use external servers | Select Use external servers to forward DHCP and DNS traffic from unregistered clients to external servers on the network. When enabled, unregistered and registered clients must be assigned to the same VLAN.
    Override the VLAN ID used during registration | Select Override the VLAN ID used during registration and choose a previously defined VLAN ID from the drop-down list to assign to clients before and during the registration process.

    Select Add to add a new VLAN ID.

    DHCP and DNS servers > Use Extreme Networks Devices | Select Use Extreme Networks Devices to forward DHCP and DNS traffic from unregistered clients to internal servers on the AP hosting the CWP. When enabled, unregistered and registered clients can be assigned to the same VLAN or to different VLANs, because unregistered clients use the DHCP and DNS servers on the AP, and registered clients use the servers on the network.

    Note: When the client of a previously unregistered guest first associates with the Guest Access SSID, the AP acts as a DHCP server, DNS server, and web server. Client network access is limited to the AP with which it is associated, and the client browser is redirected to a registration page. After the guest registers, the AP stores the client MAC address as a registered client and allows the guest to access external servers.
    Lease Time | Type the length of the DHCP lease assigned to the quarantined client of an unregistered guest, and choose the unit of time from the menu.

    DHCP clients typically renew at the midpoint of the lease. After the client successfully registers, the AP allows the next DHCP lease request to pass to an external DHCP server. Keeping the lease short lets the client obtain new network settings soon after registering.

    Renewal Response | From the menu, choose how you want the AP to respond to a DHCP lease renewal request for a lease it does not hold.
    • Renew-NAK-Broadcast: By default, the AP responds by broadcasting DHCPNAK messages. Choosing either this option or the unicast DHCPNAK option can accelerate the transition to an external DHCP server on the network, or back to a quarantined address after the client logs out or the session times out.
    • Renew-NAK-Unicast: The AP responds by sending unicast DHCPNAK messages. Unicast reduces traffic on the network; however, broadcasting the DHCPNAK is more reliable in environments with a large and uncontrolled variety of clients, because a client whose address is being rejected may not accept a unicast reply sent to that address (RFC 2131 has servers broadcast DHCPNAK for this reason).
    • Keep Silent: The AP ignores the renewal request completely and lets the external DHCP server respond. With this approach, the transition between DHCP servers can take slightly longer.
    Web Servers
    Registration Period | Set the length of time that a registered client with an active session remains registered. Type a value and choose the unit of time from the menu.

    If the client closes one session and later starts a new one while the AP still has a roaming cache entry for that client (one hour by default), the client does not have to register with the captive web portal again. If the client closes a session and starts a new session after the roaming cache entry has been removed, the client must complete the registration process again, even if the new session begins within the registration period.

    Domain Name | Type the same domain name as the CN (common name) value in the server certificate that the CWP uses for HTTPS.

    The domain name must be a valid domain name that a DNS server can resolve to the IP address of the interface hosting the CWP. This option allows you to use a server certificate from a CA that supports domain names as CNs, but not IP addresses.

    Note: If the CN is a wildcard domain name that can match multiple valid domain names, enter one of the valid domain names instead of selecting Override Web server domain name with CN value in the certificate. For example, if the CN is *.aerohive.com, enter a name such as cwp.aerohive.com in the Web Server Domain Name field, and the clients' browsers will not show a security warning when they make an HTTPS connection to the captive web portal. Current browsers validate the host name against the certificate's Subject Alternative Name (SAN) entries rather than the CN alone, so the name you enter must also appear in the certificate's SAN list.
    Security
    Enable HTTPs | Select Enable HTTPs to enable HTTPS on the CWP.
    HTTPS certificate | Select Default-CWPCert.pem for preloaded CWPs.

    The AP hosting the CWP then uses HTTPS to secure traffic between the client and its CWP server. The certificate file must have the following properties:

    • The file format must be PEM (Privacy Enhanced Mail).
    • It must contain the server private key stored in an unencrypted format.
    • It must contain the server certificate concatenated to the private key.

    Because the file carries the unencrypted private key, protect it wherever it is stored outside the AP.
    Override Web server domain name with CN value in the certificate | Select to replace the Web server domain name with the common name value in the certificate.
    Client Redirection
    Use HTTP 302 | Select Use HTTP 302 to redirect clients with an HTTP 302 response instead of a JavaScript redirect.

    This option is useful for clients accessing the network with mobile browsers.

    Introduce a delay before redirecting after a successful login attempt | Specify how long the CWP displays the success page before initiating the redirection. Type a value in seconds.
    Introduce a delay before redirecting after a failed login attempt | Specify how long the CWP displays the failure page before initiating the redirection. Type a value in seconds.
    Note: This redirection differs from that in the Captive Web Portal Failure Page Settings section, which the AP applies after a failed login attempt.
    Prevent the Apple CNA (Captive Network Assistant) application from requesting credentials | Select this option to bypass the Apple CNA application for redirect actions.
  20. To create a walled garden, select Add, and configure the settings.
    Table 5. Walled garden settings
    Setting | Description
    Service Type | Select one of the following options:
    • Web: Permit client access only to the World Wide Web.
    • All: Permit client access to the World Wide Web and all other servers.
    • Advanced: Permit client access only to the admin-defined IP object or host name.

    If you selected Web or All, paste IP addresses or host names separated by commas into the Service Type text box. Then select ADD.

    If you selected Advanced, configure the following settings, and then select ADD.

    IP Object/Host Name | Enter an IP object or host name for the external web server. Choose a previously defined IP address or host name from the menu, enter a new IP address or domain name, or select and define a new one.
    Service | Select the service from the menu: Web, All, or Protocol.
    Protocol Number | (Protocol service only) Type a protocol number (from 0 to 255).
    Port | (Protocol service only) Type a port number to define the type of service you want to permit.

    Keep the walled garden as small as the pre-login flow requires: every destination listed here is reachable before registration, so a permissive entry (for example, All to a broad IP object) gives unregistered clients a path onto the network.

  21. Select SAVE CWP.

Return to the Wireless Network page to complete the network policy configuration.
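Two of the Advanced Configuration settings above fail silently when they are wrong: an HTTPS certificate file that does not meet the upload requirements, and a Domain Name that the certificate does not cover. The following Python script is an added example, not part of ExtremeCloud IQ or of this page, that checks a PEM bundle for the listed properties (PEM format, an unencrypted private key, a certificate concatenated to it) and applies the wildcard CN rule from the Domain Name note before you paste values into the form. The PEM bodies are constructed placeholders, not real key material, and the function names are the example's own.

```python
import re

# Constructed sample inputs (not real key material): the base64 bodies are
# placeholders, because the checks below only inspect PEM block headers.
GOOD_BUNDLE = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7UExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKUExBQ0VIT0xERVIgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
"""

ENCRYPTED_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpAIBAAKCAQEA7UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKUExBQ0VIT0xERVIgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, body)] for every PEM block, in file order."""
    blocks = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        blocks.append((begin, body))
    return blocks


def check_cwp_bundle(text):
    """Check a certificate file against the upload requirements on this page.

    Returns a list of problems; an empty list means the file is acceptable.
    """
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    labels = [label for label, _ in blocks]
    problems = []
    if not blocks:
        problems.append("not PEM: no -----BEGIN ...----- block found")
    if "CERTIFICATE" not in labels:
        problems.append("no server certificate block")
    if not any(label in KEY_LABELS or label == "ENCRYPTED PRIVATE KEY" for label in labels):
        problems.append("no private key block")
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append("private key is encrypted (PKCS#8); the AP needs it unencrypted")
        elif label in KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted (legacy PEM headers); the AP needs it unencrypted")
    return problems


def hostname_matches(cert_name, hostname):
    """Browser-style comparison of a host name with a certificate name.

    A '*' is honoured only as the entire leftmost label and matches exactly one
    label, so *.aerohive.com covers cwp.aerohive.com but neither aerohive.com
    nor a.b.aerohive.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3 or any("*" in lab for lab in cert_labels[1:]):
        return False  # reject forms such as *.com or c*.aerohive.com
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def domain_name_setting(cert_cn, domain_name=None):
    """Decide what the Domain Name field should hold for a given certificate CN.

    domain_name=None means the administrator selected the CN override instead
    of typing a name. Returns (ok, explanation).
    """
    if "*" in cert_cn:
        if domain_name is None:
            return False, f"CN {cert_cn} is a wildcard: type one concrete name instead of using the override"
        if hostname_matches(cert_cn, domain_name):
            return True, f"{domain_name} is covered by {cert_cn}"
        return False, f"{domain_name} is not covered by {cert_cn}"
    if domain_name is None:
        return True, f"override will use the CN {cert_cn}"
    if hostname_matches(cert_cn, domain_name):
        return True, f"{domain_name} matches the CN"
    return False, f"{domain_name} does not match the CN {cert_cn}; browsers will warn"


if __name__ == "__main__":
    print("good bundle:", check_cwp_bundle(GOOD_BUNDLE) or "ok")
    print("encrypted bundle:", check_cwp_bundle(ENCRYPTED_BUNDLE))
    for cn, name in [("*.aerohive.com", "cwp.aerohive.com"), ("*.aerohive.com", None),
                     ("cwp.aerohive.com", "portal.aerohive.com")]:
        print(cn, name, "->", domain_name_setting(cn, name))
```

The header check is deliberately shallow: it tells you whether the file has the shape the AP expects, not whether the key and certificate belong together. Pair it with a real parse (for example, the cryptography package, or openssl on the command line) to confirm the key matches the certificate and that the name you enter is also present as a SAN, since current browsers ignore the CN for host-name validation.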
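The walled garden in step 20 is the allow list that applies before registration, so it helps to reason explicitly about what each rule opens. The following Python class is an added example, not the AP's implementation, of how rules of the three service types combine into a default-deny decision. It assumes that Web means TCP ports 80 and 443 (the page does not list the ports), uses constructed DNS answers in place of the resolution the AP performs for host-name entries, and the documentation-range IP addresses and host names are constructed.

```python
import ipaddress

# Assumption (not stated on the page): "Web" permits TCP to ports 80 and 443.
WEB_PORTS = frozenset({80, 443})
TCP, UDP = 6, 17

# Constructed DNS answers standing in for the resolution the AP performs
# for host-name entries.
RESOLVED = {
    "payments.example.com": ["192.0.2.5"],
}


class WalledGarden:
    """Pre-registration allow list for the CWP.

    Each rule is (network, service, protocol, port) with service "Web", "All"
    or "Protocol". Anything not matched is denied, which is the point of the
    walled garden: an unregistered client should reach nothing else.
    """

    def __init__(self, resolver=RESOLVED):
        self.rules = []
        self.resolver = resolver

    def add(self, target, service, protocol=None, port=None):
        if service not in ("Web", "All", "Protocol"):
            raise ValueError(f"unknown service {service}")
        if service == "Protocol" and not (protocol is not None and 0 <= protocol <= 255):
            raise ValueError("Protocol service needs a protocol number from 0 to 255")
        for network in self._targets(target):
            self.rules.append((network, service, protocol, port))

    def _targets(self, target):
        """Turn an IP object (address or CIDR) or a host name into networks."""
        try:
            return [ipaddress.ip_network(target, strict=False)]
        except ValueError:
            answers = self.resolver.get(target.lower())
            if not answers:
                raise ValueError(f"host name {target} does not resolve")
            return [ipaddress.ip_network(answer) for answer in answers]

    def allows(self, dst_ip, protocol, port=None):
        """Return True when an unregistered client may send this packet."""
        dst = ipaddress.ip_address(dst_ip)
        for network, service, rule_proto, rule_port in self.rules:
            if dst not in network:
                continue
            if service == "All":
                return True
            if service == "Web" and protocol == TCP and port in WEB_PORTS:
                return True
            if service == "Protocol" and protocol == rule_proto and (rule_port is None or rule_port == port):
                return True
        return False


def build_example_garden():
    """Three rules, one of each service type, over constructed targets."""
    garden = WalledGarden()
    garden.add("payments.example.com", "Web")                      # host name, web only
    garden.add("198.51.100.0/24", "All")                           # IP object, everything
    garden.add("203.0.113.9", "Protocol", protocol=UDP, port=1812)  # RADIUS to one host
    return garden


if __name__ == "__main__":
    garden = build_example_garden()
    for dst, proto, port in [("192.0.2.5", TCP, 443), ("192.0.2.5", TCP, 22),
                             ("198.51.100.77", UDP, 5000), ("203.0.113.9", UDP, 1813)]:
        print(dst, proto, port, "->", "allow" if garden.allows(dst, proto, port) else "deny")
```

Two things the evaluator makes visible: an All rule over a whole IP object (here a /24) hands unregistered clients everything in that range, and a host-name entry is only as narrow as the DNS answers behind it, so a name with many or changing records widens the garden without any change to the configuration.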