To configure a device-based captive web portal (CWP), you must first create a
wireless network SSID with Enterprise 802.1X access security.
To join the SSID, users enter a user name and password, which are checked against a
RADIUS server. When they open a web browser, the captive web portal opens to the
Use Policy Acceptance (UPA) page. After the user agrees to
the UPA, the AP allows them to access the rest of the network as determined by
settings in the user profile applied to them.
This task is part of the network policy configuration
workflow. Use this task to configure a device-based captive web portal.
-
Go to .
-
Select an existing policy with
open access security, and then select
, or select
.
-
On the Wireless tab,
select an existing SSID, and then select
, or select
.
-
In the SSID
Usage section, toggle the Enable Captive Web
Portal setting ON.
-
Select Captive Web
Portal.
-
Select SELECT to use an existing CWP, or select
ADD.
-
Enter a
Name for the CWP.
-
Select Customize and Preview to see a preview of the
captive web portal profile.
-
Select Customize
to modify the landing page colors, logo, language, and message text.
-
Select SAVE CONFIGURATION.
-
Enable or disable the Success Page.
-
Select Customization and
Preview to view the enabled Success Page.
-
Select Customize
to modify the landing page colors, logo, language, and message text.
-
Select SAVE
CONFIGURATION.
-
Enable or disable Success Page > Redirect clients after a successful
login attempt.
When enabled, successful clients are sent to either the initial page or to a
specified URL.
-
Enter the Default Language.
-
Select any additional languages you intend to support.
-
Select the check box for Display session timer alert before session
expires to display the session timer in the client's
browser.
The timer shows the login status for the registered client, the time
remaining in the session, and the elapsed time. You can choose to display
the timer alert 5, 15, or 30 minutes before the session expires.
-
Enable Network Settings Use default settings to use the
default IP address and netmask for the interface hosting the SSID with the
captive web portal, or an admin-defined IP address and netmask.
-
Select Customize to enter an IP address and
netmask for each of the interfaces.
You can use IPv4 or IPv6 addresses.
-
Enable Use external servers to forward DHCP and DNS
traffic from unregistered clients to external servers on the network.
When enabled, unregistered and
registered clients must be assigned to the same VLAN.
-
Select Override the VLAN ID used during
registration and choose a previously defined VLAN ID
from the drop-down list to assign to clients before and during the
registration process.
-
You can also select the plus sign to add a new VLAN ID.
-
Enter the name and VLAN ID.
-
Select SAVE VLAN.
-
Select Use Extreme Network Devices to forward DHCP and
DNS traffic from unregistered clients to internal servers on the AP hosting the
CWP.
When enabled, unregistered and registered clients can be assigned to the same
VLAN or to different VLANs because unregistered clients use DHCP and DNS
servers on the AP, and registered clients use servers on the network.

Note
When the client of a
previously unregistered guest first associates with the Guest Access
SSID, the AP acts as a DHCP server, DNS server, and web server. The
client's network access is limited to only the AP with which it
associated and the client browser is redirected to a registration page.
After the guest registers, the AP stores the client's MAC address as a
registered client and allows the guest to access external
servers.
-
Set the length of the DHCP lease assigned to the quarantined client of
an unregistered guest.
DHCP clients typically
renew at the midpoint of the lease. After the client successfully
registers, the AP allows the next DHCP lease request to pass to an
external DHCP server. Keeping the lease short allows the client to
obtain new network settings very soon after registering.
-
From the drop-down list, choose how you want the AP to respond to a
DHCP lease renewal request for a nonexistent lease.
- Renew-NAK-Broadcast: By default, the AP
responds by broadcasting DHCPNAK messages. Choosing either this
option or the unicast DHCPNAK option can accelerate the
transition to an external DHCP server on the network, or back to
a quarantined address after the client logs out or the session
times out.
- Renew-NAK-Unicast: Choose to have the AP
respond by sending unicast DHCPNAK messages. Sending unicast
messages can reduce traffic on the network; however,
broadcasting the DHCPNAK is safer in environments where there is
a large and uncontrollable variety of clients.
- Keep Silent: Choose to have the AP ignore
the renewal request completely and enable the external DHCP
server to respond. With this approach, the transition between
DHCP servers can be slightly longer.
-
For Web Servers Registration Period, set the length of
time that a registered client with an active session remains registered.
If the client closes one session and later starts a new one while the AP
still has a roaming cache entry for that client (one hour by default), the
client does not have to register with the captive web portal again. If the
client closes a session and starts a new session after the roaming cache
entry has been removed, the client must complete the registration process
again, even if the new session begins within the registration period.
-
For Web Servers Domain Name, enter the same domain name
as the CN (common name) value in the server certificate that the CWP uses for
HTTPS.
The domain name must be a valid domain name that a DNS server can resolve to
the IP address of the interface hosting the CWP. This option allows you to
use a server certificate from a CA that supports domain names as CNs, but
not IP addresses.

Note
If the CN has a
wildcard domain name that can match multiple valid domain names, enter
one of the valid domain names instead of selecting
Override Web server
domain name with CN value in the certificate. For
example, if the CN is *.aerohive.com, then you can enter something like
cwp.aerohive.com in the Web Server Domain Name field,
and the clients' browsers will not show a security warning when they
make an HTTPS connection to the captive web portal.
-
Select Enable HTTP to enable HTTPS on the CWP.
-
Select Default-CWPCert.pem for preloaded CWPs.
The AP hosting the CWP then uses HTTPS to secure traffic between the client
and its CWP server. The certificate file must have the following
properties:
- The file format must be
PEM (Privacy Enhanced Mail).
- It must contain a server
private key stored in an unencrypted format.
- It must contain a server
certificate concatenated to the private key.
-
For Client Redirection, select Use HTTP
302 to redirect code as the redirection method instead of
JavaScript.
This option is useful for clients accessing the network with mobile
browsers.
-
Select Introduce a delay before redirecting after a successful login
attempt to determine how long the CWP displays the Success page
before initiating the redirection.
-
Select Introduce a delay before redirecting after a failed login
attempt to determine how long the CWP displays the failure page
before initiating the redirection.

Note
This redirection
differs from that in the
Captive Web Portal
Failure Page Settings section, which the AP applies
after a failed login attempt.
-
Select Prevent the Apple CNA (Captive Network Assistant) application
from requesting credentials to bypass the Apple CNA application
for redirect actions.
-
To create a walled garden, select the plus sign.
-
In the Service Type box, select one of the
following:
- Web: Permit client access only to the World
Wide Web.
- All: Permit client access to the World Wide Web
and all other servers.
- Advanced: Permit client access only to the
admin-defined IP object or host name.
-
If you selected
Web or All, then
paste IP addresses or host names separated by commas into the Service
Type text box.
-
If you selected Advanced, then enter or select
the following:
- IP Object/Host Name: Enter an IP object
or host name of the external web server. Choose a
previously-defined IP address or host name from the drop-down
list, enter a new IP address or domain name, or select the plus
sign and define a new one.
- Service: Choose
Web to permit HTTP and HTTPS traffic
from unregistered clients to the external web server, choose
All to permit all types of traffic,
or choose Protocol and enter a protocol
number (from 0 to 255) and a port number to define the type of
service you want to permit.
-
Select Add.
Your changes appear in the Walled Garden table.
-
To remove a rule, select the check box next to the rule ID and select
Remove.
-
Select SAVE CWP.
Return to the Wireless Network page to complete the network
policy configuration.
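
The HTTPS steps above constrain both the certificate file and the Web Server Domain Name. As an added example (not part of the original documentation or any Extreme Networks tooling), this pre-upload check tests a PEM bundle against the three listed properties and tests a domain name against a wildcard CN. The function names are hypothetical, the CN is passed in as a string rather than parsed from the certificate, and key-before-certificate ordering is an assumption.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples: the bodies are placeholders, not real key material.
KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")


def check_cwp_pem(pem_text):
    """Return a list of problems; an empty list means all three rules hold."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(pem_text)]
    if not blocks:
        return ["not PEM: no BEGIN/END blocks found"]
    keys = [i for i, (label, _) in enumerate(blocks) if label.endswith("PRIVATE KEY")]
    certs = [i for i, (label, _) in enumerate(blocks) if label == "CERTIFICATE"]
    problems = []
    if not keys:
        problems.append("no private key block")
    if not certs:
        problems.append("no certificate block")
    for i in keys:
        label, body = blocks[i]
        # PKCS#8 encrypted keys have their own label; legacy OpenSSL keys
        # carry a "Proc-Type: 4,ENCRYPTED" header inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted")
    # Assumption: "concatenated to the private key" means key first, then cert.
    if keys and certs and min(certs) < min(keys):
        problems.append("certificate precedes the private key")
    return problems


def domain_matches_cn(domain, cn):
    """True if `domain` is covered by `cn`; '*' matches one left-most label only."""
    d = domain.lower().rstrip(".").split(".")
    c = cn.lower().rstrip(".").split(".")
    if len(d) != len(c):
        return False
    if c[0] == "*":
        return len(c) > 2 and bool(d[0]) and d[1:] == c[1:]
    return d == c


if __name__ == "__main__":
    print(check_cwp_pem(KEY + CERT))        # well-formed bundle
    print(check_cwp_pem(ENC_KEY + CERT))    # passphrase-protected key
    print(domain_matches_cn("cwp.aerohive.com", "*.aerohive.com"))
```

A wildcard CN covers exactly one label, so a name such as a.b.aerohive.com would still produce a browser warning under *.aerohive.com.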