Customize and Preview Device-based Captive Web Portal Settings

To configure a device-based captive web portal (CWP), you must first create a wireless network SSID with Enterprise 802.1X access security.

To join the SSID, users enter a user name and password, which are checked against a RADIUS server. When they open a web browser, the captive web portal opens to the Use Policy Acceptance (UPA) page. After the user agrees to the UPA, the AP allows them to access the rest of the network as determined by settings in the user profile applied to them.

This task is part of the network policy configuration workflow. Use this task to configure a device-based captive web portal.

  1. Go to Configure > Network Policies.
  2. Select an existing policy with open access security, and then select Edit, or select Add.
  3. On the Wireless tab, select an existing SSID, and then select Edit, or select Add.
  4. In the SSID Usage section, toggle the Enable Captive Web Portal setting ON.
  5. Select Captive Web Portal.
  6. Select SELECT to use an existing CWP, or select ADD.
  7. Enter a Name for the CWP.
  8. Select Customize and Preview to see a preview of the captive web portal profile.
    1. Select Customize to modify the landing page colors, logo, language, and message text.
    2. Select SAVE CONFIGURATION.
    Alternately, you can import HTML files. See Import Captive Web Portal HTML Files.
  9. Enable or disable the Success Page.
  10. Select Customization and Preview to view the enabled Success Page.
    1. Select Customize to modify the landing page colors, logo, language, and message text.
    2. Select SAVE CONFIGURATION.
  11. Enable or disable Success Page > Redirect clients after a successful login attempt.

    When enabled, successful clients are sent to either the initial page or to a specified URL.

  12. Enter the Default Language.
  13. Select any additional languages you intend to support.
  14. Select the check box for Display session timer alert before session expires to display the session timer in the client's browser.

    The timer shows the login status for the registered client, the time remaining in the session, and the elapsed time. You can choose to display the timer alert 5, 15, or 30 minutes before the session expires.

  15. Enable Network Settings Use default settings to use the default IP address and netmask for the interface hosting the SSID with the captive web portal, or an admin-defined IP address and netmask.
    1. Select Customize to enter an IP address and netmask for each of the interfaces.
      You can use IPv4 or IPv6 addresses.
  16. Enable Use external servers to forward DHCP and DNS traffic from unregistered clients to external servers on the network.
    When enabled, unregistered and registered clients must be assigned to the same VLAN.
    1. Select Override the VLAN ID used during registration and choose a previously defined VLAN ID from the drop-down list to assign to clients before and during the registration process.
    2. You can also select the plus sign to add a new VLAN ID.
    3. Enter the name and VLAN ID.
    4. Select SAVE VLAN.
  17. Select Use Extreme Network Devices to forward DHCP and DNS traffic from unregistered clients to internal servers on the AP hosting the CWP.

    When enabled, unregistered and registered clients can be assigned to the same VLAN or to different VLANs because unregistered clients use DHCP and DNS servers on the AP, and registered clients use servers on the network.

    Note

    Note

    When the client of a previously unregistered guest first associates with the Guest Access SSID, the AP acts as a DHCP server, DNS server, and web server. The client‘s network access is limited to only the AP with which it associated and the client browser is redirected to a registration page. After the guest registers, the AP stores the client‘s MAC address as a registered client and allows the guest to access external servers.
    1. Set the length of the DHCP lease assigned to the quarantined client of an unregistered guest.
      DHCP clients typically renew at the midpoint of the lease. After the client successfully registers, the AP allows the next DHCP lease request to pass to an external DHCP server. Keeping the lease short allows the client to obtain new network settings very soon after registering.
    2. From the drop-down list, choose how you want the AP to respond to a DHCP lease renewal request for a nonexistent lease.
      • Renew-NAK-Broadcast: By default, the AP responds by broadcasting DHCPNAK messages. Choosing either this option or the unicast DHCPNAK option can accelerate the transition to an external DHCP server on the network, or back to a quarantined address after the client logs out or the session times out.
      • Renew-NAK-Unicast: Choose to have the AP respond by sending unicast DHCPNAK messages. Sending unicast messages can reduce traffic on the network; however, broadcasting the DHCPNAK is safer in environments where there is a large and uncontrollable variety of clients.
      • Keep Silent: Choose to have the AP ignore the renewal request completely and enable the external DHCP server to respond. With this approach, the transition between DHCP servers can be slightly longer.
  18. For Web Servers Registration Period, set the length of time that a registered client with an active session remains registered.

    If the client closes one session and later starts a new one while the AP still has a roaming cache entry for that client (one hour by default), the client does not have to register with the captive web portal again. If the client closes a session and starts a new session after the roaming cache entry has been removed, the client must complete the registration process again, even if the new session begins within the registration period.

  19. For Web Servers Domain Name, enter the same domain name as the CN (common name) value in the server certificate that the CWP uses for HTTPS.

    The domain name must be a valid domain name that a DNS server can resolve to the IP address of the interface hosting the CWP. This option allows you to use a server certificate from a CA that supports domain names as CNs, but not IP addresses.

    Note

    Note

    If the CN has a wildcard domain name that can match multiple valid domain names, enter one of the valid domain names instead of selecting Override Web server domain name with CN value in the certificate. For example, if the CN is *.aerohive.com, then you can enter something like cwp.aerohive.com in the Web Server Domain Name field, and the clients' browsers will not show a security warning when they make an HTTPS connection to the captive web portal.
  20. Select Enable HTTP to enable HTTPS on the CWP
  21. Select Default-CWPCert.pem for preloaded CWPs.

    The AP hosting the CWP then uses HTTPS to secure traffic between the client and its CWP server. The certificate file must have the following properties:

    • The file format must be PEM (Privacy Enhanced Mail).
    • It must contain a server private key stored in an unencrypted format.
    • It must contain a server certificate concatenated to the private key.
  22. For Client Redirection, select Use HTTP 302 to redirect code as the redirection method instead of JavaScript.

    This option is useful for clients accessing the network with mobile browsers.

  23. Select Introduce a delay before redirecting after a successful login attempt to determine how long the CWP displays the Success page before initiating the redirection.
  24. Select Introduce a delay before redirecting after a failed login attempt to determine how long the CWP displays the failure page before initiating the redirection.
    Note

    Note

    This redirection differs from that in the Captive Web Portal Failure Page Settings section, which the AP applies after a failed log in attempt.
  25. Select Prevent the Apple CNA (Captive Network Assistant) application from requesting credentials to bypass the Apple CNA application for redirect actions.
  26. To create a walled garden, select the plus sign.
    1. In the Service Type box, select one of the following:
      • Web: Permit client access only to the World Wide Web.
      • All: Permit client access to the World Wide Web and all other servers.
      • Advanced: Permit client access only to the admin-defined IP object or host name.
    2. If you selected Web or All, then paste IP addresses or host names separated by commas into the Service Type text box.
    3. If you selected Advanced, then enter or select the following:
      • IP Object/Host Name: Enter an IP object or host name of the external web server. Choose a previously-defined IP address or host name from the drop-down list, enter a new IP address or domain name, or select the plus sign and define a new one.
      • Service: Choose Web to permit HTTP and HTTPS traffic from unregistered clients to the external web server, choose All to permit all types of traffic, or choose Protocol, enter a protocol number (from 0 to 255), and a port number to define the type of service you want to permit.
    4. Select Add.

      Your changes appear in the Walled Garden table.

    5. To remove a rule, select the check box next to the rule ID and select Remove.
  27. Select SAVE CWP.

Return to the Wireless Network page to complete the network policy configuration.

9038963-00 Rev AB