Captive Web Portal

Configure a captive web portal.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Network Policies > policy_name > Wireless Networks > Add > All other Networks (standard) > Enable Captive Web Portal > Add

or

Configure > Common Objects > Authentication > Captive Web Portals > Add

About Captive Web Portals

Extreme Networks provides two types of captive web portals: those that individual APs host on built-in web servers and those that ExtremeCloud IQ hosts on web servers in the cloud. The former supports several user registration types (user authentication, self-registration to provide user data, use policy acceptance, self-registration to obtain a PPSK) plus an extensive set of configuration options. The latter supports two registration options: users can register by authenticating with their social media credentials or by requesting and submitting a PIN. A cloud-based captive web portal also has a simpler set of configuration options.

Note

To configure a cloud-based captive web portal, you must create a wireless network SSID with Open SSID authentication, enable the use of a captive web portal, and then select Cloud Captive Web Portal. For more information about configuring a wireless network SSID, see Standard Wireless Network Settings.

After defining a captive web portal, you must take one of two actions for your changes to take effect:

ExtremeCloud IQ can include multiple captive web portals. See Captive Web Portals to view previous captive web portal configurations.

Configure a Device-hosted Captive Web Portal for an SSID

To configure a captive web portal to be hosted on APs:

On the wireless network (SSID) configuration page in a network policy, set Enable Captive Web Portal to ON. Select the captive web portal type as follows:

If you select Enterprise 802.1X for SSID access security, the captive web portal can display a UPA (use policy acceptance). When joining the SSID, users authenticate themselves by entering a user name and password, which are checked against a RADIUS server. Then, when they open a web browser, the captive web portal appears and displays a UPA. After users agree to it, the AP allows them to access the rest of the network as determined by settings in the user profile applied to them.

If you select Personal WPA/WPA2 PSK for SSID access security, the captive web portal can be one of several types. When joining the SSID, users enter a commonly shared PSK to authenticate themselves. When they open a web browser, a captive web portal appears with one of the following registration types:

User authentication: Users enter their user names and passwords in a simple form on the captive web portal, and the credentials are checked against a RADIUS server. Once they are authenticated, they can access the network.

Use policy acceptance: Users agree to a UPA to be able to access the rest of the network.

If you selected Open for SSID access security, which means users can join the SSID without any form of authentication, the captive web portal can be one of several types:

User authentication

Use policy acceptance: When a captive web portal requires users to accept a network use policy, they must select the Accept button indicating that they have read and accept the policy before they can access the network. Requiring users to agree to a network use policy whenever data is collected about them helps comply with the conditions of consent mandated by the GDPR (General Data Protection Regulation), a law to protect the privacy of personal data for EU citizens. For more information, see "GDPR" and GDPR Article 7.

Cloud-based using Social Login or PINs (see "Configure a Cloud-hosted Captive Web Portal for an SSID")

To add a new default captive web portal based on the type of user registration you defined, select +. See Captive Web Portals for more information about adding captive web portal parameters.

When you are done, select Save.

Note

To use a previously defined captive web portal as the default, choose Select next to Default Captive Web Portal. The Select CWPs dialog box displays a list of captive web portals that match the registration type specified. Select one from the list, and then choose Select to make it the new default captive web portal.

Configure a Cloud-hosted Captive Web Portal for an SSID

Extreme Networks provides two types of cloud-hosted captive web portals. One controls network access by leveraging user credentials in social media services like Google, Facebook, and LinkedIn. The other authenticates users by requiring them to enter a PIN, which is sent to them by email, to gain network access. Both cloud-based captive web portal types are available in ExtremeCloud IQ and ExtremeCloud IQ Connect.

Use Social Login to Authenticate Users

When an unregistered user connects to an SSID with a captive web portal that uses social login, the user's client is assigned to a walled garden. The authentication URLs for Google, Facebook, and LinkedIn (depending on the configuration) are in a whitelist, allowing the client to reach them but nothing else on the network. When the user opens a web browser, the cloud-based captive web portal is invoked, and the user's HTTPS traffic is directed to cloud-xx.aerohive.com/webportal/<path-id>, where the xx stands for the abbreviated location of different data centers and <path-id> is the unique path for each captive web portal. The web app that serves the captive web portal is stateless and supports horizontal scaling. This elasticity allows a single captive web portal to expand and contract as needed to support increased and decreased numbers of users.

Image of a cloud-based captive web portal

Before the sign-in links become active, users must select a check box indicating their acceptance of the network use policy, which appears in the lower half of the captive web portal landing page.

Note

Requiring that users accept the policy before granting them network access helps comply with the conditions of consent mandated by the EU GDPR (General Data Protection Regulation). For more information, see GDPR and GDPR Article 7.

When users select Sign in with Google, Sign in with Facebook, or Sign in with LinkedIn, their browsers are redirected to the sign-in page for the respective social media authentication site. If the authentication process is successful, their browsers are redirected to the check-in URL on the AP to free their clients from the walled garden. From that point, users can access the network as determined by the firewall policy rules applied to them.

To configure a cloud-based captive web portal that uses social login for user authentication:

  1. On the SSID configuration page in a network policy, set Enable Captive Web Portal to ON.

  2. In the SSID Authentication section, select Open.

  3. Select Cloud Captive Web Portal, select Social Login, and then select Add.

  4. In the New Captive Web Portal window, enter the following:

Name: Enter a name for the captive web portal.

Cloud Captive Web Portal: (selected by default).

Social Login: (selected by default).

Facebook: Select to support Facebook accounts.

LinkedIn: Select to support LinkedIn accounts.

Google: Select to support Google accounts.

Extreme Networks automatically populates whitelists for Facebook, LinkedIn, and Google domains based on which ones are enabled for the captive web portal. A Google-only captive web portal does not require Facebook domains and vice versa.

Allow domains: When Google is selected, you can restrict access to users in specific domains, such as the Google domain for a school.

Authentication Cache Duration: Set the period of time during which a user who has successfully authenticated does not need to reauthenticate if the client disassociates from the wireless network and then reassociates. During this time, the client will not be placed in the walled garden but will be allowed network access directly. The reauthentication period cannot exceed 30 days.

  5. You can use the default captive web portal without customization; but if you want to customize it, toggle Customize to ON and then select Social-Login-Example to export the necessary files.

  6. Give the files to a web designer for modification (see "File Customization" below for information about modifying the files).

Note

While waiting for the web designer, you can continue your configuration using the default captive web portal files. Upload the network policy with the captive web portal SSID to one or more APs to test the behavior and functionality with the default files, and swap in the customized files later.

  7. When you receive the modified files, navigate to the New Captive Web Portal window to import them. Select the Upload/Remove button next to Manage Files, navigate to the files on your admin system and upload them. Select Done.

  8. Choose the directory you just created from the Web File Directory drop-down list. Select Create. In the dialog box, enter a name, select Create, and then select Done.

  9. Select the files you want to use as the login, success, and failure pages, and then select Save. (The failure page only appears if you restrict Google to an unapproved G Suite domain. Otherwise, a failed login attempt will produce a Facebook, Google, or LinkedIn error message.) The imported files are immediately saved to ExtremeCloud IQ.

Note

If you previously completed the configuration with default files and uploaded the network policy to your APs, you do not need to upload the configuration again. As long as the customized files have the same names as the default ones, they will immediately take their place once they are imported to ExtremeCloud IQ.

Use a PIN to Authenticate Users

When unregistered users connect to an SSID with a cloud-based captive web portal that requires them to enter a PIN, the AP redirects their web browser to a captive web portal hosted by ExtremeCloud IQ where they are prompted to submit a PIN if they have one or request a PIN if they do not. They can request a PIN be sent to them by email, or by another means such as a cellular connection. PINs are valid for a configurable length of time between 1 and 24 hours and are linked to the MAC address of the wireless adapter on the client device.

Note

Before the Submit button on the captive portal page becomes available for use, users must first select a check box indicating that they accept a network use policy. Because submitting a request for a PIN creates a record linking an email address to a PIN and submitting a PIN for authentication links the PIN to a MAC address, requiring agreement with a use policy helps comply with the conditions of consent mandated by the GDPR. For more information, see GDPR and GDPR Article 7.

To configure a cloud-based captive web portal that uses PINs for user authentication:

  1. In the SSID configuration window in a network policy, set Enable Captive Web Portal to ON.

  2. In the SSID Authentication section, select Open.

  3. Select Cloud Captive Web Portal, select Request a PIN, and then select Add and enter the following information:

Name: Enter a name for the captive web portal.

Cloud Captive Web Portal: (selected by default).

Request a PIN: (selected by default).

PIN Valid Time: Enter the length of time that the PIN remains valid. The validity period begins at the time that ExtremeCloud IQ receives the PIN request and can last from 1 to 24 hours. The default is 1 hour.

Email Address for Daily Report: Enter an email address where you want ExtremeCloud IQ to send daily reports about successfully authenticated users on this captive web portal. Each report is in .csv format and shows the login time (in UTC, or Coordinated Universal Time) when the user submitted a PIN, the user name, and the MAC address of the client device used for the connection. When there are no entries to report, ExtremeCloud IQ sends a separate email communicating this.

Daily Report Delivery Time: Set the hour and minute when ExtremeCloud IQ generates a daily report of successful user authentications. The time is expressed in UTC and the report contains events for the previous 24 hours from that time. For example, if you are in San Francisco (UTC–08:00) and configure a report for 09:00 (UTC) in the GUI, ExtremeCloud IQ will generate a report every day at 1:00 AM PST because San Francisco is 8 hours behind UTC. The report will contain events from 1:00 AM PST of the previous day up to 12:59 AM PST of the current day.

  4. Use the default captive web portal without customization, or to customize, toggle Customize to ON and then select PIN-Login-Example to export the necessary files.

  5. Give the files to a web designer for modification (see "File Customization" for information about modifying the files). While you are waiting for the web designer, you can continue your configuration using the default captive web portal files. Upload the network policy with the captive web portal SSID to one or more APs to test the behavior and functionality with the default files, and swap in the customized files later.

  6. When you receive the modified files, import them in the New Captive Web Portal window. Select Upload/Remove, navigate to the files on your system and upload them. Select Done.

  7. Choose the directory you just created from the Web File Directory drop-down list. Select Create. In the dialog box, enter a name, select Create, and then select Done.

  8. Select the files you want to use as the login and success pages, and then select Save. (There is no need for a failure page because error messages appear on the login page rather than requiring navigation to a separate page.) The imported files are immediately saved to ExtremeCloud IQ.

Note

If you previously completed the configuration with default files and uploaded the network policy to your APs, you do not need to upload the configuration again. As long as the customized files have the same names as the default ones, they will immediately take their place once they are imported to ExtremeCloud IQ.
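Because the PIN portal ties each successful authentication to a user name and a client MAC address, the daily .csv report can be reviewed for anomalies. The script below is an added example, not part of the ExtremeCloud IQ documentation or product; the column names and the sample rows are assumptions constructed for illustration, since the page lists only the report's fields (login time in UTC, user name, MAC address).

```python
import csv
import io
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")

# Constructed sample report. The column names are assumptions: the page only
# says each row holds the login time (UTC), user name, and client MAC address.
SAMPLE_REPORT = """login_time,user_name,mac_address
2020-03-02 08:01:12,alice@example.com,3C:22:FB:10:20:30
2020-03-02 08:05:40,bob@example.com,a6-5e-60-11-22-33
2020-03-02 09:14:03,alice@example.com,3C:22:FB:10:20:30
2020-03-02 10:30:55,carol@example.com,00:1A:2B:3C:4D:5E
2020-03-02 10:31:20,carol@example.com,F0:18:98:AA:BB:CC
2020-03-02 10:33:47,carol@example.com,DA:A1:19:01:02:03
2020-03-02 11:02:09,dave@example.com,00:1A:2B:3C:4D:5E
2020-03-02 11:40:00,erin@example.com,not-a-mac
"""

def normalize_mac(raw):
    """Return the MAC as upper-case colon-separated hex, or None if malformed."""
    mac = raw.strip().upper().replace("-", ":")
    return mac if MAC_RE.match(mac) else None

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, as in randomized MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def analyze_report(text, max_macs_per_user=2):
    """Summarize one daily report: heavy users, shared MACs, randomized MACs."""
    macs_by_user = defaultdict(set)
    users_by_mac = defaultdict(set)
    malformed = 0
    for row in csv.DictReader(io.StringIO(text)):
        user = (row.get("user_name") or "").strip().lower()
        mac = normalize_mac(row.get("mac_address") or "")
        if not user or mac is None:
            malformed += 1  # keep a count so bad rows are not silently ignored
            continue
        macs_by_user[user].add(mac)
        users_by_mac[mac].add(user)
    return {
        # One user name authenticating from more devices than expected.
        "many_devices": {u: sorted(m) for u, m in macs_by_user.items()
                         if len(m) > max_macs_per_user},
        # One MAC address appearing under several user names.
        "shared_mac": {m: sorted(u) for m, u in users_by_mac.items() if len(u) > 1},
        # Locally administered addresses do not identify a stable device.
        "randomized_mac": sorted(m for m in users_by_mac if is_locally_administered(m)),
        "malformed_rows": malformed,
    }

if __name__ == "__main__":
    for finding, detail in analyze_report(SAMPLE_REPORT).items():
        print(finding, detail)
```

The threshold `max_macs_per_user` is a hypothetical tuning value; set it to match how many devices a guest is expected to register in one reporting period.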

File Customization

This table lists the files to import for each type of customized captive web portal:

| Social Login | Request a PIN |
|---|---|
| aerohive.svg | aerohive.svg |
| failure.html | icon-success.svg |
| fb.swg | index.html |
| google.svg | style.css |
| icon-failure.svg | success.html |
| icon-success.svg | terms-of-use.html |
| index.html | |
| linkedin.svg | |
| style.css | |
| success.html | |

Note

Refer the web designer to the README.txt documentation in the sample captive web portal template package.

To support multiple languages, the HTML files must have the language tag appended to the base file name. For example:

The default language is your choice. Simply delete the original index.html file and remove the language tag from the file name of the one you want to use as the default. (For example, to make the Japanese version the default, change index_ja.html to index.html.) The cloud captive web portal server uses the Accept-Language header in the HTTPS request from clients to select the language variant to return.
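A web designer can check a customized package before upload by simulating which file a given browser would receive. The sketch below is an added example, not the cloud server's actual selection code: it assumes standard Accept-Language q-value ordering, a fallback from a regional tag such as ja-JP to ja, and the untagged file as the last resort. The file list is constructed sample input.

```python
import re

# Constructed sample package following the page's naming rule (index_ja.html).
SAMPLE_FILES = ["index.html", "index_ja.html", "index_fr.html", "style.css"]

def parse_accept_language(header):
    """Return language tags ordered by descending q-value, ties by position."""
    ranked = []
    for position, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not tag:
            continue
        q = 1.0  # a tag without an explicit q parameter has full weight
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # treat an unparsable weight as "not acceptable"
        if q > 0:
            ranked.append((-q, position, tag))
    return [tag for _, _, tag in sorted(ranked)]

def select_variant(header, uploaded_files, base="index"):
    """Pick the language variant of base.html for this header (assumed logic)."""
    pattern = re.compile(rf"^{re.escape(base)}_([A-Za-z-]+)\.html$")
    available = {}
    for name in uploaded_files:
        match = pattern.match(name)
        if match:
            available[match.group(1).lower()] = name
    for tag in parse_accept_language(header):
        # Try the full tag first, then its primary language subtag.
        for candidate in (tag, tag.split("-")[0]):
            if candidate in available:
                return available[candidate]
    return f"{base}.html"  # the untagged file is the default language

if __name__ == "__main__":
    for hdr in ("ja-JP,ja;q=0.9,en;q=0.8", "de,fr;q=0.7", "de-DE,de;q=0.9", ""):
        print(repr(hdr), "->", select_variant(hdr, SAMPLE_FILES))
```

Under this assumed logic, a browser sending `en-US,en;q=0.9,ja;q=0.8` receives index_ja.html when index.html is the English page, because the untagged default carries no language tag to match against.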

More about Device-hosted Captive Web Portals

The following sections contain more information about device-hosted captive web portals.

Define Captive Web Portal Requirements

You have a great deal of flexibility in how you design a captive web portal. Consider these options:

Each of these options is described in more detail below, along with additional configuration details.

Note

Wireless clients must first associate with a device before being directed to a captive web portal.

Captive Web Portal Use Cases

The Extreme Networks captive web portal feature supports the following use cases:

User authentication: Select to require clients to enter and submit a valid user name and password to log in.

Redirecting connection requests to an external authentication system: Select to redirect unregistered clients’ HTTP and HTTPS traffic to a captive web portal on an external server, such as the Amigopod Visitor Management Appliance.

Self-Registration: Select to require clients to accept a network use policy by filling out various fields in a form, and submitting it.

Both User Authentication and Self-Registration: Select to combine the previous two registration types. Clients can authenticate by submitting a user name and password or complete and submit a registration form.

Use policy acceptance (UPA): Select for clients to accept a network use policy without having to complete a form.

SSID Access Security Methods

Different authentication methods support different captive web portal use cases. Except for self-registration or use policy acceptance, which do not require setting up an authentication method, the other use cases require you to enter access credentials and other information. The following authentication methods are used to secure captive web portals.

WPA/WPA2 802.1X (Enterprise): Select to use WPA2 for key management. Because WPA2 supports PMK caching and preauthentication whereas WPA does not, WPA2 is the better choice over WPA for wireless clients.

Note

When an ExtremeCloud IQ SSID uses WPA/WPA2 802.1X (Enterprise), the RADIUS clients are stored on the RADIUS server. If that server is an Extreme Networks device, you assign the user groups in the device-level settings. RADIUS user groups are never assigned to devices through a network policy. To see an outline of the configuration steps required to set up an Extreme Networks RADIUS server, see AAA Server Settings.

WPA/WPA2 PSK (Personal): Authenticate each client using a unique private preshared key.

Private PSK: Authenticate clients using a preshared key.

WEP: Use WEP (Wired Equivalent Privacy) to authenticate clients.

Unsecured (Open) Network: Allows open access to the SSID (not recommended).

Note

Unsecured, open networks provide neither authentication nor encryption for traffic in the SSID. However, you can assign a captive web portal to the SSID and enable MAC authentication.

Supported Captive Web Portal Use Cases and SSID Access Security Table

The table below lists the supported captive web portal use cases, which are directly related to the SSID access security method that you select.

Before a client reaches a captive portal, it must first form an association with the Extreme Networks device using key management, and the encryption and authentication methods that you configure for the SSID. In the table, this is indicated by a "+" where the Use policy acceptance row and the 802.1X columns intersect. Supported is indicated by +, not applicable is indicated by -.

Supported Captive Web Portal Use Case Combinations

| Captive Web Portal Use Case | PSK (WPA/WPA2 PSK (Personal)) | Private PSK | 802.1X (WPA/WPA2 802.1X (Enterprise)) | WEP | Open (Unsecured (Open) Network) |
|---|---|---|---|---|---|
| User authentication | + | - | - | + | + |
| Redirecting connection requests to an external authentication system (External Authentication) | + | - | - | + | + |
| Self-Registration | + | - | - | + | + |
| Both User Authentication and Self-Registration | + | - | - | + | + |
| Use policy acceptance | + | + | + | + | + |

When the registration type is Private PSK Server, clients connect to the network through two SSIDs: they use the first SSID during the registration process and the second after they complete their registration and receive private PSKs. The initial SSID uses open authentication; however, the device can secure client traffic through HTTPS. After clients receive their private PSKs, they can reconnect to the network through a second SSID—as indicated by the captive web portal—and secure their traffic using the private PSKs that they just received.

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.