
Captive Web Portals


View, add, and modify ExtremeCloud IQ and ExtremeCloud IQ Connect captive web portal parameters. View, add, and delete a walled garden.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Network Policies > policy_name > Wireless Networks > Add > All other Networks (standard) > Enable Captive Web Portal/ON > Add

or

Configure > Network Policies > policy_name > Wireless Networks > SSID_name > SSID Usage > SSID Authentication > captive_web_portal > New or Modify

About Captive Web Portals

Extreme Networks provides two types of captive web portals: those that individual APs host on built-in web servers and those that ExtremeCloud IQ hosts on web servers in the cloud. The former supports several user registration types (user authentication, self-registration to provide user data, use policy acceptance, self-registration to obtain a PPSK) plus an extensive set of configuration options. The latter supports two registration options: users can register by authenticating with their social media credentials or by requesting and submitting a PIN. A cloud-based captive web portal also has a simpler set of configuration options.

For more information about how to create a captive web portal, see Captive Web Portal. For more information on various captive web portal use cases, see "Captive Web Portal Use Case Considerations".

Add a new default captive web portal or a new custom captive web portal to an SSID on the New Captive Web Portal page. Modify a default captive web portal or a custom captive web portal for an SSID on the Edit Captive Web Portal page. In both cases, refer to the following sections.

Add Captive Web Portal Basic Parameters

As described in Captive Web Portal, the Add Captive Web Portal section displays the following basic captive web portal parameters:

Name: Enter a captive web portal name. The name can contain up to 32 characters without spaces.

Select features for this captive web portal: This section shows the features that were selected for this captive web portal. Return to Configure > Network Policies > policy_name > Wireless Networks > SSID_name to change these features, as described in Captive Web Portal.

Authentication Type: (if assigned) Indicates whether the SSID uses a RADIUS server or redirects users to an external URL for authentication. To change this setting, navigate to Configure > Network Policies > policy_name > Wireless Networks > SSID_name, as described in Captive Web Portal.

Modify Captive Web Portal Basic Parameters

Modify an existing captive web portal in the Edit Captive Web Portal window:

Name: The name of the captive web portal. The name can contain up to 32 characters without spaces.

Select features for this captive web portal: This section shows the features that were selected for this captive web portal. Return to Configure > Network Policies > policy_name > Wireless Networks > SSID_name to change these features, as described in Captive Web Portal.

Authentication Type (if assigned): Whether the SSID uses a RADIUS server or redirects users to an external URL for authentication. Return to Configure > Network Policies > policy_name > Wireless Networks > SSID_name to change the authentication type, as described in Captive Web Portal.

Add or Modify Captive Web Portal Settings

In the Captive Web Portal Settings section, you can customize and preview your login page, authentication method, and optional success and failure pages as described in "Customizing and Previewing Captive Web Portal Settings".

You can also import, upload, and remove login page files, and optional success and failure page HTML files in an admin-defined directory as described in "Importing Captive Web Portal HTML Files".

Customize and Preview Captive Web Portal Settings

Extreme Networks provides a default captive web portal profile you can customize for specific deployments. After you have added or modified the captive web portal name, basic features, and authentication type, you can preview and customize the current basic captive web portal settings in the section.

Preview the Captive Web Portal Settings

In the Edit Captive Web Portal panel, select Customize and Preview to view the predefined or admin-modified basic captive web portal profile.

Select Customization and Preview to view the landing page as seen by users on their client devices. Select Cancel to return to the Edit Captive Web Portal page.

Authentication Method shows the current method: CHAP, PAP, or MS-CHAP V2.

Turn Success Page ON, and then select Customization and Preview to view the success page as seen by users on their client devices.

Select the Redirect clients after a successful login attempt check box to redirect clients after they successfully log in to either the initial page or to a specified URL.

Set Failure Page to ON, then select Customization and Preview to view the error page as seen by users on their client devices. The selected radio button indicates whether the failure is displayed on the login page or on the standard failure page.

Select Save.

Customize Captive Web Portal Settings

Select Customize and Preview to see a preview of the captive web portal profile. You can modify the following items:

Select Customize to modify the landing page colors, logo, language, and landing message text. Select Save.

If required, change the authentication method to CHAP, PAP, or MS-CHAP V2.

Enable or disable Success Page. When enabled, select Customization and Preview to view the success page as seen by users on their client devices. Select Customize to modify success page colors, logo, language, and success message text. Select Save.

Enable or disable Success Page > Redirect clients after a successful login attempt. When enabled, successful clients are sent to either the initial page or to a specified URL.

Enable or disable the Failure Page. When enabled, select whether to show the failure on the login page or on the standard failure page.

Select Customization and Preview to view the error page as seen by failed users on their client devices. Select Customize to modify the error page colors, logo, and language. Select Save.

Enable or disable the Failure Page > Redirect clients after a failed login attempt. When enabled, choose to send failed clients either to the login page or to a specific URL.

Select Save.

Import Captive Web Portal HTML Files

You can import, upload, and remove custom HTML login pages, and optional custom success and failure page HTML files using an admin-defined directory. Imported HTML files override all customized captive web portal settings.

Select Captive Web Portal Settings > Import HTML to view the Web file directory and existing HTML files. You can use the predefined Web file directory and sample HTML files, or create a new Web file directory and upload replacement HTML files.

Select UPA-Example to download a sample .tgz file template. Use the template to create your own HTML files.

Verify the target Web file directory. If required, select Create to define a new Web file directory, and then select Done to return to the Edit Captive Web Portal page.

Select Manage Files > Upload/Remove to manage your replacement Login Page, Success Page, or Failure Page HTML files. Select Done to return to the Edit Captive Web Portal page.

Confirm your selections for replacement Login, Success, or Failure page HTML files from the Login Page, Success Page, and Failure Page drop-down menus.

Select Save.

Add or Modify Supported Languages

Select the primary default language for your captive web portal from the drop-down list. You can then select multiple additional languages, allowing your captive web portal to be used in many locations worldwide. Select Save.

Add or Modify Advanced Configurations

In the Advanced Configuration section, you can configure how traffic from previously unregistered clients and visitors is handled, and which client redirection policies to enforce.

Configure the Session Timer and Network Settings

Session Timer: Select the check box for Display session timer alert before session expires to display the session timer in the client's browser. The timer shows the registered client's login status, time remaining in the session, and elapsed time. You can choose to display the timer alert 5, 15, or 30 minutes before the session expires.

Network Settings: Enable Use default settings to use the default IP address and netmask for the interface hosting the SSID with the captive web portal, or an admin-defined IP address and netmask. Select Customize to enter an IP address and netmask for each of the interfaces. You can use IPv4 or IPv6 addresses.

Use DHCP and DNS Servers

You can configure whether DHCP and DNS traffic from unregistered clients is forwarded to external or internal servers, so that clients can receive IP address assignments and resolve the domain names in HTTP or HTTPS requests to IP addresses.

Configure an External Server

Use external servers: (Enabled by default.) You can use external servers to forward DHCP and DNS traffic from unregistered clients to external servers on the network. When enabled, unregistered and registered clients must be assigned to the same VLAN.

When a previously unregistered client first associates with an SSID using a captive web portal, the AP assigns an unregistered user profile to the client. The AP allows DHCP and DNS traffic so the client can receive an IP address and other TCP/IP settings and resolve domain names to IP addresses, and ICMP traffic for diagnostic purposes. However, the AP intercepts all HTTP and HTTPS traffic from that client—and drops all other types of traffic—and directs the visitor’s browser to a registration page. After the visitor registers, the AP no longer intercepts HTTP and HTTPS traffic from that MAC address, but allows the client to access external web servers.

Override the VLAN ID used during registration: (Only available for captive web portals using external DHCP and DNS servers.) Select the check box and choose a previously defined VLAN ID, or choose the empty space in the drop-down list and type in the VLAN ID that you want to assign to clients before and during the registration process. After successful registration, the AP assigns client traffic to the VLAN specified in the assigned user profile. If the VLAN assigned to clients during the registration process is different from that assigned to them afterward, make sure that the DHCP server in the pre-registration VLAN sets a short lease time, such as 10 seconds. With a short lease, clients can quickly obtain new network settings from the DHCP server in the post-registration VLAN after the registration process is complete.

Clear the check box to assign unregistered client traffic to the VLAN specified in the default user profile for the SSID where this captive web portal is used. By default, this check box is cleared.

Configure an Internal Server

Use Extreme devices: (Disabled by default.) Enable to forward DHCP and DNS traffic from unregistered clients to internal servers on the AP hosting the captive web portal. When enabled, unregistered and registered clients can be assigned to the same VLAN or to different VLANs because unregistered clients use DHCP and DNS servers on the AP, and registered clients use servers on the network. With this feature enabled, when the client of a previously unregistered guest first associates with the Guest Access SSID, the AP acts as a DHCP server, DNS server, and web server. The client’s network access is limited to only the AP with which it associated and the client browser is redirected to a registration page. After the guest registers, the AP stores the client’s MAC address as a registered client and allows the guest to access external servers.

Lease Time: (Default 10 seconds) Set the length of the DHCP lease assigned to the quarantined client of an unregistered guest. DHCP clients typically renew at the midpoint of the lease. After the client successfully registers, the AP allows the next DHCP lease request to pass to an external DHCP server. Keeping the lease short allows the client to obtain new network settings very soon after registering. You can change the DHCP lease length from 6 to 36,000 seconds (24 hours).

Renewal Response: From the drop-down list, choose how you want the AP to respond to a DHCP lease renewal request for a nonexistent lease. A lease can exist on a DHCP client but not on the AP DHCP server at two points in the captive web portal process:

(1) After a client registers and the AP DHCP server has just deleted the lease. Depending on the response (Renew-NAK-Broadcast or Renew-NAK-Unicast), the AP either broadcasts a DHCPNAK message on the quarantined section of the network or it sends a unicast message directly to the client whose lease it has deleted, prompting the client to move to the INIT state and send out a new DHCPDISCOVER message. If the AP DHCP server does not respond to the renewal request (Keep Silent), the client eventually sends a DHCPDISCOVER and finds the external DHCP server, which does respond. Because the lease for a quarantined address is short (10 seconds by default), ignoring the request results in a minimal delay in the transition from using a quarantined address provided by the AP DHCP server to a network address provided by an external DHCP server.

(2) When a registered client logs out of a session or the registration period expires. Even though there may be time left on the lease from an external DHCP server, the captive web portal session has ended and the AP disassociates the client. When the client reassociates, it sends a DHCPREQUEST message to the AP DHCP server, which discovers that there is no lease matching the DHCPREQUEST. The AP server responds with a broadcast DHCPNAK, unicast DHCPNAK, or remains silent. In response to the DHCPNAK or in response to a lack of a DHCP server response, the client sends a DHCPDISCOVER message, to which the AP responds with a DHCPOFFER, and the DHCP address cycle starts again.

However, some clients do not try to renew their lease when they reassociate if there is still a great amount of time remaining in their current lease. When they reassociate, they do not send a DHCPREQUEST, but instead continue using their current lease. As a result, the AP DHCP server cannot send a DHCPNAK—which it can only send in response to a DHCP client message—and the clients cannot go through the captive web portal process again.

Renew-NAK-Broadcast: By default, the AP responds by broadcasting DHCPNAK messages. Choosing either this option or the unicast DHCPNAK option can accelerate the transition to an external DHCP server on the network, or back to a quarantined address after the client logs out or the session times out.

Renew-NAK-Unicast: You can choose to have the AP respond by sending unicast DHCPNAK messages. Sending unicast messages can reduce traffic on the network; however, broadcasting the DHCPNAK is safer in environments where there is a large and uncontrollable variety of clients.

Keep Silent: You can choose to have the AP ignore the renewal request completely and allow the external DHCP server to respond. With this approach, the transition between DHCP servers can be slightly longer.
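The two situations described above (a lease deleted right after registration, and a client that reassociates after its session ended) and the three Renewal Response options can be followed more easily in code. The following is an added example, not Extreme Networks code: a small model of the AP DHCP server and of a client at its renewal point. Message names follow the page; the quarantined address, the MAC addresses and the state handling are constructed simplifications.

```python
# Added example (not Extreme Networks code): models the AP DHCP server's
# Renewal Response options and a client's reaction to NAK or silence.
from typing import Dict, List, Optional, Set

QUARANTINE_LEASE = 10  # seconds; the page's default Lease Time
RESPONSES = ("Renew-NAK-Broadcast", "Renew-NAK-Unicast", "Keep Silent")


class ApDhcpServer:
    def __init__(self, renewal_response: str = "Renew-NAK-Broadcast"):
        if renewal_response not in RESPONSES:
            raise ValueError(renewal_response)
        self.renewal_response = renewal_response
        self.leases: Dict[str, str] = {}   # client MAC -> quarantined address
        self.registered: Set[str] = set()

    def handle(self, mac: str, msg: str) -> Optional[str]:
        """Reply to one client message; None means the AP stays silent."""
        if msg == "DHCPDISCOVER":
            if mac in self.registered:
                return None  # passed through; the external DHCP server answers
            self.leases[mac] = "10.99.0.2"  # constructed quarantined address
            return "DHCPOFFER"
        if msg == "DHCPREQUEST":
            if mac in self.leases:
                return "DHCPACK"
            # The client holds a lease the AP no longer (or never) knows about:
            # point (1) or point (2) on the page.
            if self.renewal_response == "Renew-NAK-Broadcast":
                return "DHCPNAK(broadcast)"
            if self.renewal_response == "Renew-NAK-Unicast":
                return "DHCPNAK(unicast)"
            return None  # Keep Silent
        raise ValueError("unexpected message %r" % msg)

    def register(self, mac: str) -> None:
        """Registration succeeded: delete the quarantined lease."""
        self.registered.add(mac)
        self.leases.pop(mac, None)

    def end_session(self, mac: str) -> None:
        """Logout or registration period expired: portal must be repeated."""
        self.registered.discard(mac)


def run_renewal(server: ApDhcpServer, mac: str) -> List[str]:
    """Client at the midpoint of its lease: DHCPREQUEST, then react."""
    trace = ["DHCPREQUEST"]
    reply = server.handle(mac, "DHCPREQUEST")
    if reply is None:
        # Keep Silent: the client waits for the short lease to run out, then
        # restarts discovery and finds whichever server answers.
        trace.append("(no reply; lease expires after %ds)" % QUARANTINE_LEASE)
        trace.append("DHCPDISCOVER")
    elif reply.startswith("DHCPNAK"):
        trace += [reply, "INIT", "DHCPDISCOVER"]
    else:
        trace.append(reply)
    return trace


def reassociate(server: ApDhcpServer, mac: str, lease_left: int,
                renew_at_or_below: int) -> List[str]:
    """Client reassociating after a session ended. Some clients keep using a
    lease with plenty of time left instead of sending DHCPREQUEST; then the
    AP has nothing to NAK and the client skips the portal, as the page notes."""
    if lease_left > renew_at_or_below:
        return []
    return run_renewal(server, mac)
```

With the default option, a client whose lease the AP just deleted receives a broadcast DHCPNAK, drops to INIT and sends DHCPDISCOVER, which the AP now passes to the external server; with Keep Silent the same client only moves on when the 10-second quarantined lease expires.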

Configure Web Servers

Registration Period: Set the length of time that a registered client with an active session remains registered. If the client closes one session and later starts a new one while the AP still has a roaming cache entry for that client (one hour by default), the client does not have to register with the captive web portal again. If the client closes a session and starts a new session after the roaming cache entry has been removed, the client must complete the registration process again even if the new session begins within the registration period. The default registration period is 720 minutes (12 hours). The range is 1 to 120,960 minutes or 1 to 2016 hours (84 days).

Domain name: Enter the same domain name as the CN (common name) value in the server certificate that the captive web portal uses for HTTPS. The domain name can contain up to 32 characters and must be a valid domain name that a DNS server can resolve to the IP address of the interface hosting the captive web portal. This option allows you to use a server certificate from a CA that supports domain names as CNs, but not IP addresses.

Note

If the CN has a wildcard domain name that can match multiple valid domain names, enter one of the valid domain names instead of selecting the check box for Set the same domain name as the CN value in the certificate. For example, if the CN is *.aerohive.com, then you can enter something like "cwp.aerohive.com" in the Web Server Domain Name field, and the clients' browsers will not show a security warning when they make an HTTPS connection to the captive web portal.
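The rule in the note (enter a concrete host name that the wildcard CN covers, never an IP address and never the wildcard itself) can be checked before saving. The following is an added example, not Extreme Networks code: it applies the usual one-label wildcard matching convention to the Domain name field and reports anything that would make a client browser show a certificate warning. The 32-character limit is the page's; the function names are assumptions.

```python
# Added example (not Extreme Networks code): does the captive web portal
# Domain name match the server certificate's CN?
import ipaddress
from typing import List

MAX_DOMAIN_LEN = 32  # limit stated on the page for the Domain name field


def cn_matches(cn: str, domain: str) -> bool:
    """Exact match, or a '*.' CN covering exactly one left-most label."""
    cn = cn.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if not cn.startswith("*."):
        return cn == domain
    suffix = cn[1:]                     # "*.aerohive.com" -> ".aerohive.com"
    if not domain.endswith(suffix):
        return False
    left = domain[:-len(suffix)]        # the part the wildcard has to cover
    return left != "" and "." not in left


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_portal_domain(cn: str, domain: str) -> List[str]:
    """Return the problems found; an empty list means the name is usable."""
    problems = []
    if len(domain) > MAX_DOMAIN_LEN:
        problems.append("domain name is longer than %d characters" % MAX_DOMAIN_LEN)
    if is_ip_literal(domain):
        problems.append("an IP address is not a domain name a DNS server resolves")
    if domain.startswith("*."):
        problems.append("enter one concrete host name, not the wildcard CN itself")
    if not cn_matches(cn, domain):
        problems.append("%r does not match certificate CN %r" % (domain, cn))
    return problems
```

For the page's own case, check_portal_domain("*.aerohive.com", "cwp.aerohive.com") returns no problems, while the bare "aerohive.com", a two-level name such as "a.b.aerohive.com", or "*.aerohive.com" entered literally are all rejected.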

Security Using HTTPS

Enable HTTPS: Select the check box to enable HTTPS on the captive web portal, and then select the default HTTPS certificate (Default-CWPCert.pem, preloaded on ExtremeCloud IQ for captive web portals). The AP hosting the captive web portal then uses HTTPS to secure traffic between the client and its captive portal web server.

The certificate file must have the following properties:

Configure Client Redirection

Configure the following settings for client redirection.

Use HTTP 302: Select the check box to use HTTP 302 redirect code as the redirection method instead of JavaScript. Because some mobile web browsers do not support JavaScript, this option is useful for clients accessing the network with mobile browsers.

Introduce a delay before redirecting after a successful login attempt: When redirection is enabled for the success page, this setting determines how long the captive web portal displays this page before initiating the redirection. By default, the success page is displayed for 5 seconds before redirection occurs. You can enter a delay of 5 to 60 seconds.

Introduce a delay before redirecting after a failed login attempt: When redirection is enabled for the failure page, this setting determines how long the captive web portal displays this page before initiating the redirection. By default, the failure page is displayed to clients for 5 seconds before redirection occurs. You can enter a delay of 5 to 60 seconds.

Note

This redirection differs from that in the "Captive Web Portal Failure Page Settings" section, which the AP applies after a failed login attempt.

Prevent the Apple CNA (Captive Network Assistant) application from requesting credentials: Select this check box if you want to bypass the Apple CNA application for redirect actions.

Add or Modify a Walled Garden

A walled garden is an area of the network to which unregistered clients are allowed access. If you redirect unregistered clients to an external server, then you must include the IP address or domain name of that server in the walled garden. The walled garden defines a rule permitting a type of service to a specific server or network segment.

To create a walled garden, select .

In the Service Type dialog box, select one of the following:

Web: Allow clients access only to the World Wide Web.

All: Allow clients access to the World Wide Web and all other servers.

Advanced: Allow clients access only to the admin-defined IP object or host name.

If you selected Web or All, then also paste IP addresses or Host Names separated by commas into the Service Type text box.

If you selected Advanced, then also enter or select the following:

IP Object/Host Name: Enter an IP object or host name of the external web server. Choose a previously-defined IP address or host name from the drop-down list, enter a new IP address or domain name (up to 32 characters), or select and define a new one.

Service: Choose Web to permit HTTP and HTTPS traffic from unregistered clients to the external web server, choose All to permit all types of traffic, or choose Protocol and enter a protocol number (from 0 to 255) and port number to define the type of service you want to permit.

Select Add when you are finished. Your changes appear in the Walled Garden table. To remove a rule, select the check box next to the rule ID and then select Remove.
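The forwarding decision the AP makes for an unregistered client (DHCP, DNS and ICMP allowed, HTTP and HTTPS intercepted, everything else dropped, as described under "Configure an External Server") combined with the walled garden rules above can be written out as one policy function. The following is an added example, not Extreme Networks code: the packet fields, the rule layout and the sample addresses are constructed for the illustration, and the port numbers are the standard ones for each service.

```python
# Added example (not Extreme Networks code): per-packet decision for an
# unregistered client with an unregistered user profile plus a walled garden.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
WEB_PORTS = {80, 443}          # HTTP and HTTPS: the "Web" service type
DNS_PORT, DHCP_SERVER_PORT = 53, 67


@dataclass
class Packet:
    dst: str                   # destination IP address (IPv4 or IPv6)
    proto: int                 # IP protocol number
    dport: int = 0             # destination port, 0 for ICMP


@dataclass
class WalledGardenRule:
    target: str                # IP object: a host address or a network in CIDR form
    service: str = "Web"       # "Web", "All", or "Protocol"
    proto: Optional[int] = None   # only for service == "Protocol"
    port: Optional[int] = None    # only for service == "Protocol"

    def permits(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in ip_network(self.target, strict=False):
            return False
        if self.service == "All":
            return True
        if self.service == "Web":
            return pkt.proto == PROTO_TCP and pkt.dport in WEB_PORTS
        return pkt.proto == self.proto and (self.port is None or pkt.dport == self.port)


def decide(registered: bool, rules: List[WalledGardenRule], pkt: Packet) -> str:
    """Return ALLOW, REDIRECT or DROP for one packet from one client."""
    if registered:
        return "ALLOW"                       # AP stops intercepting after registration
    # Always allowed so the client can get an address, resolve names and ping.
    if pkt.proto == PROTO_UDP and pkt.dport in (DNS_PORT, DHCP_SERVER_PORT):
        return "ALLOW"
    if pkt.proto == PROTO_TCP and pkt.dport == DNS_PORT:
        return "ALLOW"
    if pkt.proto == PROTO_ICMP:
        return "ALLOW"
    # Walled garden: destinations unregistered clients may reach directly.
    if any(rule.permits(pkt) for rule in rules):
        return "ALLOW"
    if pkt.proto == PROTO_TCP and pkt.dport in WEB_PORTS:
        return "REDIRECT"                    # sent to the registration page
    return "DROP"
```

A walled garden entry for the external authentication server (here the page's example address 10.1.1.5 with the Web service) is what lets the redirected login request through; without it the same HTTPS request would itself be intercepted and redirected.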

When you are finished, select Save CWP.

Captive Web Portal Use Cases

The type of authentication method required depends on the captive web portal use case. The information below describes the five use cases and the authentication information required.

User Authentication: Choose the authentication method between the AP and RADIUS server. You can choose PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), or MS-CHAP V2 (for use when authenticating clients on an Active Directory server).

Redirect Connection Requests to an External Authentication System: Enter the information required, and then select Save.

Login URL: Enter the URL for the external web server to which the AP will redirect HTTP or HTTPS traffic. For example, http://10.1.1.5/ecwp.php.

The URL must begin with one of the following text strings:

http://

https://

www (ExtremeCloud IQ automatically adds http://)

Password Encryption: If you want clients to create their own accounts on the external web server, choose No Encryption (Plaintext Password).

If you populate the RADIUS server with user accounts and want to require clients to submit a user name and password, then you can choose UAM Basic or UAM with Shared Secret, or you can still choose No Encryption (Plaintext Password). After the client submits a user name and password in an HTTP POST message to the external web server, that server replies with a redirect message. There are several options for protecting the user password during its transfer from the client to the AP. With UAM Basic and UAM with Shared Secret, the user name is in plaintext but the password is encrypted. You might want to use one of these methods if the AP captive web portal is using HTTP, which provides no confidentiality. Even if the AP is using HTTPS—in which case, everything between the client and the AP is encrypted —you still might want to use one of these encryption methods because they allow the AP and external web server to confirm their identities.

UAM Basic: With this option, the AP adds a challenge to the HTTP-GET that it redirects the client to send to the external web server. The external web server uses the challenge to perform an XOR operation on the password that the client then sends in an HTTP-POST message. The external web server adds the result of that operation in its reply and redirects the client to send the HTTP-POST to the AP. The AP strips out the user name and encrypted password, uses XOR with the same challenge it originally added to the HTTP-GET to recover the plaintext password, and sends it to the RADIUS server using PAP, CHAP, or MSCHAPv2 authentication.

UAM with Shared Secret: The AP and the external web server use the same shared secret as part of a password encryption scheme. The AP sends the client's encrypted password to the RADIUS server along with other data that the RADIUS server can use to validate it. Enter a shared secret text string identical to the one that is set on the external web server. To ensure accuracy, enter the shared secret text string again.

No Encryption (Plaintext Password): (Default). Use this option when both the AP and external web server use HTTPS to encrypt traffic from the client.
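The UAM Basic exchange described above has three parties and two XOR operations with the same challenge, which is easiest to see with both sides written out. The following is an added example, not Extreme Networks or UAM reference code: it implements the flow as the page describes it (AP adds a challenge to the redirected GET, the external web server XORs the password with it in the POST, the AP XORs again to recover the plaintext for RADIUS). The challenge length, the hex encoding and the parameter names "challenge", "username" and "password" are assumptions made for the illustration; the login URL is the page's example.

```python
# Added example (not Extreme Networks code): the UAM Basic challenge/XOR
# round trip between AP, client and external web server.
import os
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_URL = "http://10.1.1.5/ecwp.php"   # page's example external web server


def xor_with_challenge(data: bytes, challenge: bytes) -> bytes:
    """XOR data against the challenge; the challenge must be at least as long."""
    if len(challenge) < len(data):
        raise ValueError("challenge shorter than the data to protect")
    return bytes(a ^ b for a, b in zip(data, challenge))


def ap_build_redirect(challenge: bytes) -> str:
    """AP side: redirect the client's HTTP GET to the external server,
    carrying the challenge as a query parameter (assumed layout)."""
    return LOGIN_URL + "?" + urlencode({"challenge": challenge.hex()})


def webserver_build_post(redirect_url: str, username: str, password: str) -> dict:
    """External web server side: read the challenge the client arrived with,
    XOR the submitted password with it, and form the POST the client is
    redirected to send back to the AP."""
    query = parse_qs(urlsplit(redirect_url).query)
    challenge = bytes.fromhex(query["challenge"][0])
    encrypted = xor_with_challenge(password.encode("utf-8"), challenge)
    return {"username": username, "password": encrypted.hex()}


def ap_recover(post: dict, challenge: bytes) -> Tuple[str, str]:
    """AP side: strip the user name and recover the plaintext password that
    is then sent to the RADIUS server (PAP, CHAP or MS-CHAP V2)."""
    encrypted = bytes.fromhex(post["password"])
    return post["username"], xor_with_challenge(encrypted, challenge).decode("utf-8")


def uam_basic_roundtrip(username: str, password: str, challenge: bytes = b"") -> Tuple[str, str]:
    """Run the whole exchange; a random challenge is used unless one is supplied."""
    challenge = challenge or os.urandom(32)
    redirect_url = ap_build_redirect(challenge)
    post = webserver_build_post(redirect_url, username, password)
    return ap_recover(post, challenge)
```

Note what the XOR does and does not give: the password never appears in plaintext in the POST, but the challenge that masks it was carried in the redirected GET, so the masking only holds against a party that does not see both messages. That is consistent with the page's advice that the plaintext option is for deployments where the AP and the external web server both use HTTPS.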

Self-Registration: No authentication information required.

Both User Authentication and Self-Registration: This is the same information that is required by user authentication. Choose the authentication method between the AP and RADIUS server. You can choose PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), or MS-CHAP V2 (for use when authenticating clients on an Active Directory server).

Use Policy Acceptance: No authentication information required.

Customize Default Captive Web Portal Pages

You can customize the standard, or default, captive web portal pages that clients see when they try to access wireless networks that you control and manage. You can edit or replace the default wording with your own, and adjust design elements such as background or text color. To use your logo, upload your logo file to replace the Extreme Networks logo.

Customize the User Agreement Text

Select Customize to edit the user agreement wording, and change the web page appearance. You can select different format styles and design elements, including your logo. To upload your logo design, select Add new file. The maximum file size that can be uploaded is 200 KB. You can customize this page by changing the background color, font, links, button, and button text. Select the appropriate icon to select your color preference. Your choices appear simultaneously on the preview page.

Note

File names cannot include special characters, except for hyphen ( - ) and underscore ( _ ).

Edit the text directly in the Design Content section to change the wording of the default user agreement. As you enter text, it appears on the preview page. You can also replace the default text with your own terms-of-use content by highlighting the text in the Design Content section and using the DELETE or BACKSPACE key to delete it. Then, enter or paste your content in the panel. Select Save in the panel, and then select Save in the main window when you are done. To restore the default wording and appearance, select Reset in the Customize panel.

Customize the Standard Success Page

Select Customize to edit the success page default wording, and change the web page appearance using the same procedures you used when customizing the standard web page. To add a short description that appears under "Login Successful", edit the text in the Design Content section. Select Save in the panel, and then Save at the lower right of the page when you are done. To restore the default wording and appearance, select Reset in the Customize panel.

You can choose to Redirect clients after a successful attempt by selecting the check box. You can redirect the client to the initial page, or to a specified URL. Enter the specific URL in the field.

Customize the Failure Page

When the client is unable to access the network after entering valid credentials, you can choose a number of actions to take. You can choose to display the standard failure page, or to Use login page to display the failure message. You can change the wording on these pages and the web page appearance by selecting Preview, and then Customize. When you are finished, select Save in the panel, and then Save at the lower right of the page. To restore the default wording and appearance, select Reset.

Select the check box to Redirect clients after a failed login attempt. With this option the AP waits 5 seconds by default before it redirects the client's browser to the login page after an unsuccessful registration attempt. You can change the length of the delay in the Advanced Configuration section. You can also choose to redirect To a specified URL on an external web server after an unsuccessful login attempt. Enter the URL in the field.

The URL must begin with one of the following text strings:

http://

https://

www (ExtremeCloud IQ automatically adds http://)

Any URLs that do not begin with www must begin with either http:// or https://. For example: http://10.1.1.5/welcome.htm or https://guest.hyatt.com. If you change the external URL, you must upload captive web portal files to the APs hosting the captive web portal, and upload and activate captive web portal pages and server key. Uploading a delta or full configuration will not cause the change to take effect.

Note

If you enable redirection to an external page, you must configure a walled garden with the IP address or domain name of the server that unregistered clients will access. You can define a walled garden in the Optional Advanced Configuration Settings section. (If you enter a domain name, make sure that the AP has access to a DNS server that can resolve it to an IP address.)
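The two requirements on an external redirect URL stated above (it must begin with http://, https:// or www, with http:// prepended to www, and the server it points at must be in the walled garden) can be checked together before saving. The following is an added example, not Extreme Networks code: the function names are assumptions, the sample URLs are the page's own examples, and the walled garden is represented simply as the list of IP addresses and host names entered for it.

```python
# Added example (not Extreme Networks code): validate an external redirect
# URL and confirm its server is covered by the walled garden.
from typing import Iterable
from urllib.parse import urlsplit


def normalize_redirect_url(url: str) -> str:
    """Apply the page's rule: http:// and https:// are accepted as-is, a
    leading www gets http:// added, anything else is rejected."""
    url = url.strip()
    if url.startswith(("http://", "https://")):
        return url
    if url.startswith("www"):
        return "http://" + url
    raise ValueError("URL must begin with http://, https:// or www: %r" % url)


def redirect_host(url: str) -> str:
    """Host name or IP address the AP must let unregistered clients reach."""
    host = urlsplit(normalize_redirect_url(url)).hostname
    if not host:
        raise ValueError("no host in %r" % url)
    return host


def walled_garden_covers(url: str, walled_garden: Iterable[str]) -> bool:
    """True when the redirect target's host or address is a walled garden entry."""
    host = redirect_host(url).lower().rstrip(".")
    return any(entry.strip().lower().rstrip(".") == host for entry in walled_garden)


def missing_walled_garden_entry(url: str, walled_garden: Iterable[str]) -> str:
    """The entry that would have to be added, or '' if nothing is missing."""
    return "" if walled_garden_covers(url, walled_garden) else redirect_host(url)
```

When the entry is a host name rather than an address, the note's second condition still applies: the AP must be able to resolve it, which this check cannot confirm offline.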

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.