To configure a captive portal policy:
The upper left-hand side of the user interface displays a Services menu where Captive Portal, DHCP, and RADIUS configuration options can be selected.
Captive Portal Policy | Displays the name assigned to the captive portal policy when initially created. A policy name cannot be modified as part of the edit process. |
Captive Portal Server Host | Lists the IP address (non DNS hostname) of the external (fixed) server validating user permissions for the listed captive portal policy. This item remains empty if the captive portal is hosted locally. |
Captive Portal IPv6 Server | Lists the IPv6 formatted IP address (non DNS hostname) of the external (fixed) IPv6 server validating user permissions for the listed captive portal policy. This item remains empty if the captive portal is hosted locally. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. |
Captive Portal Server Mode | Lists each policy's hosting mode as either Internal (Self) or External (Fixed). If the mode is Internal (Self), the controller or Access Point is maintaining the captive portal internally, while External (Fixed) means the captive portal is being hosted on an external server resource. |
Hosting VLAN Interface | Lists the VLAN (from 1 - 4,094) a client utilizes for controller or service platform interoperation when the Captive Portal Server Mode is set to Centralized Controller. |
Connection Mode | Lists each policy's connection mode as either HTTP or HTTPS. Both HTTP and HTTPS use the same Uniform Resource Identifier (URI) so that requesting clients can be identified. However, we recommend using HTTPS because it affords transmissions a measure of data protection HTTP cannot provide. |
Simultaneous Users | Displays the number of users permitted at one time for each listed captive portal. A captive portal can support from 0-8192 users simultaneously. |
Web Page Source | Displays whether the captive portal HTML pages are maintained Internally, Externally (on an external system you define), or are Advanced pages maintained and customized by the network administrator. Internal is the default setting. |
AAA Policy | Lists each AAA policy used to authorize captive portal access requests. When a captive portal policy is created or modified, an AAA policy must be defined and applied to effectively authorize, authenticate, and account user requests for captive portal access. |
Select Replace to replace an existing captive portal policy with another captive portal policy.
A Basic Configuration screen displays by default. Define the policy‘s security, access, and whitelist basic configuration before actual HTML pages can be defined for guest user access requests.
Captive Portal Policy | If you are creating a new policy, assign a name representative of its access permissions, location or intended wireless client user base. If you are editing an existing captive portal policy, the policy name cannot be modified. The name cannot exceed 32 characters. |
Captive Portal Server Mode | Set the mode as either Internal (Self), Centralized or Centralized Controller. Select the Internal (Self) radio button to maintain the captive portal configuration (Web pages) internally. Select the Centralized radio button if the captive portal is supported on an external server. Select the Centralized Controller radio button if the captive portal is supported on a centralized controller or service platform. The default value is Internal (Self). |
Hosting VLAN Interface | When Centralized is selected as the Captive Portal Server Mode, specify the VLAN (between 0 and 4096) for client communication. Select 0 to use the default client VLAN. 0 is the default setting. |
Captive Portal Server Host | When Centralized is selected as the
Captive Portal Server Mode, set a
numeric IP address (or DNS hostname) for the server
validating guest user permissions for the captive portal
policy. When Centralized Controller is selected, use this field to provide the hostname of the controller or controllers acting as the captive portal server host. |
Captive Portal IPv6 Server |
When using Centralized mode, select this option to define an IPv6 formatted address of the controller, service platform or Access Point resource hosting the captive portal. |
Connection Mode | Select either HTTP or HTTPS to define the connection medium to the Web server. We recommend the use of HTTPS because it affords some additional data protection HTTP cannot provide. The default value, however, is HTTP. |
Simultaneous Access | Select the check box and use the spinner control to set from 1-8192 users (client MAC addresses) allowed simultaneous access to the captive portal and its resources. |
Access Type | Select the authentication scheme
applied to clients requesting captive portal guest access to
the WiNG network. Within the WiNG UI there are six options.
The WiNG CLI uses five options. User interface options
include:
|
Terms and Conditions page | Select this option (with any access type) to include terms that must be adhered to for clients requesting captive portal access. These terms are included in the Terms and Conditions page when No authentication required is selected as the access type, otherwise the terms appear in the Login page. The default setting is disabled. |
Frictionless Onboarding |
Select this option to enable wireless clients, associated with guest WLANs, to self-register with the ExtremeGuest server. In other words, this feature enables frictionless on-boarding of guest users to the ExtremeGuest server. It also provides an integration API, as a means of on-boarding guest users through a loyalty application. In the captive portal, set access-type as ‘Registration‘, enable ‘Frictionless Onboarding‘, and provide the Localization URL to trigger a one-time redirect on demand. The defined URL is triggered from a mobile application to derive location information from the wireless network so an application can be localized to a particular store or region. Note: If enabling this feature, in the
WLAN (using this captive-portal) set the following
parameters: authentication-type as ‘MAC‘ and
registration-mode as ‘device‘. Enable the ‘External
Controller‘ and ‘Follow AAA‘ options. Use the AAA Policy
drop-down menu to specify the AAA policy. In the AAA
policy, ensure that the authentication server
configuration points to the ExtremeGuest server.
|
If selected, the requesting client‘s guest user Facebook social media profile (collected from the social media server) is registered on the device. Captive portal authentication then becomes a fallback mechanism to enforce guest registration through social authentication. This option is disabled by default. | |
If selected, the requesting client‘s guest user Google social media profile (collected from the social media server) is registered on the device. Captive portal authentication then becomes a fallback mechanism to enforce guest registration through social authentication. This option is disabled by default. |
RADIUS VLAN Assignment |
Select this option to enable client VLAN assignments using the RADIUS server. If, as part of the authentication process, the RADIUS server returns a client‘s VLAN-ID in a RADIUS access-accept packet, and this feature is enabled, all client traffic is forwarded on the post authentication VLAN. If disabled, the RADIUS server‘s VLAN assignment is ignored and the VLAN configuration defined within the WLAN configuration is used instead. This feature is disabled by default. |
Post Authentication VLAN | When this option is selected, a specific VLAN is assigned to the client upon successful authentication. The available range is from 1 - 4,096. |
Client Access Time | Use the spinner control to define the duration wireless clients are allowed access to using the captive portal policy when there is no session time value defined for the RADIUS response. Set an interval from 10 - 10,800 minutes. The default interval is 1,440 minutes. |
Inactivity Timeout | Use the drop-down menu to specify an interval in either minutes (1 - 1,440) or seconds (60 - 86,400) that, when exceeded, times out the session. The default is 10 minutes. |
Enable | Select this option to report a captive portal client‘s loyalty application presence and store this information in the captive portal‘s user database. The client‘s loyalty application detection occurs on the Access Point to which the client is associated and allows a retail administrator to assess whether a captive portal client is using specific retail (loyalty) applications in their captive portal. This setting is enabled by default. |
App Name | Use the drop-down menu to select an existing application to track for loyalty utilization by captive portal clients. This enables an administrator to assess whether patrons are accessing an application as expected in specific retail environments. To create an application if none exists suiting the specific reporting needs of captive portal clients, see Application. |
To effectively host captive portal pages on an external web server, the IP addresses of the destination web servers should be in the whitelist.
Enable RADIUS Accounting | Select this option to use an external RADIUS resource for AAA accounting. When selected, a AAA Policy field displays. This setting is disabled by default. |
Enable Syslog Accounting | Select this option to log information about the use of remote access services by users using an external syslog resource. This information is of great assistance in partitioning local versus remote users. Remote user information can be archived to an external location for periodic network and user administration. This feature is disabled by default. |
Syslog Host | When syslog accounting is enabled, use the drop-down menu to determine whether an IP address or Hostname is used as a syslog host. The IP address or hostname of an external server resource is required to route captive portal syslog events to that destination external resource destination. A hostname cannot contain an underscore. |
Syslog Port | When syslog accounting is enabled, define the numerical syslog port the used to route traffic with the external syslog server. The default port is 514. |
Limit | Select this option to enable data limits for captive portal clients. Specify the maximum amount of data, in megabytes, allowed for each captive portal client. When a user reaches this threshold, from 1 and 102,400 megabytes, it triggers the specified action. |
Action | When a captive portal client reaches its data usage limit, a
specified log action is executed. Choose from one of:
When Log Only is selected, an entry is added to the log file whenever a captive portal client exceeds the data limit. When log-and-disconnect is selected, an entry is added to the log file when the data limit is exceeded and the client is disconnected from the captive portal. |
FQDN | Provide the FQDN address (for example, local.guestaccess.com) used to obtain localization parameters for a client. |
Response | Enter a response message (512-character maximum) directed back to the client for localization HTTP requests. |
The Login screen prompts the user for a username and password to access the captive portal and proceed to either the Terms and Conditions page (if used) or the Welcome page.
The Terms and Conditions page provides conditions that must be agreed to before captive portal access is permitted.
The Welcome page asserts a user has logged in successfully and can access the captive portal. The Welcome Back page greets returning users.
The Fail page asserts authentication attempt has failed, the user is not allowed to access the internet (using this captive portal) and must provide the correct login information again to access the internet.
The No Service page asserts the captive portal service is temporarily unavailable for technical reasons. Once the services become available, the captive portal user is automatically connected back to the services available through the captive portal.
Available sources include Internal, External and Advanced. If Internal is selected, provide the information for each of the screens. If Advanced is selected, follow the on-screen instructions to upload custom Web pages. If Externally hosted is selected, provide the URLs for each of the necessary pages in the fields below.
Organization Name | Set any organizational specific name or identifier which clients see during login. This setting is available only for the Login page. |
Title Text | Set the title text displayed on the pages when wireless clients access captive portal pages. The text should be in the form of a page title describing the respective function of each page and should be unique to each function. |
Header Text | Provide header text unique to the function of each page. |
Login Message | Specify a message containing unique instructions or information for the users who access the Login, Terms and Condition, Welcome, Fail, No Service or Registration pages. In the case of the Terms and Agreement page, the message can be the conditions requiring agreement before captive portal access is permitted. |
Footer Text | Provide a footer message displayed on the bottom of each page. The footer text should be any concluding message unique to each page before accessing the next page in the succession of captive portal Web pages. |
Main Logo URL | The Main Logo URL is the URL for the main logo image displayed on each of the pages. Use the Browse button to navigate to the location of the target file. Optionally select the Use as banner option to designate the selected main logo as the page‘s banner as well. The banner option is disabled by default. |
Small Logo URL | The Small Logo URL is the URL for a small logo image displayed on the screens. Use the Browse button to navigate to the location of the target file. |
Signature | Provide the copyright and legal signature associated with the usage of the captive portal and the usage of the organization name provided. This setting is available only for the Login page. |
These fields are customizable to meet the needs of retailers providing guest access. The captive portal sends a message to the user (on the phone number or Email address provided at registration) containing an access code. The user inputs the access code and the captive portal verifies the code before returning the Welcome page and providing access. This allows a retailer to verify the phone number or Email address is correct and can be traced back to a specific individual.
Web pages in the directory can be copied to and from the controller or service platform, to support the captive portal.
Use the File Transfers sub-menu in the Operations page to transfer files to the appropriate devices serving up the web pages.
Select Redirect the user to externally hosted URL to use an externally hosted server resource and its login permissions for logging into the advanced page. This setting is disabled by default.
Login URL | Define the complete URL for the location of the Login screen. The Login screen prompts the user for a username and password to access either the Terms and Conditions or Welcome page. |
Agreement URL | Define the complete URL for the location of the Terms and Conditions page. The Terms and Conditions page provides conditions that must be agreed to before wireless client access is provided. |
Welcome URL | Define the complete URL for the location of the Welcome page. The Welcome page asserts the user has logged in successfully and can access network resources via the captive portal. |
Fail URL | Define the complete URL for the location of the Fail page. The Fail page asserts authentication attempt has failed, and the client cannot access the captive portal. The client needs to provide correct login information to regain access. |
Acknowledgement URL | Define the complete URL to the location of the Acknowledgement page. The Acknowledgement URL is needed by returning users whose MAC addresses has been validated previously, but must accept the conditions of the captive portal again. |
No Service URL | Define the complete URL to the location of the No URL page. The No Service URL is needed by users encountering difficulties connecting to the external resource used to host the captive portal pages. |
Registration URL | Define the complete URL to the location of the Registration page. The Registration URL is supported by NX9500, NX9600 and NX75XX service platform models as an adopting controller verifying (registering) user information before client access is provided to captive portal managed Internet resources. |