configuring WeChat Wi-Fi hotspot support in WiNG captive portal

WeChat is a popular messaging app used in China with more than 500 million installations. WeChat‘s WiFi hotspot solution allows businesses to provide Internet access to their customers. The WiNG captive portal can be configured to incorporate the WeChat WiFi hotspot, so that WeChat users, on their first connect to a WiNG access point, can automatically authenticate with the WeChat server through an intermediate server.

This section provides an example that shows the configurations required to be made on the WiNG portal to enable WeChat Wi-Fi hotspot.

  1. Create an AAA policy re-directing the captive portal user to WeChat‘s AAA server for authentication, as shown in the following example:
    nx9500-6C8809(config)#aaa-policy cloud2
    nx9500-6C8809(config-aaa-policy-cloud2)#authentication server 1 host cloud2.synchroweb.com secret 0 firmware
    nx9500-6C8809(config-aaa-policy-cloud2)#show context
    aaa-policy cloud2
    authentication server 1 host cloud2.synchroweb.com secret 0 firmware
    nx9500-6C8809(config-aaa-policy-cloud2)#
    Note

    Note

    Synchroweb is an independent software vendor (ISV), whose third-party software is being used as the intermediate server. The AAA server and RADIUS accounting server configured in AAA policy must be as per the specification provided by the ISV.
  2. Create a DNS whitelist, whitelisting WeChat‘s server name in order to initiate RADIUS authentication. The “qq.com” domain name is where WeChat server can be reached.
    nx9500-6C8809(config)#dns-whitelist wxWL
    nx9500-6C8809(config-dns-whitelist-wxWL)#permit cloud2.synchroweb.com
    nx9500-6C8809(config-dns-whitelist-wxWL)#permit qq.com suffix
    nx9500-6C8809(config-dns-whitelist-wxWL)#show context
    dns-whitelist wxWL
    permit qq.com suffix
    permit cloud2.synchroweb.com
    nx9500-6C8809(config-dns-whitelist-wxWL)#
  3. Create a captive portal and associate the AAA policy and DNS whitelist created in steps 1 & 2, as shown in the following example:
    nx9500-6C8809(config)#captive-portal wxCP
    nx9500-6C8809(config-captive-portal-wxCP)#use aaa-policy cloud2
    nx9500-6C8809(config-captive-portal-wxCP)#use dns-whitelist wxWL
  4. Configure the following parameters in the captive portal created in step 3:
    nx9500-6C8809(config-captive-portal-wxCP)#access-time 10
    nx9500-6C8809(config-captive-portal-wxCP)#server host guest.extreme.com
    nx9500-6C8809(config-captive-portal-wxCP)#webpage-location external
    nx9500-6C8809(config-captive-portal-wxCP)#webpage external login http://cloud2.synchroweb.com/wechat.nx/index.phpc=WING_TAG_CLIENT_MAC
    nx9500-6C8809(config-captive-portal-wxCP)#)#show context
    captive-portal wxCP
    access-time 10
    server host guest.extreme.com
    webpage-location external
    webpage external login http://cloud2.synchroweb.com/wechat.nx/index.phpc=WING_TAG_CLIENT_MAC
    use aaa-policy cloud2
    use dns-whitelist wxWL
    --More--
    nx9500-6C8809(config-captive-portal-wxCP)#
    Note

    Note

    The login URL configured here must be as per the specifications provided by the ISV.
    Note

    Note

    The access-type remains unchanged (i.e. radius, which is the default setting). The access-time is set to a minimum value (10 minutes in this example) in order to avoid the default value of 24 hours being applied, in case the RADIUS response does not contain the session-timeout attribute.
  5. Create a WLAN and associate the captive portal created in step 3:
    nx9500-6C8809(config)#wlan wxOpen
    nx9500-6C8809(config-wlan-wxOpen)#ssid wxOpen
    nx9500-6C8809(config-wlan-wxOpen)#vlan 200
    nx9500-6C8809(config-wlan-wxOpen)#use captive-portal wxCP
    nx9500-6C8809(config-wlan-wxOpen)#captive-portal-enforcement
    nx9500-6C8809(config-wlan-wxOpen)#show context
    wlan wxOpen
    ssid wxOpen
    vlan 200
    bridging-mode local
    encryption-type none
    authentication-type none
    use captive-portal wxCP
    captive-portal-enforcement
    nx9500-6C8809(config-wlan-wxOpen)#
    Note

    Note

    The modes of authentication and encryption remain unchanged (i.e. none, which is the default setting for both parameters). Ensure captive-portal-enforcement is enabled on the WLAN.
    Following are the related commands:
    AAA Policy Documents AAA policy configuration mode commands
    dns-whitelist Documents DNS whitelist configuration mode commands
    captive-portal Documents captive portal configuration mode commands
    wlan Documents WLAN configuration mode commands