configuring ExtremeGuest captive portal

About this task

This section documents the basic configurations required to deploy an ExtremeGuest (EGuest) setup. A typical EGuest deployment consists of the EGuest server, EGuest captive-portal database, and NOC adopting the access points. The EGuest server and database can be hosted only on the VX9000 platform.

In the following example, the EGuest server and database are hosted on the same device.

Procedure

  1. On the EGuest server/database host,
    1. enable the EGuest daemon. When enabled, the EGuest server is up and running.
      EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#eguest-server
    2. apply a database-policy to enable the EGuest database.
      EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#use database-policy default
    3. configure the NTP server. This is to ensure time synchronization across replica-set members (this is mandatory in replica-set deployments and should be configured either on the replica-set members‘ device or profile context).
      EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#ntp server time.nist.govt
  2. On the NOC,
    1. create an AAA policy with the following configurations:
      • Configure the EGuest server (configured in Step 1) as the authentication and accounting RADIUS server.
        NOC(config-aaa-policy-EguestAAA)#authentication server 1 host EG-Server secret 0 extreme123
        NOC(config-aaa-policy-EguestAAA)#accounting server 1 host EG-Server secret 0 extreme123
      • Configure the proxy-mode as ‘through-controller‘. When configured, all requests to the server are proxied through the NOC.
        NOC(config-aaa-policy-EguestAAA)#authentication server 1 proxy-mode through-controller
        NOC(config-aaa-policy-EguestAAA)#accounting server 1 proxy-mode through-controller
        NOC(config-aaa-policy-EguestAAA)#show context
        aaa-policy EguestAAA
        accounting server 1 host EG-OnBServer secret 0 extreme123
        accounting server 1 proxy-mode through-controller
        authentication server 1 host EG-Server secret 0 extreme123
        authentication server 1 proxy-mode through-controller
        NOC(config-aaa-policy-EguestAAA)#
    2. Create a DNS whitelist. Note, DNS whitelist configuration is required only if enabling OAuth on the EGuest captive-portal. When created and used on the EGuest captive-portal, the DNS whitelist renders social plugin buttons on the client prior to successful captive portal authentication.
      • Configure the following permit rules:
        NOC(config-dns-whitelist-EguestDNS)#permit fbstatic-a.akamaihd.net
        NOC(config-dns-whitelist-EguestDNS)#permit connect facebook.net
        NOC(config-dns-whitelist-EguestDNS)#permit facebook.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit fbcdn.net suffix
        NOC(config-dns-whitelist-EguestDNS)#permit googleapis.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit google.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit googleusercontent.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit linkedin.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit static.licdn.com
        NOC(config-dns-whitelist-EguestDNS)#permit twitter.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit twimg.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit instagramstatic-a.akamaihd.net
        NOC(config-dns-whitelist-EguestDNS)#permit instagram.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit ssl.gstatic.com
        NOC(config-dns-whitelist-EguestDNS)#permit extremenetworks.com suffix
        NOC(config-dns-whitelist-EguestDNS)#permit local.extreme.com
    3. Create a captive-portal with the following configurations:
      • Specify the captive-portal server.
        NOC(config-captive-portal-EguestCP)#server host guest.extreme.com
      • Use the AAA policy created in Step 2 a.
        NOC(config-captive-portal-EguestCP)#use aaa-policy EguestAAA
      • Enable social-media authentication. This setting is optional.
        NOC(config-captive-portal-EguestCP)#oauth
      • Use the DNS whitelist created in Step 2 b. Note, the DNS whitelist is required only if enabling OAuth on the captive-portal.
        NOC(config-captive-portal-EguestCP)#use dns-whitelist EguestDNS
      • Configure the captive portal's webpage location as advanced.
        Note

        Note

        Webpage-location should be ‘advanced‘ if using pages created with EGuest splash templates.
        NOC(config-captive-portal-EguestCP)#webpage-location advanced
    4. Create a WLAN policy with the following configurations:
      • Enable MAC authentication.
        NOC(config-wlan-EguestWLAN)#authentication-type mac
      • Use the AAA policy created in Step 2 a.
        NOC(config-wlan-EguestWLAN)#use aaa-policy EguestAAA
        Note

        Note

        When used, access points/controllers forward registration requests to the EGuest server specified in the AAA policy. However, ensure that the registration > external > follow-aaa option is configured on the WLAN. See below.
        NOC(config-wlan-EguestWLAN)#registration external follow-aaa
        Note

        Note

        This enables the use of the Authentication and Accounting servers specified in the AAA policy applied on the WLAN.
      • Use the captive-portal created in Step 2 c.
        NOC(config-wlan-EguestWLAN)#use captive-portal EguestCP
      • Enable captive-portal enforcement with fall-back.
        NOC(config-wlan-EguestWLAN)#captive-portal-enforcement fall-back
      • Configure the following guest registration parameters:
        NOC(config-wlan-EguestWLAN)#registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
        Note

        Note

        This is the RADIUS group assigned to registered users post authentication.
        NOC(config-wlan-EguestWLAN)#show context
        wlan EguestWLAN
        ssid _EXTREME-GUEST-NRF2017
        vlan 1
        bridging-mode local
        encryption-type none
        authentication-type mac
        no answer-broadcast-probes
        no client-client-communication
        wireless-client hold-time 300
        use aaa-policy EguestAAA
        use captive-portal EguestCP
        captive-portal-enforcement fall-back
        registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
        registration external follow-aaa
        mac-authentication cached-credentials
        NOC(config-wlan-EguestWLAN)#
    5. In the NOC‘s self context, configure the EGuest server.
      NOC(config-device-74-67-F7-5C-64-4A)#eguest-server host 1 EG-Server https
  3. In the Access Point‘s device or profile context, use the captive-portal configured in Step 2 c.
    Eguest-AP(config-device-74-67-F7-5C-64-4A)#use captive-portal EguestCP
  4. To view EGuest registration status and statistics, on the EGuest server, use the following commands:
    EG-Server-DB#show eguest registration statistics
    EG-Server-DB#show eguest registration status
  5. To clear EGuest registration statistics, on the EGuest server, use the following command:
    EG-Server-DB#clear eguest registration statistics
    Following are the related commands:
    AAA Policy Documents AAA policy configuration mode commands
    dns-whitelist Documents DNS whitelist configuration mode commands
    captive-portal Documents captive portal configuration mode commands
    wlan Documents WLAN configuration mode commands
    eguest-server (VX9000 only) Documents the eguest-server command. When used in the EGuest server‘s device/profile context, without the ‘host‘ option, it enables the EGuest daemon. When used on the NOC along with the ‘host‘ option, it points to the EGuest server.