Configuring a Captive Portal Policy

Note

You must configure the policy’s security, access, and whitelist basic parameters before actual HTML pages can be defined for guest user access requests.
  1. Select Policies > Captive Portals.
    The Captive Portal window opens. If any captive portal policies are configured, they appear in a list in the Captive Portal pane. The total number of captive portal policies is shown in parentheses. You can choose from the following actions:
    1. Select the sort icon adjacent to a column heading to sort the data by the heading topic. By default, the data is sorted in ascending order, as indicated by the direction of the arrow in the icon. Toggle the icon to sort the column data in descending order. The "1" indicates the column heading by which the data is currently sorted.
    2. Select the Edit icon associated with a captive portal policy to modify it.
      When you select Edit, the Basic Configuration screen appears. Edit the captive portal policy parameters in accordance with the instructions in the steps in this procedure. You cannot edit the Policy Name.
    3. Select the Delete icon associated with a captive portal policy to remove it.
    4. Select the Add icon to create a new captive portal policy.
      When you select Add, the Add Policy window appears.
      1. Assign a policy Name representative of its access permissions, location or intended wireless client user base. The name cannot exceed 32 characters.
      2. Select Add to save the policy.

        The Basic Configuration screen opens.

      3. Configure the captive portal policy parameters in accordance with the instructions in the steps in this procedure.
  2. Configure the following captive portal policy Settings:
    Captive Portal Server Mode Set the server mode. Options are:
    • Internal (Self) — Select this option to maintain the captive portal configuration (Web pages) internally.
    • Centralized — Select this option if the captive portal is supported on an external server.
    • Centralized Controller — Select this option if the captive portal is supported on a centralized controller or service platform.

    The default value is Internal (Self).

    Hosting VLAN Interface When Centralized Controller is selected as the Captive Portal Server Mode, specify the VLAN (between 0 and 4096) for client communication. Select 0 to use the default client VLAN. 0 is the default setting.
    Captive Portal IPv6 Server

    When using Centralized mode, select this option to define an IPv6 formatted address of the controller, service platform, virtual platform or access point resource hosting the captive portal.

    Captive Portal Server Host When Centralized is selected as the Captive Portal Server Mode, set a numeric IP address (or DNS hostname) for the server validating guest user permissions for the captive portal policy.

    When Centralized Controller is selected, use this field to provide the hostname of the controller or controllers acting as the captive portal server host.

    Simultaneous Access Select this check box and use the spinner control to set from 1-8192 users (client MAC addresses) allowed simultaneous access to the captive portal and its resources.
    Connection Mode Select either HTTP or HTTPS to define the connection medium to the Web server. We recommend the use of HTTPS because it affords some additional data protection HTTP cannot provide. The default value, however, is HTTP.
  3. To define the Security settings, use the AAA Policy drop-down menu to select the policy used to validate user credentials and provide captive portal access to the network.
    If no AAA policies exist, you must create one. See Authentication, Authorization, and Accounting (AAA) Policy for details.
  4. Set the following Access parameters to define captive portal access, RADIUS lookup information, and whether the Login pages contain agreement terms that must be accepted before access is granted to controller, service platform or virtual platform resources using the captive portal:
    Access Type Select the authentication scheme applied to clients requesting captive portal guest access to the WiNG network. Options are:
    • No authentication required - Requesting clients are redirected to the captive portal Welcome page without authentication.
    • RADIUS Authentication - A requesting client’s user credentials require authentication before access to the captive portal is permitted. This is the default setting.
    • Registration - A requesting client’s user credentials require authentication through social media credential exchange.
    • Email Access - Clients use E-mail username and passwords for authenticating their captive portal session. Optionally set whether E-mail access requests are RADIUS validated.
    • Mobile Access - Mobile clients use their device’s access permissions for authenticating their captive portal session. Optionally set whether mobile access requests are RADIUS validated.
    • Other - Requesting guest clients use a different means of captive portal session access (aside from E-mail or mobile device permissions). Optionally set whether these other access requests are RADIUS validated.
    Terms and Conditions page Select this option (with any access type) to include terms that must be adhered to for clients requesting captive portal access. These terms are included in the Terms and Conditions page when No authentication required is selected as the access type, otherwise the terms appear in the Login page. The default setting is disabled.
    Frictionless Onboarding Select this option to enable wireless clients, associated with guest WLANs, to self-register with the ExtremeGuest server. In other words, this feature enables frictionless on-boarding of guest users to the ExtremeGuest server.

    It also provides an integration API, as a means of on-boarding guest users through a loyalty application.

    In the captive portal, set Access Type to Registration, enable Frictionless Onboarding, and provide the Localization URL to trigger a one-time redirect on demand. The defined URL is triggered from a mobile application to derive location information from the wireless network so an application can be localized to a particular store or region.

    Note: If enabling this option, in the WLAN (using this captive-portal) configure the settings as follows:
    • Set authentication-type as 'MAC'.
    • Set registration-mode as 'device'.
    • Enable the 'External Controller' and 'Follow AAA' options.
    • Use the AAA Policy drop-down menu to specify the AAA policy.
    • In the AAA policy, ensure that the authentication server configuration points to the ExtremeGuest server.
  5. Set the following Social Media Authentication parameters to utilize a requesting client’s social media profile for captive portal registration:
    Facebook Select this option to register the requesting client’s guest user Facebook social media profile (collected from the social media server) on the device. Captive portal authentication then becomes a fallback mechanism to enforce guest registration through social authentication. This option is disabled by default.
    Google Select this option to register the requesting client’s guest user Google social media profile (collected from the social media server) on the device. Captive portal authentication then becomes a fallback mechanism to enforce guest registration through social authentication. This option is disabled by default.
  6. Select the checkbox to enable Bypass Captive Portal Detection capabilities.
    If enabled, captive portal detection requests are bypassed. This feature is disabled by default.
  7. Configure the following Client Settings to define client VLAN assignments, how long clients are allowed captive portal access, and when clients are timed out due to inactivity:
    RADIUS VLAN Assignment

    Select this option to enable client VLAN assignments using the RADIUS server. If, as part of the authentication process, the RADIUS server returns a client’s VLAN-ID in a RADIUS access-accept packet, and this feature is enabled, all client traffic is forwarded on the post authentication VLAN. If disabled, the RADIUS server’s VLAN assignment is ignored and the VLAN configuration defined within the WLAN configuration is used instead. This feature is disabled by default.

    Post Authentication VLAN ID When this option is selected, a specific VLAN is assigned to the client upon successful authentication. The available range is from 1 - 4,096.
    Client Access Time Use the spinner control to define the duration wireless clients are allowed access using the captive portal policy when there is no session time value defined for the RADIUS response. Set an interval from 10 - 10,800 minutes. The default interval is 1,440 minutes.
    Inactivity Timeout Use the drop-down menu to specify an interval in seconds (60 - 86,400) that, when exceeded, times out the session. The default is 10 minutes.
  8. Configure the following Loyalty App settings to allow administrators to detect and report a captive portal client’s usage of a selected (preferred) loyalty application:
    Enable Select this option to report a captive portal client’s loyalty application presence and store this information in the captive portal’s user database. The client’s loyalty application detection occurs on the access point to which the client is associated and allows a retail administrator to assess whether a captive portal client is using specific retail (loyalty) applications in their captive portal. This setting is enabled by default.
    App Name Use the drop-down menu to select an existing application to track for loyalty utilization by captive portal clients. This enables an administrator to assess whether patrons are accessing an application as expected in specific retail environments.
  9. To effectively host captive portal pages on an external web server, configure a set of allowed destination IP addresses for the captive portal. These allowed DNS destination IP addresses are called a whitelist.
    1. Select the DNS Whitelist checkbox to enable the Select DNS Whitelist field.
    2. Use the Select DNS Whitelist drop-down menu to view a list of existing DNS Whitelist policy entries, and to select a policy to be applied to the current captive portal policy.
      If no DNS Whitelist policy entries exist, you must create one. See Configuring DNS Whitelist Policies.
  10. Set the following Accounting parameters to define how accounting is conducted for clients entering and exiting the captive portal.
    Accounting is the method of collecting and sending security server information for billing, auditing and reporting user data, such as captive portal start and stop times, executed commands (such as PPP), number of packets and number of bytes. Accounting enables wireless network administrators to track the captive portal services users are consuming.
    Enable RADIUS Accounting Select this option to use an external RADIUS resource for AAA accounting. When selected, a AAA Policy field displays. This setting is disabled by default.
    Enable Syslog Accounting Select this option to log information about the use of remote access services by users using an external syslog resource. This information is of great assistance in partitioning local versus remote users. Remote user information can be archived to an external location for periodic network and user administration. This feature is disabled by default.
    Syslog Host When syslog accounting is enabled, use the drop-down menu to determine whether an IP address or Hostname is used as a syslog host. The IP address or hostname of an external server resource is required to route captive portal syslog events to that external destination. A hostname cannot contain an underscore.
    Syslog Port When syslog accounting is enabled, define the numerical syslog port used to route traffic with the external syslog server. The default port is 514.
  11. Set the following Data Limit parameter values to define a data limit for clients accessing the network using the restrictions of a captive portal:
    Limit Select this option to enable data limits for captive portal clients. Specify the maximum amount of data, in megabytes, allowed for each captive portal client. When a user reaches this threshold, from 1 to 102,400 megabytes, it triggers the specified action.
    Action When a captive portal client reaches its data usage limit, a specified log action is executed. Choose from one of the following:
    • Log Only — Logs the event
    • log-and-disconnect — Logs the event and disconnects the user

    When Log Only is selected, an entry is added to the log file whenever a captive portal client exceeds the data limit. When log-and-disconnect is selected, an entry is added to the log file when the data limit is exceeded and the client is disconnected from the captive portal.

  12. Set the Logout FQDN as the fully qualified domain name (FQDN) of the domain where the user is to be redirected after logging out of the captive portal.
    Example: logout.guest.com
  13. Configure the following Localization parameters to add a URL to trigger a one-time redirect on demand.
    The defined URL is triggered from a mobile application to derive location information from the wireless network so an application can be localized to a particular store or region.
    FQDN Provide the FQDN address (for example, local.guestaccess.com) used to obtain localization parameters for a client.
    Response Enter a response message (512-character maximum) directed back to the client for localization HTTP requests.
  14. Configure the Redirection Ports (Destination Port field) by entering destination ports for consideration when redirecting client connections. Separate the defined ports by using a comma or a dash to indicate a range.
    Standard ports 80 and 443 are always considered for client connections regardless of what is entered by the administrator.
  15. After you have completed configuring the settings, choose from the following actions:
    1. Select Revert to restore default settings.
      Note

      You cannot restore default settings after applying or saving changes.
    2. Select Apply to commit the configured settings.
      Note

      This does not permanently save the settings you configured. If you perform a Reload (warm reboot), applied settings will be lost.
    3. Select Save to commit and save the configured settings.
      Note

      If you do not select Apply or Save, the settings that you configured are not saved when you move away from the configuration window.
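
An added example, not Extreme Networks code: a Python check that audits a policy description against the limits and recommendations stated in the steps above, and expands a Redirection Ports entry the way step 14 describes. The dictionary field names and the sample policy are hypothetical; they are not WiNG CLI keywords.

```python
# Added example; field names are hypothetical, not WiNG CLI keywords.
import re

# Inclusive limits as stated on this page.
RANGES = {
    "hosting_vlan": (0, 4096),
    "simultaneous_users": (1, 8192),
    "post_auth_vlan": (1, 4096),
    "client_access_minutes": (10, 10800),
    "inactivity_timeout_seconds": (60, 86400),
    "data_limit_mb": (1, 102400),
}

def parse_redirect_ports(spec):
    """Expand '8080,9000-9002' to a sorted port list; 80 and 443 always apply."""
    ports = {80, 443}
    for part in filter(None, (p.strip() for p in spec.split(","))):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad port entry: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:  # valid TCP port numbers
            raise ValueError(f"port out of range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def audit_policy(p):
    """Return a list of findings for one captive portal policy dict."""
    findings = []
    if len(p.get("name", "")) > 32:
        findings.append("name exceeds 32 characters")
    for key, (lo, hi) in RANGES.items():
        if key in p and not lo <= p[key] <= hi:
            findings.append(f"{key}={p[key]} outside {lo}-{hi}")
    if p.get("connection_mode", "HTTP").upper() != "HTTPS":
        findings.append("connection mode is HTTP (the default); HTTPS is recommended")
    if p.get("access_type") == "No authentication required":
        findings.append("guests reach the Welcome page without authentication")
    if "_" in p.get("syslog_host", ""):
        findings.append("syslog host contains an underscore")
    if len(p.get("localization_response", "")) > 512:
        findings.append("localization response exceeds 512 characters")
    return findings

# Constructed sample policy for illustration only.
SAMPLE = {"name": "guest-lobby", "connection_mode": "HTTP", "redirect_ports": "8080, 9000-9002",
          "inactivity_timeout_seconds": 30, "syslog_host": "log_srv.example.com"}
if __name__ == "__main__":
    print(parse_redirect_ports(SAMPLE["redirect_ports"]), *audit_policy(SAMPLE), sep="\n")
```

A policy that leaves Connection Mode unset is reported as HTTP because that is the default stated in step 2.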