configuring ExtremeGuest captive portal

This section documents the basic configurations required to deploy an ExtremeGuest (EGuest) setup. A typical EGuest deployment consists of the EGuest server, EGuest captive-portal database, and NOC adopting the access points. The EGuest server and database can be hosted only on the VX9000 platform.

In the following example, the EGuest server and database are hosted on the same device.

On the EGuest server/database host,
1. enable the EGuest daemon. When enabled, the EGuest server is up and running.
```
EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#eguest-server
```
2. apply a database-policy to enable the EGuest database.
```
EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#use database-policy default
```
3. configure the NTP server. This is to ensure time synchronization across replica-set members (this is mandatory in replica-set deployments and should be configured either on the replica-set members‘ device or profile context).
```
EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#ntp server time.nist.govt
```
On the NOC,
1. create an AAA policy with the following configurations:
  - Configure the EGuest server (configured in Step 1) as the authentication and accounting RADIUS server.
```
NOC(config-aaa-policy-EguestAAA)#authentication server 1 host EG-Server secret 0 extreme123
```
```
NOC(config-aaa-policy-EguestAAA)#accounting server 1 host EG-Server secret 0 extreme123
```
  - Configure the proxy-mode as ‘through-controller‘. When configured, all requests to the server are proxied through the NOC.
```
NOC(config-aaa-policy-EguestAAA)#authentication server 1 proxy-mode through-controller
```
```
NOC(config-aaa-policy-EguestAAA)#accounting server 1 proxy-mode through-controller
```
```
NOC(config-aaa-policy-EguestAAA)#show context
aaa-policy EguestAAA
accounting server 1 host EG-OnBServer secret 0 extreme123
accounting server 1 proxy-mode through-controller
authentication server 1 host EG-Server secret 0 extreme123
authentication server 1 proxy-mode through-controller
NOC(config-aaa-policy-EguestAAA)#
```
2. Create a DNS whitelist. Note, DNS whitelist configuration is required only if enabling OAuth on the EGuest captive-portal. When created and used on the EGuest captive-portal, the DNS whitelist renders social plugin buttons on the client prior to successful captive portal authentication.
  - Configure the following permit rules:
```
NOC(config-dns-whitelist-EguestDNS)#permit fbstatic-a.akamaihd.net
```
```
NOC(config-dns-whitelist-EguestDNS)#permit connect facebook.net
```
```
NOC(config-dns-whitelist-EguestDNS)#permit facebook.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit fbcdn.net suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit googleapis.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit google.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit googleusercontent.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit linkedin.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit static.licdn.com
```
```
NOC(config-dns-whitelist-EguestDNS)#permit twitter.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit twimg.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit instagramstatic-a.akamaihd.net
```
```
NOC(config-dns-whitelist-EguestDNS)#permit instagram.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit ssl.gstatic.com
```
```
NOC(config-dns-whitelist-EguestDNS)#permit extremenetworks.com suffix
```
```
NOC(config-dns-whitelist-EguestDNS)#permit local.extreme.com
```
3. Create a captive-portal with the following configurations:
  - Specify the captive-portal server.
```
NOC(config-captive-portal-EguestCP)#server host guest.extreme.com
```
  - Use the AAA policy created in Step 2 a.
```
NOC(config-captive-portal-EguestCP)#use aaa-policy EguestAAA
```
  - Enable social-media authentication. This setting is optional.
```
NOC(config-captive-portal-EguestCP)#oauth
```
  - Use the DNS whitelist created in Step 2 b. Note, the DNS whitelist is required only if enabling OAuth on the captive-portal.
```
NOC(config-captive-portal-EguestCP)#use dns-whitelist EguestDNS
```
  - Configure the captive portal's webpage location as advanced.
    Note
    Webpage-location should be ‘advanced‘ if using pages created with EGuest splash templates.
```
NOC(config-captive-portal-EguestCP)#webpage-location advanced
```
4. Create a WLAN policy with the following configurations:
  - Enable MAC authentication.
```
NOC(config-wlan-EguestWLAN)#authentication-type mac
```
  - Use the AAA policy created in Step 2 a.
```
NOC(config-wlan-EguestWLAN)#use aaa-policy EguestAAA
```
    Note
    When used, access points/controllers forward registration requests to the EGuest server specified in the AAA policy. However, ensure that the registration > external > follow-aaa option is configured on the WLAN. See below.
```
NOC(config-wlan-EguestWLAN)#registration external follow-aaa
```
    Note
    This enables the use of the Authentication and Accounting servers specified in the AAA policy applied on the WLAN.
  - Use the captive-portal created in Step 2 c.
```
NOC(config-wlan-EguestWLAN)#use captive-portal EguestCP
```
  - Enable captive-portal enforcement with fall-back.
```
NOC(config-wlan-EguestWLAN)#captive-portal-enforcement fall-back
```
  - Configure the following guest registration parameters:
```
NOC(config-wlan-EguestWLAN)#registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
```
    Note
    This is the RADIUS group assigned to registered users post authentication.
```
NOC(config-wlan-EguestWLAN)#show context
wlan EguestWLAN
ssid _EXTREME-GUEST-NRF2017
vlan 1
bridging-mode local
encryption-type none
authentication-type mac
no answer-broadcast-probes
no client-client-communication
wireless-client hold-time 300
use aaa-policy EguestAAA
use captive-portal EguestCP
captive-portal-enforcement fall-back
registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
registration external follow-aaa
mac-authentication cached-credentials
NOC(config-wlan-EguestWLAN)#
```
5. In the NOC‘s self context, configure the EGuest server.
```
NOC(config-device-74-67-F7-5C-64-4A)#eguest-server host 1 EG-Server https
```
In the Access Point‘s device or profile context, use the captive-portal configured in Step 2 c.
```
Eguest-AP(config-device-74-67-F7-5C-64-4A)#use captive-portal EguestCP
```
To view EGuest registration status and statistics, on the EGuest server, use the following commands:
```
EG-Server-DB#show eguest registration statistics
```
```
EG-Server-DB#show eguest registration status
```

To clear EGuest registration statistics, on the EGuest server, use the following command:

EG-Server-DB#clear eguest registration statistics

Following are the related commands:


AAA Policy	Documents AAA policy configuration mode commands
dns-whitelist	Documents DNS whitelist configuration mode commands
captive-portal	Documents captive portal configuration mode commands
wlan	Documents WLAN configuration mode commands
eguest-server (VX9000 only)	Documents the eguest-server command. When used in the EGuest server‘s device/profile context, without the ‘host‘ option, it enables the EGuest daemon. When used on the NOC along with the ‘host‘ option, it points to the EGuest server.