To configure a device-based captive web portal, you must create a wireless network
SSID with Enterprise
802.1X access security, enable the use of a captive web portal, and
then select Captive Web
Portal on the Add a Wireless
Network screen.
This task is part of creating or editing a network policy. Use this task to configure
a device-based captive web portal (CWP). To join the SSID, users enter a user name
and password, which are checked against a RADIUS server. When they open a web
browser, the captive web portal is displayed and includes a Use Policy Acceptance
(UPA) page. When the user agrees to the UPA, the AP allows them to access the rest
of the network as determined by settings in the user profile applied to them.
-
Enter a CWP name.
-
Select Customize and Preview to see a preview of the
captive web portal profile.
-
Select Customize
to modify the landing page colors, logo, language, and message text.
-
Select SAVE CONFIGURATION.
-
Enable or disable the Success Page.
-
Select Customization and
Preview to view the enabled Success Page.
-
Select Customize
to modify the landing page colors, logo, language, and message text.
-
Select SAVE
CONFIGURATION.
-
Enable or disable Success Page > Redirect clients after a successful
login attempt.
When enabled, successful
clients are sent to either the initial page or to a specified URL.
-
Enter the Default Language.
-
Select any additional languages you intend to support.
-
Select the check box for Display session timer alert before session
expires to display the session timer in the client's
browser.
The timer shows the registered
client's login status, time remaining in the session, and elapsed time. You can
choose to display the timer alert 5, 15, or 30 minutes before the session
expires.
-
Enable Network Settings Use default settings to use the
default IP address and netmask for the interface hosting the SSID with the
captive web portal, or an admin-defined IP address and netmask.
-
Select Customize to enter an IP address and
netmask for each of the interfaces.
You can use IPv4 or IPv6 addresses.
-
Enable Use external servers to forward DHCP and DNS
traffic from unregistered clients to external servers on the network.
When enabled, unregistered and
registered clients must be assigned to the same VLAN.
-
Select Override the VLAN ID used during
registration and choose a previously defined VLAN ID
from the drop-down list to assign to clients before and during the
registration process.
-
You can also select the plus sign to add a new VLAN ID.
-
Enter the name and VLAN ID.
-
Select SAVE VLAN.
-
Select Use Extreme Network Devices to forward DHCP and
DNS traffic from unregistered clients to internal servers on the AP hosting the
CWP.
When enabled, unregistered and
registered clients can be assigned to the same VLAN or to different VLANs
because unregistered clients use DHCP and DNS servers on the AP, and registered
clients use servers on the network.
Note
When the client of a previously
unregistered guest first associates with the Guest Access SSID, the AP acts
as a DHCP server, DNS server, and web server. The client‘s network access is
limited to only the AP with which it associated and the client browser is
redirected to a registration page. After the guest registers, the AP stores
the client‘s MAC address as a registered client and allows the guest to
access external servers.
-
Set the length of the DHCP lease assigned to the quarantined client of
an unregistered guest.
DHCP clients typically
renew at the midpoint of the lease. After the client successfully
registers, the AP allows the next DHCP lease request to pass to an
external DHCP server. Keeping the lease short allows the client to
obtain new network settings very soon after registering.
-
From the drop-down list, choose how you want the AP to respond to a
DHCP lease renewal request for a nonexistent lease.
- Renew-NAK-Broadcast: By default, the AP
responds by broadcasting DHCPNAK messages. Choosing either this
option or the unicast DHCPNAK option can accelerate the
transition to an external DHCP server on the network, or back to
a quarantined address after the client logs out or the session
times out.
- Renew-NAK-Unicast: Choose to have the AP
respond by sending unicast DHCPNAK messages. Sending unicast
messages can reduce traffic on the network; however,
broadcasting the DHCPNAK is safer in environments where there is
a large and uncontrollable variety of clients.
- Keep Silent: Choose to have the AP ignore
the renewal request completely and enable the external DHCP
server to respond. With this approach, the transition between
DHCP servers can be slightly longer.
-
For Web Servers Registration Period, set the length of
time that a registered client with an active session remains registered.
If the client closes one
session and later starts a new one while the AP still has a roaming cache entry
for that client (one hour by default), the client does not have to register with
the captive web portal again. If the client closes a session and starts a new
session after the roaming cache entry has been removed, the client must complete
the registration process again, even if the new session begins within the
registration period.
-
For Web Servers Domain Name, enter the same domain name
as the CN (common name) value in the server certificate that the CWP uses for
HTTPS.
The domain name must be a valid
domain name that a DNS server can resolve to the IP address of the interface
hosting the CWP. This option allows you to use a server certificate from a CA
that supports domain names as CNs, but not IP addresses.
Note
If the CN has a wildcard
domain name that can match multiple valid domain names, enter one of the
valid domain names instead of selecting
Override Web server
domain name with CN value in the certificate. For example,
if the CN is *.aerohive.com, then you can enter something like
cwp.aerohive.com in the Web Server Domain Name
field, and the clients' browsers will not show a security warning when they
make an HTTPS connection to the captive web portal.
-
Select Enable HTTP to enable HTTPS on the CWP
-
Select Default-CWPCert.pem for preloaded CWPs.
The AP hosting the CWP then
uses HTTPS to secure traffic between the client and its CWP server. The
certificate file must have the following properties:
- The file format must be
PEM (Privacy Enhanced Mail).
- It must contain a server
private key stored in an unencrypted format.
- It must contain a server
certificate concatenated to the private key.
-
For Client Redirection, select Use HTTP
302 to redirect code as the redirection method instead of
JavaScript.
This option is useful for
clients accessing the network with mobile browsers.
-
Select Introduce a delay before redirecting after a successful login
attempt to determine how long the CWP displays the Success page
before initiating the redirection.
-
Select Introduce a delay before redirecting after a failed login
attempt to determine how long the CWP displays the failure page
before initiating the redirection.
Note
This redirection differs
from that in the
Captive Web Portal Failure Page Settings section, which the
AP applies after a failed log in attempt.
-
Select Prevent the Apple CNA (Captive Network Assistant) application
from requesting credentials to bypass the Apple CNA application
for redirect actions.
-
To create a walled garden, select the plus sign.
-
In the Service Type box, select one of the
following:
- Web: Permit client access only to the World
Wide Web.
- All: Permit client access to the World Wide Web
and all other servers.
- Advanced: Permit client access only to the
admin-defined IP object or host name.
-
If you selected
Web or All, then
paste IP addresses or host names separated by commas into the Service
Type text box.
-
If you selected Advanced, then enter or select
the following:
- IP Object/Host Name: Enter an IP object
or host name of the external web server. Choose a
previously-defined IP address or host name from the drop-down
list, enter a new IP address or domain name, or select the plus
sign and define a new one.
- Service: Choose
Web to permit HTTP and HTTPS traffic
from unregistered clients to the external web server, choose
All to permit all types of traffic,
or choose Protocol, enter a protocol
number (from 0 to 255), and a port number to define the type of
service you want to permit.
-
Select Add.
Your changes appear in
the Walled Garden table.
-
To remove a rule, select the check box next to the rule ID and select
Remove.
-
Select Save CWP.
Return to the Wireless Network screen to complete the network policy
configuration.