If the ECP makes the final authentication and authorization decision, it must sign the redirection response it sends to the client‘s browser. If it signs the redirection, it can include options that the appliance applies to the authorized client‘s session, including an access control role and the maximum duration for the client‘s session. Parameters Available on the Redirection URL from ExtremeCloud IQ Controller to the ECP lists all the parameters that can appear in a signed redirection response from the ECP, and which of them are mandatory in this case.
The syntax of an unsigned ECP redirect to the appliance is:
[http | https]://<controller-IP-address-or-FQDN>{: <port>}/ext_approval.php?token=<token>&wlan=<wlanid>&username=<userid>{&dest=<dest>}{&role=<rolename>}{&opt27=<max-seconds-duration>}&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<Scoped-Credential>&X-Amz-Date=<YYYYMMDDThhmmssZ>&X-Amz-Expires=<duration>&X-Amz-SignedHeaders=host&X-Amz-Signature=<signature>
Where
The order of the parameters in the query string is not important.
The following is an example of a signed redirection response that assigns the user to a role called “Guest_Access” and limits the session duration to 10 hours:
https://10.10.21.6/ext_approval.php?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=BigAuthInc%2F20140729%2Fworld%2Fecp%2Faws4_request&X-Amz-Date=20140729T153754Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host&dest=http%3A%2F%2F1.2.3.4%2Fnews.com&opt27=36000&role=Guest_Access&token=T7vb1LdUZmsuY0q9V60Iww%21%21&username=test&wlan=1&X-Amz-Signature=48389399c4b9e237ff64bbbd203a9abe272b8df513dff1eae8202df82ceb2c34
| Parameter Name | Parameter Value | Mandatory | Notes |
|---|---|---|---|
| dest | URL | Conditional | The <dest> parameter is required only if the appliance is configured to redirect the client to its original destination. The appliance directs the client‘s browser to an error page if it is configured to redirect to the original destination and the <dest> parameter is not returned to the appliance. |
| opt27 In the RADIUS protocol option number 27 is the Session-Timeout attribute. |
Base 10 Number | No | The maximum amount of time, in seconds, that the current session can last before being terminated. If not specified, the default for the WLAN Service is applied to the authenticated client. |
| role | Alphanumeric String | No | The name of an access control role defined on ExtremeCloud IQ Controller. The appliance applies this role to the remainder of the authorized client‘s session. If a role parameter is not provided, the appliance uses the default authenticated role of the VNS that the authenticated client is accessing. |
| token | Alpha-numeric String | Yes | An identifier for the user‘s wireless session hosted on the appliance that performed the redirection. |
| username | Alpha-numeric String | Yes | The user name is mandatory even if the URL is signed. It is used to identify the client in reports and accounting messages, even if it is not used to authenticate the client. |
| wlan | Numeric String | Yes | An identifier for the WLAN Service that the client is using to access the network. |
| X-Amz-Algorithm | Alpha-numeric string | Yes | The identifier for the algorithm used to compute the “X-Amz-Signature”. This attribute must be present when the ECP is acting as the final authorizing authority. The value of this attribute is “AWS4-HMAC-SHA256” and is not configurable. The signing algorithm and the role of the identifier in it are covered in more detail in section Verify the Signed Request. |
| X-Amz-Credential | Alpha-numeric string | Yes | The identifier for the account whose shared secret was used to compute the “X-Amz-Signature”. Mandatory if the ECP signs the redirection response in order to act as the final authorizing authority. The credential has the format:<identity>/<YYYYMMDD>/world/ecp/aws4_request where:
|
| X-Amz-Date | Alpha-numeric string | Yes | This is the
date and time at which the appliance prepared and sent the redirection back to
the user‘s browser. The date and time are in ASCII-encoded UTC and has the
format:YYYYMMDDThhmmssZ This attribute must be present if the ECP signs the redirection response to indicate that it is the final authorizing authority. |
| X-Amz-Expires | Numeric String | Yes | This is the
maximum length of time in seconds that the appliance should trust the
redirection response. In other words a signed redirection response from the ECP
will be treated as valid only until X-Amz-Date + X-Amz-Expires. This attribute is mandatory if the ECP signs the redirection response. |
| X-Amz-Signature | ASCII-encoded hex string | Yes | This is the signature computed over some of the HTTP headers and parts of the query string, presented as ASCII encoded-hex. The field must be present if the ECP signs the request in order to act as the final authorizing authority. |
| X-Amz-SignedHeaders | Alpha-numeric String | Yes | Which of the
headers in the HTTP request were included in the input to the calculation of
the signature. This is present only when the appliance is configured sign the redirection to the ECP, in which case it must be present. |