Configuring an External Captive Portal Network

To configure an External Captive Portal network:

  1. Go to Configure > Networks > WLANs > Add and configure the following parameters:
    Network Name: Guest
    SSID: Guest
    Auth Type: Open
    Enable Captive Portal: Check this option and specify the following parameters:
    Captive Portal Type: External
    ECP URL: (http/https)://nac1.extremenetworks.com

    FQDN should be resolvable by connecting end systems via DNS.

    Note

    Walled Garden rules are not required for this network. Enabling a captive portal on the network automatically creates rules allowing DNS and DHCP, as well as redirection rules. However, if users are unable to connect to the network, consider creating specific DNS and DHCP Allow rules as a Walled Garden configuration.

    When you enable Captive Portal on a WLAN, ExtremeCloud IQ Controller automatically builds the role and redirect rules required for captive portal based on the Network Name configured in the WLAN.

    Identity/Shared Secret: Not required when integrating with Extreme Control.

    Used when building a back-end captive portal server to integrate with the system. ExtremeCloud IQ Controller sends the Identity/Shared Secret and receives a response token.

    Use HTTPS: Select this option if you want ExtremeCloud IQ Controller to attempt to redirect SSL traffic.

    Best Practice: Use https:// in the ECP URL and de-select this option.

    Send Successful Login To: Original Destination. Or, enter the redirection URL here.
    MAC-based authentication (MBA): Enable and configure the following parameters:
    MBA Timeout Role: Enterprise User
    AAA Policy: Local Onboarding
    Traffic passes through the internal Network Access Control engine, which is configured to proxy traffic to the ExtremeCloud IQ Site Engine server control engines.
    Note

    It is possible to authenticate directly to the AAA RADIUS server. Refer to the ExtremeCloud IQ Controller User Guide for information about AAA RADIUS Authentication.
    Authentication Method: Proxy RADIUS
    Primary RADIUS: IP address of the Access Control Engine.

    Configure a primary and backup if you have more than one Access Control Engine.

    Authenticate Locally for MAC: Must be Disabled for external captive portal on the NAC server.
    Default Auth Role: Enterprise User
    Default VLAN: Bridged at AP Untagged
  2. Select Advanced and configure the following parameters:
    RADIUS Accounting: Enabled
    Pre-authenticated idle timeout: 300 seconds (default value)
    Post-authenticated idle timeout: 1800 seconds (default value)
    Maximum session timeout: 0 seconds (default value)

    End-systems are re-authenticated on ExtremeCloud IQ Controller, not from the ExtremeCloud IQ Site Engine Access Control Engine. Therefore, ExtremeCloud IQ Controller ignores ExtremeCloud IQ Site Engine re-authentication requests to modify filter-ids (policies). Modification of these timeout values initiates re-authentication from the ExtremeCloud IQ Controller to the ExtremeCloud IQ Site Engine Access Control Engine, resulting in modification of the policy/filter-id as expected.

    Note

    There may be a delay or network interruption on policy changes. Adjust the timeout values if you do not see a timely policy change or if you experience network interruptions during the connection attempts from clients.
    Network Settings on Controller
  3. Select Save to save the WLAN settings.
    You can assign the Network to device group configuration Profiles now or later.
  4. Select Yes to assign the WLAN to desired device groups or SKIP to assign them later.
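
A pre-flight check for the ECP URL and Use HTTPS settings from step 1, written for this page as an added example (it is not Extreme Networks code). The function name `check_ecp_settings` and its parameters are assumptions; it checks the https:// best practice and that the host is an FQDN that resolves via DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def check_ecp_settings(ecp_url, use_https_option, resolve=socket.getaddrinfo):
    """Return a list of findings for the ECP URL and the Use HTTPS option.

    resolve is injectable so the check can run against a stub; for a real
    check, run it from a host that uses the same DNS servers as the guest
    end systems.
    """
    parts = urlsplit(ecp_url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return [f"ECP URL is not a valid http(s) URL: {ecp_url!r}"]

    findings = []
    # Best practice on this page: https:// in the ECP URL, Use HTTPS de-selected.
    if parts.scheme != "https":
        findings.append("ECP URL uses http://; the portal page is served in clear text")
    if use_https_option:
        findings.append("Use HTTPS is selected; best practice is to de-select it")

    # The page expects an FQDN that connecting end systems can resolve via DNS.
    try:
        ipaddress.ip_address(host)
        findings.append("ECP URL host is an IP literal, not an FQDN")
        return findings
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    try:
        resolve(host, parts.port or (443 if parts.scheme == "https" else 80))
    except socket.gaierror as exc:
        findings.append(f"{host} does not resolve: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed input: the ECP URL shown in step 1 with Use HTTPS de-selected.
    for finding in check_ecp_settings("https://nac1.extremenetworks.com", False) or ["OK"]:
        print(finding)
```

An empty list means the settings match the page's best practice and the host name resolved from where the script ran.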