FF-ECP on ExtremeCloud IQ Controller

The following numbered list corresponds to the numbers illustrated in Firewall Friendly ECP Event Flow with ExtremeCloud IQ Controller.

1.0 - When the user sends HTTP traffic, ExtremeCloud IQ Controller spoofs the destination web server.

1.1 - Traffic is redirected to the ECP. ExtremeCloud IQ Controller tells the client's browser that the resource it is requesting has temporarily been moved to another server (the ECP).

ExtremeCloud IQ Controller adds parameters to the redirection, for example the user's MAC address, the BSSID, the AP location, and the AP Ethernet MAC. All available parameters are encoded into the URL request. The client's browser typically follows the redirection automatically, so the request that reaches the ECP carries the query parameters added by ExtremeCloud IQ Controller.

1.2 - Because the ECP is located on a third-party server, the user's request must be forwarded through the enterprise firewall. Most companies allow requests for port 80 to pass through the firewall. Typically, the firewall also serves as a Network Address Translation (NAT) device. The NAT records the state of the connection, replaces the IP address in the request, and forwards it to the ECP.

When the ECP receives the redirected request, it typically replies with a web page. The client's browser sends subsequent requests to the ECP to retrieve additional content needed to render the page. If NAT is present, and the firewall allows it, the client establishes a direct connection with the ECP web server, which serves the user experience and any necessary transactions related to the captive portal experience (including login, credentials collection, and validation).

ExtremeCloud IQ Controller is not involved in this interaction, except to forward traffic between the ECP and the client. The interaction can be as simple or complex as necessary (represented by the box labeled seq ECP Authentication).

1.3 - The ECP changes the client's authentication state and role. Once the server completes the captive portal workflow, the server responds to the client, instructing the client to redirect to ExtremeCloud IQ Controller. The status of the ECP authentication (and possibly credentials needed to have ExtremeCloud IQ Controller perform final authentication of the registering client) are encoded within the response message. You can display a set of terms and conditions on the ECP web page that the user must accept before a more liberal access control role is assigned.

1.4 - The client's browser usually follows the redirection URI automatically. Assuming the URI passes basic validation, the flow proceeds in one of two ways: If the URI contains a signature (secure hash) and the hash is verified by ExtremeCloud IQ Controller, the appliance accepts the user as authenticated. If the URI contains the name of an access control role defined on ExtremeCloud IQ Controller, it applies that role to all traffic that the client sends subsequently.

1.5 and 1.6 - If the URI is unsigned and contains a user name and password, then ExtremeCloud IQ Controller attempts to authenticate the user against a RADIUS server. The WLAN Service that redirects to the ECP must have at least one RADIUS server configured for authentication or an error is reported.
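The following is an added illustration of the decision described in steps 1.4 to 1.6, not code from Extreme Networks: a model of how a controller can classify the ECP return URI into the signed path, the RADIUS path, or a rejection. The shared secret, the HMAC-SHA256 signing scheme over the sorted query parameters, the parameter names (`sig`, `role`, `username`, `password`), and the rule that a role name is honored only from a signed URI are all assumptions of this example, since the page does not describe the product's actual signing format.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed shared secret between the ECP and the controller (assumption:
# the real product's key provisioning and signing scheme are not described here).
SHARED_SECRET = b"example-shared-secret"
# Access control roles assumed to be defined on the controller.
KNOWN_ROLES = {"Authorized", "Guest"}


def _canonical(params: dict) -> bytes:
    """Canonical form that both sides sign: sorted, URL-encoded query string."""
    return urlencode(sorted(params.items())).encode()


def sign_query(params: dict) -> str:
    """ECP side (step 1.3): build the return query with an HMAC appended as 'sig'."""
    sig = hmac.new(SHARED_SECRET, _canonical(params), hashlib.sha256).hexdigest()
    return urlencode(sorted(params.items()) + [("sig", sig)])


def decide(return_uri: str) -> dict:
    """Controller side (steps 1.4 to 1.6): classify the redirect the client followed."""
    params = dict(parse_qsl(urlsplit(return_uri).query, keep_blank_values=True))
    sig = params.pop("sig", None)
    if sig is not None:
        expected = hmac.new(SHARED_SECRET, _canonical(params), hashlib.sha256).hexdigest()
        # Constant-time compare so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, sig):
            return {"outcome": "reject", "reason": "bad signature"}
        # A role name is only honored after the signature has been verified, and
        # only if the controller actually defines that role.
        role = params.get("role", "Authorized")
        if role not in KNOWN_ROLES:
            return {"outcome": "reject", "reason": "unknown role"}
        return {"outcome": "authenticated", "role": role}
    # Unsigned URI with credentials: the controller must ask a RADIUS server (1.5/1.6).
    if "username" in params and "password" in params:
        return {"outcome": "radius", "username": params["username"]}
    # Unsigned URI with no credentials carries nothing the controller can trust.
    return {"outcome": "reject", "reason": "no usable parameters"}
```

The `radius` outcome only marks where the RADIUS exchange begins; the role returned by the server, or the network's Authorized role, is applied after that exchange succeeds.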

(Optional) If the ECP returns the credentials of the registered client (with the expectation that the appliance will perform final user authentication based on those parameters), the administrator can configure ExtremeCloud IQ Controller with the address and the shared secret of at least one RADIUS authentication server. Instructions on how to configure a RADIUS server for a network using captive portal authentication are documented in the ExtremeCloud IQ Controller User Guide located in the Extreme Networks product documentation portal.

The response from the RADIUS server may also contain attributes, such as the maximum session duration, the VLAN to which the client's traffic is assigned, and the name of an access control role to apply to the traffic the client sends subsequently. If the attributes in the response are valid, ExtremeCloud IQ Controller applies them to the user session.

If no specific role is returned by the RADIUS server, then ExtremeCloud IQ Controller applies the Authorized role that is defined in the network configuration.

Once the user is authenticated, the client is assigned to a new role that does not redirect its HTTP traffic to the ECP. The client's assigned role is enforced, and access is granted or restricted based on the rules defined in the Policy role. Because this is a function of the role assigned to the client, it is up to the ExtremeCloud IQ Controller administrator to define the authenticated role appropriately. The administrator can configure ExtremeCloud IQ Controller to steer the client back to the initially intended URL, or to redirect the client to a specific URL.

1.7 - Assuming the client is authenticated, it has internet access to the extent allowed by the authenticated role to which it is assigned.