Configuring External Captive Portal Network

To configure an External Captive Portal network:
  1. Go to Configure > Networks > WLANS > Add.
  2. Configure the following parameters:
    Table 1. External Captive Portal Settings
    Field: Description
    Network Name: Enter a unique, user-friendly value that makes sense for your business. Example: Staff
    SSID: Enter a character string to identify the wireless network. Maximum 32 characters. Upper and lowercase allowed. Example: PermanentStaff
    Status: Enable or disable the network service. Disabling the network service shuts off the service but does not delete it.
    Auth Type: Define the authorization type. Valid values are:
    • Open — Anyone is authorized to use the network. This authorization type has no encryption. The Default Auth role is the only supported policy role.
    • WEP — Static Wired Equivalent Privacy (WEP) offers keys for a selected network that match the WEP mechanism used on the rest of the network. Each AP can participate in up to 50 networks. Specify one WEP key per network. This option is offered to support legacy APs.
    • WPA2 with PSK — Network access is allowed to any client that knows the pre-shared key (PSK). All data between the client and the AP is AES encrypted using the shared secret. Privacy is based on the IEEE standard, and privacy settings are editable. If MAC-based authentication (MBA) is enabled, you can assign different roles to different devices with a PSK because MBA distinguishes between different devices. If MBA is not enabled, then devices with a PSK use the Default Auth role only.
    • WPA2 Enterprise w/ RADIUS — Supports 802.1X authentication with a RADIUS server, using AES encryption. This method can be used with client certificate-based authentication (EAP-TLS). All 802.1X protocols are supported.
      Note: Captive Portal is not supported when using WPA2 Enterprise w/ RADIUS. An exception is Centralized Web Authentication (CWA). CWA captive portal supports WPA2 Enterprise w/ RADIUS.

      Privacy Settings

      Protected Management Frames (PMF) — Management frames are the signaling packets used in the 802.11 wireless standard to allow a device to negotiate with an AP. PMF adds an integrity check to control packets being sent between the client and the access point. Valid values are:
      • Enabled. Supports PMF format but does not require it.
      • Disabled. Does not address PMF format. Clients connect regardless of format.
      • Required. Requires that all devices use PMF format. This could result in older devices not connecting.
    • WPA3-Personal — 128-bit encryption.
      • AP3xx running ExtremeWireless WiNG 7.3x and later.
      • AP4xx running ExtremeWireless WiNG 7.3x and later.
      • AP5xx running ExtremeWireless WiNG 7.2x and later.
      WPA3 uses a pre-shared key (PSK) and Simultaneous Authentication of Equals (SAE) or Hash-to-Element (H2E). WPA3 offers an augmented handshake and protection against future password compromises.
    • WPA3-Compatibility — Option for mixed deployments of 802.11ax APs and older AP models. For use when WPA2 and WPA3 are configured on the same network. Clients that support either WPA3 Personal or WPA2 Personal can connect to this network at the same time and on the same SSID. If you are unsure which method your device supports, use WPA3-Compatibility.
      Note: When a device is assigned to a 6 GHz radio, only WPA3 Personal is assigned.

    For more information, see the ExtremeCloud IQ Controller User Guide or Online Help.

    Enable Captive Portal: Check this option to enable captive portal support on the network service.
    Captive Portal Type: Select External as the Captive Portal Type.
    ECP URL: URL address for the external captive portal.
    Walled Garden Rules: Select Walled Garden Rules to configure policy rules for the external captive portal.
    Identity: Determines the name common to both the ExtremeCloud IQ Controller and the external Web server if you want to encrypt the information passed between the ExtremeCloud IQ Controller and the external Web server. Required for signing the redirected URL. If you do not configure the Identity, the redirector on the AP drops the traffic.
    Shared Secret: The password that is used to validate the connection between the client and the RADIUS server.
    Use HTTPS for connection: Indicates that the connection will be secure with HTTPS.
    Send Successful Login To: Indicates the destination of the authenticated user. Valid values are:
    • Original Destination. The destination of the original request.
    • Custom URL. Provide the URL address.
    MAC-based authentication (MBA): Check this option to enable MBA.
  3. Select Save.

Next, edit the configuration profiles in each device group, specifying the External Captive Portal network.
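
The constraints stated in Table 1 can be checked against a planned set of values before they are entered in the UI. The following Python check is an added example, not code from ExtremeCloud IQ Controller or its documentation; the dictionary keys, the severity labels and the sample values are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

def check_ecp_network(cfg):
    """Return (severity, field, message) findings for a planned ECP network.

    The dict keys are hypothetical names for the Table 1 fields, not a controller API.
    """
    out = []
    if not 1 <= len(cfg.get("ssid", "")) <= 32:
        out.append(("error", "ssid", "SSID must be 1 to 32 characters"))
    auth = cfg.get("auth_type", "")
    if auth == "Open":
        out.append(("warn", "auth_type", "Open has no encryption"))
    elif auth == "WEP":
        out.append(("warn", "auth_type", "WEP is offered only to support legacy APs"))
    elif auth == "WPA2 Enterprise w/ RADIUS":
        out.append(("error", "auth_type",
                    "captive portal is not supported with this type (CWA excepted)"))
    # Privacy settings: a missing PMF value is treated here as Disabled (assumption).
    if auth.startswith("WPA2") and cfg.get("pmf", "Disabled") == "Disabled":
        out.append(("warn", "pmf", "no integrity check on management frames"))
    if cfg.get("captive_portal_type") != "External":
        out.append(("error", "captive_portal_type", "select External"))
    url = urlsplit(cfg.get("ecp_url", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        out.append(("error", "ecp_url", "ECP URL must be an absolute http(s) URL"))
    if not cfg.get("use_https"):
        out.append(("warn", "use_https", "connection is not secured with HTTPS"))
    if not cfg.get("identity"):
        out.append(("error", "identity", "no Identity: the AP redirector drops the traffic"))
    if cfg.get("login_redirect") == "Custom URL" and not cfg.get("custom_url"):
        out.append(("error", "custom_url", "Custom URL selected but no URL provided"))
    return out

# Constructed sample inputs (placeholders, not real deployment values).
GOOD = {"ssid": "PermanentStaff", "auth_type": "WPA2 with PSK", "pmf": "Enabled",
        "captive_portal_type": "External", "ecp_url": "https://portal.example.com/login",
        "use_https": True, "identity": "ecp-identity-placeholder",
        "login_redirect": "Original Destination"}
BAD = {"ssid": "x" * 33, "auth_type": "Open", "captive_portal_type": "External",
       "ecp_url": "portal.example.com", "use_https": False, "identity": "",
       "login_redirect": "Custom URL"}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ecp_network(cfg) or "no findings")
```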