Case 1: When a RADIUS Server Authenticates the Client

In this scenario, the ExtremeCloud IQ Controller redirection response includes the following:

• ExtremeCloud IQ Controller port and IP address or FQDN. The ECP can then cache this information and use it later to compose its redirection response.
• The token and WLAN ID.
• A user name and password that can be treated as the user‘s RADIUS credentials. These credentials must satisfy the standard requirements for RADIUS User-Name and User-Password attributes.

In order to trigger RADIUS authentication, the redirection response must not be signed.

If the appliance is configured to redirect successfully authenticated clients to their original destination, then the ECP must include in its redirection response, the “dest” parameter that was included in the appliance‘s redirection response.

The syntax of an unsigned ECP redirect to the appliance is:

[http | https]://<controller-IP-address-or-FQDN>{: <port>}/ext_approval.php?token=<token>&wlan=<wlanid>&username=<userid>&password=<password>{&dest=<dest>}

Where

• {…} denotes an optional component of the URL.
• [http | https] is either “http” or “https” depending on how the WLAN service‘s captive portal is configured.
• :// is the literal string.
• <controller-IP-address-or-FQDN> is the appliance‘s IP address or Fully Qualified Domain Name. Since the appliance receives the redirect at the default HTTP or HTTPS port it does not need to be included in the redirect.
• {: <port>} is a literal colon, followed by the appliance port to which the client is redirected. The port is optional. Only include it if the port is not port 80 or port 443.
• /ext_approval.php is the literal string. It is the name of the script that is invoked on the appliance when the redirect is received there.
• <token> is the token taken from the redirect to the ECP.
• <wlanid> is the numeric identifier for the client‘s WLAN Service as taken from the appliance‘s redirect to the ECP.
• <userid> is the user name the appliance to sends to the RADIUS server to authenticate this user.
• <password> is the password associated with the given user ID.
• <dest> is the original destination the client was trying to reach, as reported in the appliance‘s redirect to the ECP.

The order of the parameters in the query string is not important.

Examples of the redirection from the ECP to the appliance expressed as a URL are:

https://10.21.15.42/ext_approval.php?token= OakRQ7uFYOH5E8dVD4PgvQ!!&wlan=1&username=argon32&password=6Z*_aL40q!&dest=www.google.com

or

http://10.21.15.42/ext_approval.php?token= OakRQ7uFYOH5E8dVD4PgvQ!!&wlan=1&username=argon32&password=6Z*_aL40q!

The parameters in the redirection response are summarized in the table below.

Table 1. Parameters in the Redirection to ExtremeCloud IQ Controller, using RADIUS authentication

Parameter Name	Parameter Value	Mandatory	Notes
wlan	Numeric String	Yes	An identifier for the WLAN Service that the client is using to access the network.
username	Alphanumeric String	Yes	The user ID is mandatory even if the URL is signed. It is used to identify the client in reports and accounting messages, even if it is not used to authenticate the client.
password	Alphanumeric String	Yes	The password is mandatory if the client is to be authenticated using RADIUS. It must be the password that the authenticating RADIUS server associates with the user ID.
dest	URL	Conditional	The dest parameter is required only if the appliance is configured to redirect the client to its original destination. The appliance directs the client‘s browser to an error page if it is configured to redirect to the original destination and the dest parameter is not returned to the appliance.