The Redirection URL Sent from ExtremeCloud IQ Controller

The request for the login page is in the form of an HTTP/HTTPS GET request. All the arguments to the request are passed as query strings appended to the URL. Typically, the web server or the back-end runtime system will parse the query strings and make them available to the back-end scripts.

The parameters described in Table 1 (Parameters Available on the Redirection URL from ExtremeCloud IQ Controller to the ECP) are included in the URL sent from ExtremeCloud IQ Controller. The following parameters must be included in the return statement to ExtremeCloud IQ Controller:
  • wlan
  • token
  • role
  • user name
  • password

Additional parameters are provided optionally for reporting purposes.

Table 1. Parameters Available on the Redirection URL from ExtremeCloud IQ Controller to the ECP
| Parameter Name | Parameter Value | Required | Notes |
|---|---|---|---|
| ap | | No | The AP Name to which the authenticating user has associated. |
| bssid | Alphanumeric String | No | The BSSID to which the authenticating client has associated. The BSSID is a MAC address belonging to the AP to which the client associated. The BSSID is in the format of six hex digits. The hex digits are “0123456789abcdef”. An example BSSID could be “00026fe9b568”. This is the same value that would be included in the Called-Station-ID field of a RADIUS Access-Request sent on behalf of this client. |
| ssid | A character string up to 32 bytes long | No | The SSID (Service Set Identifier) to which the client associated. ASCII-encoded hex string. |
| dest | Alphanumeric String | No | The original URL that the client's browser was trying to retrieve when the request was redirected. The string is URI-encoded. For example, slashes in the URL are replaced by “%2F”. |
| hwc_ip | Numeric String | No | The IP address to which clients should be redirected to complete authentication. Typically, an appliance ends up with many IP addresses, but only one of them will map to the WLAN service's ECP implementation. Note: This address may not be accessible directly by the ECP. However, it will be accessible to the client that is being authenticated. This attribute appears in the redirection response from the appliance. A sample hwc_ip address is “10.10.21.6”. |
| hwc_port | ASCII-encoded numeric string | No | The port on the appliance interface to which the client should be redirected. If ECP support is configured for HTTP then the hwc_port will be “80”, otherwise it will be “443”. This attribute appears in the redirection response from the appliance. |
| mac | ASCII-encoded hex string | No | The MAC address of the client that is being authenticated. A client could have multiple MAC addresses. This MAC address is the MAC address of the client's wireless interface that it used to associate to the wireless network. The client MAC address is in the format of six hex digits. The hex digits are “0123456789abcdef”. An example “mac” could be “0023149032a8”. This is the same value that would be included in the Calling-Station-ID field of a RADIUS Access-Request sent on behalf of this client. |
| role | Alphanumeric String | Yes | The name of the access control role to which the authenticating client is assigned at the moment of redirection. A best practice is to use the ExtremeCloud IQ Controller default roles. |
| sn | ASCII-encoded hex string | No | The serial number of the AP to which the client being authenticated associated. The serial number identifies the AP. It is assigned to the AP at manufacturing time. The serial number is a sequence of hex digits with the 'alphabetic' characters in lower case. “12b2694560000000” is an example of an AP serial number. |
| token | Alphanumeric String | Yes | An identifier for the user's wireless session hosted on the appliance that performed the redirection. |
| vlan | ASCII-encoded decimal number | No | The VLAN ID of the VLAN/topology to which the client is assigned at the moment of authentication. The VLAN ID is a number in the range 1 to 4094. The VLAN ID is the containment VLAN of the default action of the role to which the authenticating client is assigned. A role's default action does not have to be “Contain to VLAN”. If the default action is not “Contain to VLAN” then this attribute will be empty or not present. |
| vns | Alphanumeric String | No | The name of the Virtual Network Service (VNS) on which the client is authenticating. In ExtremeCloud IQ Controller, this value is treated as the ssid-name. |
| wlan | ASCII-encoded decimal string | Yes | An internal identifier for the WLAN service on which the client is authenticating. The wlan attribute must be present in all redirection responses (and redirected requests) sent by the appliance. The ECP must return the wlan attribute in the redirection back to the appliance that it sends to the authenticating client's browser. |
| X-Amz-Algorithm | Alphanumeric String | No | The identifier for the algorithm used to compute the “X-Amz-Signature”. Only present when the appliance is configured to sign the redirection, in which case it must be present. The value of this attribute is “AWS4-HMAC-SHA256” and is not configurable. The signing algorithm and the role of the identifier in it are covered in more detail in section Verify the Signed Request. |
| X-Amz-Credential | Alphanumeric String | No | The identifier for the account whose shared secret was used to compute the “X-Amz-Signature”. Only present when the appliance is configured to sign the redirection, in which case it must be present. This is covered in more detail in section Verify the Signed Request. |
| X-Amz-Date | Alphanumeric String | No | The time at which the appliance prepared and sent the redirection back to the user's browser. The date and time are in ASCII-encoded UTC. This attribute is present if a time stamp or a signature is requested. It can be used to identify stale or replayed URLs. If the appliance is configured to sign the request, this must be included in the redirection response (and the browser's redirected request). |
| X-Amz-Expires | Numeric String | No | The maximum length of time in seconds to trust the request. In other words, the web request is only good until X-Amz-Date + X-Amz-Expires. After that time the URL should not be trusted, as it is highly likely to have been replayed. This attribute is present only when the appliance is configured to sign the redirection to the ECP, in which case it must be present. |
| X-Amz-Signature | ASCII-encoded hex string | No | The signature computed over some of the HTTP headers and parts of the query string, presented as ASCII-encoded hex. The field is present only when the appliance is configured to sign the request. |
| X-Amz-SignedHeaders | Alphanumeric String | No | Which of the headers in the HTTP request were included in the input to the calculation of the signature. This is present only when the appliance is configured to sign the redirection to the ECP, in which case it must be present. |
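The following added example (not Extreme Networks code) shows how an ECP back-end script might parse the redirected request, validate the Table 1 fields, and reject a URL that is past X-Amz-Date + X-Amz-Expires. Assumptions: the function name, the sample URL and its values are constructed; X-Amz-Date is taken to use the usual AWS4 form `YYYYMMDDTHHMMSSZ`; mac and bssid are checked against the 12-character shape of the page's sample values. It checks presence and freshness only and does not verify X-Amz-Signature.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

REQUIRED = ("wlan", "token", "role")            # marked "Yes" in Table 1
SIGNING = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
           "X-Amz-Expires", "X-Amz-Signature", "X-Amz-SignedHeaders")
HEX12 = re.compile(r"[0-9a-f]{12}")             # shape of the sample mac/bssid values
DEC = re.compile(r"[0-9]+")

def parse_redirect(url, now, signing_expected=False):
    """Return (params, errors); an empty error list means the request is acceptable."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)  # also URI-decodes dest
    errors = [f"duplicate parameter: {k}" for k, v in qs.items() if len(v) > 1]
    p = {k: v[0] for k, v in qs.items()}
    errors += [f"missing required parameter: {k}" for k in REQUIRED if not p.get(k)]
    if p.get("wlan") and not DEC.fullmatch(p["wlan"]):
        errors.append("malformed wlan")
    for k in ("mac", "bssid"):
        if k in p and not HEX12.fullmatch(p[k]):
            errors.append(f"malformed {k}")
    # vlan may legitimately be empty or absent (default action is not "Contain to VLAN")
    if p.get("vlan") and not (DEC.fullmatch(p["vlan"]) and 1 <= int(p["vlan"]) <= 4094):
        errors.append("vlan out of range")
    if "hwc_port" in p and p["hwc_port"] not in ("80", "443"):
        errors.append("unexpected hwc_port")
    if signing_expected:                        # ECP is configured to expect signed URLs
        errors += [f"missing signing parameter: {k}" for k in SIGNING if k not in p]
    if p.get("X-Amz-Algorithm", "AWS4-HMAC-SHA256") != "AWS4-HMAC-SHA256":
        errors.append("unexpected X-Amz-Algorithm")
    if "X-Amz-Date" in p and "X-Amz-Expires" in p:
        try:
            sent = datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
            sent = sent.replace(tzinfo=timezone.utc)
            if now > sent + timedelta(seconds=int(p["X-Amz-Expires"])):
                errors.append("stale URL: past X-Amz-Date + X-Amz-Expires")
        except (ValueError, OverflowError):
            errors.append("malformed X-Amz-Date or X-Amz-Expires")
    return p, errors

# Constructed sample request; token, role, credential and signature are placeholders.
SAMPLE = ("https://ecp.example.com/login?wlan=1&token=CONSTRUCTEDTOKEN&role=Unregistered"
          "&mac=0023149032a8&bssid=00026fe9b568&vlan=20&hwc_ip=10.10.21.6&hwc_port=443"
          "&dest=http%3A%2F%2Fwww.example.com%2F&X-Amz-Algorithm=AWS4-HMAC-SHA256"
          "&X-Amz-Credential=constructed-id&X-Amz-Date=20240101T120000Z&X-Amz-Expires=60"
          "&X-Amz-SignedHeaders=host&X-Amz-Signature=" + "0" * 64)

if __name__ == "__main__":
    print(parse_redirect(SAMPLE, datetime.now(timezone.utc), signing_expected=True)[1])
```

The wlan, token and role values in the returned dictionary are the ones the ECP must carry into the redirection back to the appliance.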