Centralized Web Authentication (CWA) provides the URL for the captive
portal dynamically through RADIUS attributes, following the successful
authentication over 802.1x. CWA can integrate with both an ExtremeControl captive portal server and a Cisco® ISE captive portal
server.
The configuration required on ExtremeCloud IQ
Controller is the same regardless of
the captive portal server used:
On ExtremeCloud IQ
Controller:
Configure a AAA Policy,
defining the RADIUS server, then reference that AAA Policy on the CWA
captive portal network configuration.
The RADIUS server in
the AAA Policy is the authentication server that sends the redirection
attribute back to ExtremeCloud IQ
Controller. You only need the
role name on ExtremeCloud IQ
Controller to match the
Filter-ID sent in the RADIUS-Accept.
Configure a CWA captive
portal network.
Configure a Redirect Policy
Role that includes at least one redirect rule.
When integrating with an ExtremeControl server, we use the ExtremeControl rules engine. The rules engine assigns the policy
Unregistered
to the redirection and assigns the policy Enterprise User when
authenticated by the captive portal:
Map the redirection policy
that you created on ExtremeCloud IQ
Controller to ExtremeControl.
Create an allow policy on ExtremeCloud IQ
Controller
and map it to ExtremeControl.
When integrating with a Cisco® ISE captive portal server:
Configure an Authorization
Profile that references the policy role configured on ExtremeCloud IQ
Controller.
Configure an Authorization
Policy that references the Authorization Profile.
The Authorization Policy
will include three profiles: the Redirection Profile, an Allow Profile,
and a Deny Profile.
Note
The Allow Role will take
effect once the user has been successfully authenticated to the network.
From the clients list on ExtremeCloud IQ
Controller, you can view the
client that authenticated the network. The Allow Role is listed in the
Role column.
The Authorization Profile
generates the following attribute details:
