Case 2: When the ECP is the Final Authority

If the ECP makes the final authentication and authorization decision, it must sign the redirection response it sends to the client's browser. If it signs the redirection, it can include options that the appliance applies to the authorized client's session, including an access control role and the maximum duration for the client's session. Parameters Available on the Redirection URL from ExtremeCloud IQ Controller to the ECP lists all the parameters that can appear in a signed redirection response from the ECP, and which of them are mandatory in this case.

The syntax of a signed ECP redirect to the appliance is:

[http | https]://<controller-IP-address-or-FQDN>{: <port>}/ext_approval.php?token=<token>&wlan=<wlanid>&username=<userid>{&dest=<dest>}{&role=<rolename>}{&opt27=<max-seconds-duration>}&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<Scoped-Credential>&X-Amz-Date=<YYYYMMDDThhmmssZ>&X-Amz-Expires=<duration>&X-Amz-SignedHeaders=host&X-Amz-Signature=<signature>

where the individual parameters are described in Table 1 below. The order of the parameters in the query string is not important.

The following is an example of a signed redirection response that assigns the user to a role called “Guest_Access” and limits the session duration to 10 hours:

https://10.10.21.6/ext_approval.php?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=BigAuthInc%2F20140729%2Fworld%2Fecp%2Faws4_request&X-Amz-Date=20140729T153754Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host&dest=http%3A%2F%2F1.2.3.4%2Fnews.com&opt27=36000&role=Guest_Access&token=T7vb1LdUZmsuY0q9V60Iww%21%21&username=test&wlan=1&X-Amz-Signature=48389399c4b9e237ff64bbbd203a9abe272b8df513dff1eae8202df82ceb2c34
Table 1. Parameters that can be included in a Signed Redirection Response from the ECP

dest
  Value: URL
  Mandatory: Conditional
  Notes: The <dest> parameter is required only if the appliance is configured to redirect the client to its original destination. The appliance directs the client's browser to an error page if it is configured to redirect to the original destination and the <dest> parameter is not returned to the appliance.

opt27
  Value: Base 10 number
  Mandatory: No
  Notes: The maximum amount of time, in seconds, that the current session can last before being terminated. If not specified, the default for the WLAN Service is applied to the authenticated client. In the RADIUS protocol, option number 27 is the Session-Timeout attribute.

role
  Value: Alphanumeric string
  Mandatory: No
  Notes: The name of an access control role defined on ExtremeCloud IQ Controller. The appliance applies this role to the remainder of the authorized client's session. If a role parameter is not provided, the appliance uses the default authenticated role of the VNS that the authenticated client is accessing.

token
  Value: Alphanumeric string
  Mandatory: Yes
  Notes: An identifier for the user's wireless session hosted on the appliance that performed the redirection.

username
  Value: Alphanumeric string
  Mandatory: Yes
  Notes: The user name is mandatory even if the URL is signed. It is used to identify the client in reports and accounting messages, even if it is not used to authenticate the client.

wlan
  Value: Numeric string
  Mandatory: Yes
  Notes: An identifier for the WLAN Service that the client is using to access the network.

X-Amz-Algorithm
  Value: Alphanumeric string
  Mandatory: Yes
  Notes: The identifier for the algorithm used to compute the "X-Amz-Signature". This attribute must be present when the ECP is acting as the final authorizing authority. The value of this attribute is "AWS4-HMAC-SHA256" and is not configurable. The signing algorithm and the role of the identifier in it are covered in more detail in section Verify the Signed Request.

X-Amz-Credential
  Value: Alphanumeric string
  Mandatory: Yes
  Notes: The identifier for the account whose shared secret was used to compute the "X-Amz-Signature". Mandatory if the ECP signs the redirection response in order to act as the final authorizing authority. The credential has the format:

    <identity>/<YYYYMMDD>/world/ecp/aws4_request

  where:

    • <identity> is the identity configured for the ECP on the appliance in the WLAN Service's ECP configuration.
    • <YYYYMMDD> is the year, month, and day extracted from X-Amz-Date.
    • world/ecp/aws4_request is a constant literal string that scopes the request.

X-Amz-Date
  Value: Alphanumeric string
  Mandatory: Yes
  Notes: This is the date and time at which the appliance prepared and sent the redirection back to the user's browser. The date and time are in ASCII-encoded UTC and have the format:

    YYYYMMDDThhmmssZ

  This attribute must be present if the ECP signs the redirection response to indicate that it is the final authorizing authority.

X-Amz-Expires
  Value: Numeric string
  Mandatory: Yes
  Notes: This is the maximum length of time, in seconds, that the appliance should trust the redirection response. In other words, a signed redirection response from the ECP is treated as valid only until X-Amz-Date + X-Amz-Expires. This attribute is mandatory if the ECP signs the redirection response.

X-Amz-Signature
  Value: ASCII-encoded hex string
  Mandatory: Yes
  Notes: This is the signature computed over some of the HTTP headers and parts of the query string, presented as ASCII-encoded hex. The field must be present if the ECP signs the request in order to act as the final authorizing authority.

X-Amz-SignedHeaders
  Value: Alphanumeric string
  Mandatory: Yes
  Notes: Which of the headers in the HTTP request were included in the input to the calculation of the signature. This is present only when the appliance is configured to sign the redirection to the ECP, in which case it must be present.
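The following is an added example (not code from ExtremeCloud IQ Controller or from this document) that builds a redirect in the syntax above and then applies the appliance-side checks Table 1 describes: mandatory parameters, the `<identity>/<YYYYMMDD>/world/ecp/aws4_request` credential scope, the X-Amz-Date + X-Amz-Expires validity window, and the HMAC signature. The exact canonicalisation is deferred by this page to "Verify the Signed Request", so the example assumes the standard AWS SigV4 query-signing construction; `secret` stands for the shared secret configured for the ECP on the appliance, and the sample values are constructed.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl, quote

ALGO, SCOPE = "AWS4-HMAC-SHA256", "world/ecp/aws4_request"
MANDATORY = ("token", "username", "wlan", "X-Amz-Algorithm", "X-Amz-Credential",
             "X-Amz-Date", "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")
Q = lambda s: quote(s, safe="-_.~")  # SigV4 percent-encoding: only RFC 3986 unreserved kept

def _signature(host, path, p, secret):
    # ASSUMPTION: standard AWS SigV4 query signing (GET, host header only, UNSIGNED-PAYLOAD)
    # with the page's credential scope; the page defers exact canonicalisation to "Verify the Signed Request".
    day, scope = p["X-Amz-Date"][:8], p["X-Amz-Credential"].split("/", 1)[1]
    canon_q = "&".join(f"{Q(k)}={Q(v)}" for k, v in sorted(p.items()) if k != "X-Amz-Signature")
    canonical = "\n".join(["GET", path, canon_q, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    sts = "\n".join([ALGO, p["X-Amz-Date"], scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in [day, *SCOPE.split("/")]:  # derive the per-day, per-scope signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def sign_redirect(host, path, params, identity, secret, when, expires=60):
    """ECP side: build the signed ext_approval.php redirect sent to the client's browser."""
    p = dict(params, **{"X-Amz-Algorithm": ALGO, "X-Amz-SignedHeaders": "host",
                        "X-Amz-Date": when.strftime("%Y%m%dT%H%M%SZ"), "X-Amz-Expires": str(expires)})
    p["X-Amz-Credential"] = f"{identity}/{p['X-Amz-Date'][:8]}/{SCOPE}"
    p["X-Amz-Signature"] = _signature(host, path, p, secret)
    return f"https://{host}{path}?" + "&".join(f"{Q(k)}={Q(v)}" for k, v in p.items())

def verify_redirect(url, identity, secret, now):
    """Appliance side: return the reasons to reject the redirect; [] means accept."""
    u = urlsplit(url)
    p = dict(parse_qsl(u.query, keep_blank_values=True))
    errs = [f"missing {k}" for k in MANDATORY if k not in p]
    if errs:
        return errs
    if p["X-Amz-Algorithm"] != ALGO:
        errs.append("unsupported algorithm")
    if p["X-Amz-Credential"] != f"{identity}/{p['X-Amz-Date'][:8]}/{SCOPE}":
        errs.append("credential scope does not match identity/date")
    try:  # trusted only from X-Amz-Date until X-Amz-Date + X-Amz-Expires
        issued = datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        if not issued <= now <= issued + timedelta(seconds=int(p["X-Amz-Expires"])):
            errs.append("outside validity window")
    except ValueError:
        errs.append("malformed X-Amz-Date or X-Amz-Expires")
    if "opt27" in p and not p["opt27"].isdigit():
        errs.append("opt27 must be a base-10 number of seconds")
    if not hmac.compare_digest(p["X-Amz-Signature"], _signature(u.netloc, u.path, p, secret)):
        errs.append("bad signature")
    return errs
```

Because the signature covers the sorted query string, changing any signed parameter (for example the role) after signing is rejected as a bad signature, and a replayed URL is rejected once the validity window has passed.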