Configuring Firewall Friendly External Captive Portal on an AP

To configure a Firewall Friendly External Captive Portal (FFECP) on the AP, take the following steps:

  1. If configuring Rule-based Redirection, verify that Rule-based Redirection is enabled. Go to VNS > Global > Filtering Mode and select Enable Rule-Based Redirection.

    Rule-Based Redirection is enabled by default for new installations of ExtremeWireless v10.11 and later. When upgrading from an earlier version of ExtremeWireless, this option is cleared by default. You must enable Rule-Based Redirection from the Filtering Mode screen.

    Note

    The option to disable Rule-based Redirection is available for backward compatibility only.

    Rule-based Redirection relies on policy rules that are defined for HTTP(S) redirection. Non-Rule-based Redirection automatically redirects an unauthenticated client to the ECP when a deny action occurs on HTTP(S) traffic.

    Note

    You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can use HTTP to reach IPv6 websites, you cannot apply Captive Portal redirection to HTTP(S) over IPv6.
  2. Create a basic topology where the topology mode is Bridge Traffic Locally at AP. The topology can be tagged or untagged. For more information, see Configuring a Basic Topology.
    If using RADIUS authentication, the AP must be in Site mode with at least one RADIUS server configured for local RADIUS authentication.
  3. Create a role and define specific policy rules.
    The role must be configured with the following parameters:
    From the VLAN & Class of Service tab, select a default Access Control value for the role.
    Select from one of the following:
    • None - No role defined
    • No change - Default setting
    • Allow - Packets contained to role's default action's VLAN/topology.
    • Deny - Any packet not matching a rule in the Role is dropped.
    • Containment VLAN - A topology to use when a VNS is created using a role that does not specify a topology.

    The Allow and Containment VLAN options with the B@AP topology redirect HTTP traffic on the AP. For B@AP traffic, only the FF ECP is supported as an external captive portal.

    Note

    Rule-based Redirection to the FFECP is dependent on the configured VLAN ID. Do not change the client's VLAN ID at runtime.
    On the Policy Rules tab, enable AP Filtering.

    Configure specific policy rules. For more information, see Configuring Rule-Based Redirection.

  4. Configure a WLAN Service with the following parameter settings:
    • Default Topology = Bridged at AP, tagged or untagged.
    • Select an AP.
    • Configure Privacy settings.
    • Configure the Captive Portal to be External Firewall Friendly.
    • (Optional) Configure RADIUS servers for RADIUS authentication. For more information, see Assigning RADIUS Servers for Authentication.
    • Configure the following parameters on the ECP:
      • The Identity and Shared Secret fields are required and must match the values used when you configured the captive portal.
      • When configuring the Allow policy for the ECP, the IP/subnet value specified on the Filter Rule Definition dialog must match the Redirection URL value specified on the FFECP Configure dialog.
      • Select the Vendor Specific Attributes (VSAs) for authentication. For more information, see Vendor Specific Attributes.
      • Select an option for Send Successful Login To.
      For FFECP local RADIUS authentication:
      • The AP must be in Site mode.
      • Local RADIUS authentication is configured on at least one RADIUS server.
      • The Signature option is unchecked.
  5. Configure a VNS with the authenticated and non-authenticated policies.
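
The constraints in steps 1 through 4 can be checked before deployment. The following is an added example, not ExtremeWireless code: the settings dictionary, its key names and the sample values are hypothetical, and it assumes the Redirection URL uses an IP literal so the match against the Allow rule can be checked offline.

```python
import ipaddress
from urllib.parse import urlsplit

def check_ffecp(cfg):
    """Return the problems found in a settings dict (keys are hypothetical)."""
    problems = []
    # Steps 2 and 4: traffic must be bridged locally at the AP (B@AP).
    if cfg.get("topology_mode") != "bridge_at_ap":
        problems.append("topology must be Bridge Traffic Locally at AP")
    # Step 4: Identity and Shared Secret are required on the ECP.
    for field in ("identity", "shared_secret"):
        if not cfg.get(field):
            problems.append(f"{field} is required")
    # Step 4: the Allow rule's IP/subnet must match the Redirection URL.
    host = urlsplit(cfg.get("redirection_url", "")).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
        net = ipaddress.ip_network(cfg.get("allow_rule_subnet", ""), strict=False)
    except ValueError:
        # Assumption: without an IP literal the match cannot be checked offline.
        problems.append("cannot compare redirection URL host with allow rule")
    else:
        if addr.version == 6 or net.version == 6:
            # Step 1 note: redirection does not work with IPv6 classifiers.
            problems.append("IPv6 cannot be used for captive portal redirection")
        elif addr not in net:
            problems.append(f"allow rule {net} does not cover portal {addr}")
    # Step 4: preconditions for FFECP local RADIUS authentication.
    if cfg.get("local_radius_auth"):
        if cfg.get("ap_mode") != "site":
            problems.append("AP must be in Site mode")
        if not cfg.get("local_radius_servers"):
            problems.append("no RADIUS server configured for local authentication")
        if cfg.get("signature_enabled"):
            problems.append("Signature option must be unchecked")
    return problems

# Constructed sample settings (documentation address range, not real values).
GOOD = {"topology_mode": "bridge_at_ap", "identity": "ap-ffecp",
        "shared_secret": "example-secret", "allow_rule_subnet": "192.0.2.10/32",
        "redirection_url": "https://192.0.2.10/portal/login",
        "local_radius_auth": True, "ap_mode": "site",
        "local_radius_servers": ["192.0.2.20"], "signature_enabled": False}
BAD = dict(GOOD, allow_rule_subnet="192.0.2.64/26", signature_enabled=True)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ffecp(cfg) or "ok")
```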