Configuring External and Mode 802.1 Captive Portal

Click to expand in new window
Captive Portal Page for External and 802.1x Modes
Graphics/captive_portal_http_redirect.png
Click to expand in new window

External Captive Portal Page - Fields and Buttons

Field/Button Description
Session Control Interface
EWC Connection In the drop-down list, click the IP address of the external Web server. and then enter the port of the controller.

If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and filtering.

Enable HTTPS support Select Enable https support if you want to enable HTTPS support (TLS/SSL) for this external captive portal. This has no impact on the traffic exchanged between users‘ browsers and the External Captive Portal. When enabled, this option protects the session control traffic between the external captive portal and the controller from being read by a third party. This is particularly useful when a dedicated network management VLAN is unavailable to carry the session control traffic. For more information, see the Integration Guide.
Encryption Select the data encryption to use. Options are:
  • None—no encryption is performed. If the HTTPS option is not enabled, session control messages are sent in plain text over the network.
  • Legacy—both the ECP and the controller are expected to use simple message encryption based on MD5 (Message-Digest algorithm 5). Frames are encrypted by Xoring session control message payload with a keystream generated from an MD5 hash of a shared key. This is a weak encryption algorithm and is only supported for backward compatibility. If encryption is needed, consider using the option below.
  • AES—session control messages sent by the controller and ECP are encrypted with the “Advanced Encryption Standard” based on the Rijndael cipher. AES encryption is considerably more secure than legacy encryption.

    If encryption is enabled then a shared key must be entered.

Note: Using the encryption option has one advantage over using the HTTPS option alone. When HTTPS is enabled, the ECP can authenticate the controller‘s certificate, but the controller does not ask the client to provide one. Consequently, HTTPS does not prevent unauthorized users from sending messages to the session control interface. Because the encryption option is based on a shared key, the encryption provides a form of authentication. If the controller can decrypt the payload of a session control message, then it is has reason to believe the message came from the external captive portal.
Shared Secret Type the password common to both the controller and the external web server if you want to encrypt the information passed between the controller and the external web server. If encryption is enabled then a shared key must be entered. A shared key is a string that both the controller and the ECP use to encrypt and decrypt session control messages. The shared key must be between 16 and 64 characters long. For better security, use a long key composed of randomly selected characters.
Redirection URL
The Redirection URL field contains the URL to which the controller will redirect all blocked, unauthenticated HTTP traffic on this WLAN Service, or traffic that has been explicitly configured for redirection, depending on your configuration. This should be the URL of the page that will prompt the user to authenticate. If using host name rules, the redirection url can be the configured host name. The redirected browser will issue a “get” to the ECP for this URL. The “Redirection URL”:
  • Can begin with “http://” or “https://”.
  • Must end with a “?” or “&”. Use “&” if the base URL contains some query strings.
Note: The Redirection URL does not support IPv6.
Add EWC IP & Port to redirection URL

The Add HWC IP & Port to redirection URL option is useful if the external captive portal serves more than one controller. An ECP must send its session control messages to the controller hosting the controlled session. If an ECP serves more than one controller, then the Add HWC IP & Port to redirection URL option must be used to identify the source of the redirection. The ECP should store the controller address and port with the token and other session details so that it is available throughout the authentication process.

Special
ToS override for NAC Allows for ToS marking results in redirection to a captive portal via a NAC server.
Close Click to save your changes and close this page.
Cancel Click to discard the configuration
Note

Note

You must add a role rule to the non-authenticated filter that allows access to the external Captive Portal site. For more information, see Policy Rules.