Configuring Firewall Friendly External Captive Portal on an AP

To configure a Firewall Friendly External Captive Portal (FFECP) on the AP, take the following steps:

  1. If configuring Rule-based Redirection, verify that Rule-based Redirection is enabled. Go to VNS > Global > Filtering Mode and select Enable Rule-Based Redirection.

    Rule-Based Redirection is enabled by default for new installations of ExtremeWireless v10.11 and later. When upgrading from an earlier version of ExtremeWireless, this option is cleared by default. You must enable Rule-Based Redirection from the Filtering Mode screen.

    Note

    Note

    The option to disable Rule-based Redirection is available for backward capability only.

    Rule-based Redirection relies on policy rules that are defined for HTTP(S) redirection. Non-Rule-based Redirection automatically redirects an un-authenticated client to ECP when a deny action occurs on HTTP(S) traffic.

    Note

    Note

    You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can http to IPv6 websites, you cannot apply Captive Portal redirection to http [s] over IPv6 .
  2. Create a basic topology where the topology mode is Bridge Traffic Locally at AP. The topology can be tagged or untagged. For more information, see Configuring a Basic Topology.
    If using RADIUS authentication, FF-ECP on the AP can work with both local and central RADIUS authentication. The AP must be in Site mode.
  3. Create a role and define specific policy rules.
    The role must be configured with the following parameters:
    From the VLAN& Class of Service tab, select a default Access Control value for the role.
    Click to expand in new window
    Graphics/default_accessControl_vlan.png
    Select from one of the following:
    • None - No role defined
    • No change - Default setting
    • Allow - Packets contained to role's default action's VLAN/topology.
    • Deny - Any packet not matching a rule in the Role is dropped.
    • Containment VLAN - Any packet not matching a rule is sent to defined VLAN.

    The Allow and Containment VLAN options with the B@AP topology redirects HTTP traffic on the AP. For B@AP traffic, only the FF ECP is supported as an external captive portal.

    Note

    Note

    FFECP @AP is dependent on the configured non-authenticated VLAN ID. Do not change the client's VLAN ID at runtime.
    On the Policy Rules tab, enable AP Filtering.
    Click to expand in new window
    Graphics/PR_APFiltering2.png
    Configure specific policy filters.

    For more information, see Configuring Rule-Based Redirection.

  4. Configure a WLAN Service with the following parameter settings:
    • Default Topology = Bridged at AP, tagged or untagged.
    • Select an AP.
    • Configure Privacy settings.
    • Configure the Captive Portal to be External Firewall Friendly.
    • (Optional) Configure RADIUS servers for RADIUS authentication. For more information, see Assigning RADIUS Servers for Authentication.
    • Configure the following parameters on the ECP:
      • The Identity and Shared Secret fields are required and must match the values used when you configured the captive portal.
      • When configuring the Allow policy for the ECP, the IP/subnet value specified on the Filter Rule Definition dialog, must match the Redirection URL value specified on the FFECP Configure dialog.
      • Select the Vendor Specific Attributes (VSAs) for authentication. For more information, see Vendor Specific Attributes.
      • Select an option for Send Successful Login To.
      For FFECP local radius authentication:
      • The AP must be in Site mode.
      • Local RADIUS authentication is configured on at least one RADIUS server.
      • The Signature option is unchecked.
  5. Configure a VNS with the authenticated and non-authenticated policies.