Configuring Firewall Friendly External Captive Portal on an AP
To configure a Firewall Friendly External Captive Portal (FFECP) on the AP, take the following steps:
- If configuring Rule-based Redirection, verify that Rule-based Redirection is enabled. Go to and select Enable Rule-Based Redirection.
  Rule-Based Redirection is enabled by default for new installations of ExtremeWireless v10.11 and later. When upgrading from an earlier version of ExtremeWireless, this option is cleared by default. You must enable Rule-Based Redirection from the Filtering Mode screen.
  Note: The option to disable Rule-based Redirection is available for backward compatibility only.
  Rule-based Redirection relies on policy rules that are defined for HTTP(S) redirection. Non-Rule-based Redirection automatically redirects an unauthenticated client to ECP when a deny action occurs on HTTP(S) traffic.
  Note: You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can use HTTP to reach IPv6 websites, you cannot apply Captive Portal redirection to HTTP(S) over IPv6.
- Create a basic topology where the topology mode is Bridge Traffic Locally at AP. The topology can be tagged or untagged. For more information, see Configuring a Basic Topology.
  If using RADIUS authentication, FF-ECP on the AP can work with both local and central RADIUS authentication. The AP must be in Site mode.
- Create a role and define specific policy rules.
  The role must be configured with the following parameters:
  From the VLAN & Class of Service tab, select a default Access Control value for the role. Select one of the following:
  - None - No role defined
  - No change - Default setting
  - Allow - Packets are contained to the role's default action's VLAN/topology.
  - Deny - Any packet not matching a rule in the Role is dropped.
  - Containment VLAN - Any packet not matching a rule is sent to the defined VLAN.
  The Allow and Containment VLAN options with the B@AP topology redirect HTTP traffic on the AP. For B@AP traffic, only the FF ECP is supported as an external captive portal.
  Note: FFECP @AP is dependent on the configured non-authenticated VLAN ID. Do not change the client's VLAN ID at runtime.
  On the Policy Rules tab, enable AP Filtering.
  Configure specific policy filters.
  For more information, see Configuring Rule-Based Redirection.
- Configure a WLAN Service with the following parameter settings:
  - Default Topology = Bridged at AP, tagged or untagged.
  - Select an AP.
  - Configure Privacy settings.
  - Configure the Captive Portal to be External Firewall Friendly.
  - (Optional) Configure RADIUS servers for RADIUS authentication. For more information, see Assigning RADIUS Servers for Authentication.
  - Configure the following parameters on the ECP:
    - The Identity and Shared Secret fields are required and must match the values used when you configured the captive portal.
    - When configuring the Allow policy for the ECP, the IP/subnet value specified on the Filter Rule Definition dialog must match the Redirection URL value specified on the FFECP Configure dialog.
    - Select the Vendor Specific Attributes (VSAs) for authentication. For more information, see Vendor Specific Attributes.
    - Select an option for Send Successful Login To.
  For FFECP local RADIUS authentication:
  - The AP must be in Site mode.
  - Local RADIUS authentication is configured on at least one RADIUS server.
  - The Signature option is unchecked.
- Configure a VNS with the authenticated and non-authenticated policies.
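A pre-deployment check for the WLAN Service step's requirement that the Allow policy's IP/subnet match the Redirection URL, which also flags the IPv6 limitation noted in the first step. This is an added example, not ExtremeWireless code: the function name and the sample URL and subnet values are constructed for illustration, and the Redirection URL is assumed to carry either an IP literal or a host name.

```python
import ipaddress
from urllib.parse import urlsplit


def check_ecp_allow_rule(redirection_url, allow_rule):
    """Compare the FFECP Redirection URL with the Allow rule's IP/subnet.

    Returns a list of problem strings; an empty list means the values agree.
    """
    problems = []
    parts = urlsplit(redirection_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [f"{redirection_url!r} is not an http(s) URL with a host"]
    try:
        # strict=False accepts a host address with a prefix, e.g. 192.0.2.10/24
        net = ipaddress.ip_network(allow_rule, strict=False)
    except ValueError:
        return [f"allow rule {allow_rule!r} is not a valid IP/subnet"]
    if net.version == 6:
        problems.append("allow rule is IPv6: redirection cannot use IPv6 classifiers")
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # Host names cannot be compared offline; the operator must resolve them.
        problems.append(
            f"URL host {parts.hostname!r} is a name: resolve it and compare with {net}"
        )
        return problems
    if addr.version == 6:
        problems.append("URL host is IPv6: redirection does not apply to HTTP(S) over IPv6")
    elif net.version == 4 and addr not in net:
        problems.append(f"URL host {addr} is outside allow rule {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not from the page.
    samples = [
        ("https://192.0.2.10/login", "192.0.2.10/32"),
        ("https://192.0.2.10/login", "198.51.100.0/24"),
        ("https://[2001:db8::10]/login", "2001:db8::/64"),
        ("https://portal.example/login", "192.0.2.0/24"),
    ]
    for url, rule in samples:
        result = check_ecp_allow_rule(url, rule)
        print(url, rule, "->", "OK" if not result else "; ".join(result))
```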