Configuring Firewall Friendly External Captive Portal

This task describes how to configure a Firewall Friendly External Captive Portal.

  1. From the Auth & Account tab, in the Mode field, select Firewall Friendly External.
  2. Click Save.
    The Configure button is enabled.
  3. Configure RADIUS servers for authentication. For more information, see Assigning RADIUS Servers for Authentication.
  4. Click Configure.
    Figure: Configuring Firewall Friendly External Captive Portal

ExtremeWireless offers a scalable external captive portal (ECP) solution on the AP that can be managed locally or through a Cloud solution, in addition to the controller-based ECP. The following table lists the WLAN redirection configuration options for the AP and the controller. Each setting is identified as mandatory or optional for redirection on the AP or on the controller. For more information about configuring ECP on an AP, see Configuring a Captive Portal on an AP.

Firewall Friendly External Captive Portal

| Field/Button | Description | Redirection at the AP | Redirection at the Controller |
|---|---|---|---|
| Redirect to External Captive Portal | | | |
| Identity | Type the name common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. | Mandatory. Required for signing the redirected URL. If you do not configure the Identity, the redirector on the AP drops the traffic. | Optional |
| Shared Secret | Type the password common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. | Mandatory. Required for signing the redirected URL. If you do not configure the Shared Secret, the redirector on the AP drops the traffic. | Optional |
| Redirection URL | Type the URL to which the wireless device user will be directed to after authentication. Note: Ensure the request does not exceed the browser character limit. Older browsers limit requests to 255 characters. Newer browsers allow up to 2048 characters. The Redirection URL does not support IPv6. | Mandatory | Mandatory |
| EWC IP and Port | IP address and Port number | Mandatory. By default, this option is enabled. The IP address and port of the AP are always URL parameters. A deployment will have multiple APs. The IP address and port communicate to the External Captive Portal through the client, identifying which AP is redirecting the client. | Optional. This option is not required when the deployment includes only one controller. However, we recommend enabling this option when the deployment includes multiple controllers. |
| Replace EWC IP with EWC FQDN | Use controller's Fully-Qualified Domain Name instead of IP address. | Not supported | Optional. You can enable this setting if the deployment uses a single controller. |
| AP Name and Serial Number | Name and Serial Number of AP | N/A. AP has this information locally. | Optional |
| AP Ethernet MAC | MAC address of the AP | N/A. AP has this information locally. | Optional |
| AP Location | Text string used to describe physical AP location. | Optional | Optional |
| Associated BSSID | Associated BSSID of AP | N/A. AP has this information locally. | Optional |
| VNS Name | Virtualized Network Service Name | Optional. For non-site deployments, the VNS Name is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. | Optional |
| SSID | Service Set Identifier | N/A. AP has this information locally. | Optional |
| Station MAC Address | Media Access Control Address | N/A. AP has this information locally. | Optional |
| Currently Assigned Role | | Optional. For non-site deployments, the Assigned Role is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. | Optional |
| Containment VLAN of Assigned Role | | Optional. For non-site deployments, the Assigned Role is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. | Optional |
| Timestamp | Timestamp (in UTC) | Mandatory. The timestamp (in UTC) is always included, because it prevents replay attacks of a recorded redirected URL. The AP must have access to UTC time, which is provided by the controller. | Optional |
| Signature | | Optional. Signature is included when full authentication is employed. If configuring a RADIUS authentication server, clear the Signature checkbox. The Signature option is the flag that indicates how authentication is achieved. | Optional |
| Redirect From External Captive Portal | | | |
| Use HTTPS for Users Connections | Select this option to use HTTPS instead of HTTP. The default state will be set for HTTPS. This applies to both new WLANS and WLANS that existed prior to upgrading to V9.15 and later. | Optional. The AP presents a self-signed certificate that triggers a warning page in most browsers. The AP does not support installing signed certificates from a trusted certificate authority. | Optional |
| Send Successful Login to: | Select the IP address of the external Web server, and then enter the port of the controller. | Mandatory. The session management page can contain a link to the original URL that was served when it was redirected. The session management page includes a button to terminate the user's session. The only way the client can come directly to this page is by replaying the redirection URL from the External Captive Portal within the grace period measured by the timestamp. | Optional. The session management page does include a button to terminate the user's session. |

View Sample

Displays an example format of the redirection URL that the controller/AP expects to receive (indirectly) from the ECP.

If the WLAN Service is part of a VNS or has a default topology, then the server portion of the URL contains the IP address of the controller/AP. The query string is populated with realistic but fictional data. This information is provided to assist in developing the ECP program.
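
The following Python example is added here and is not ExtremeWireless code. It shows how the receiving side of a signed redirected URL could apply the Identity, Shared Secret and Timestamp settings described in the table: look up the secret for the Identity, verify the signature, then reject timestamps outside the grace period. The parameter names, the HMAC-SHA256 construction and the 300-second grace period are assumptions; the actual format is the one View Sample displays.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumptions, not the product's wire format: the parameter names "identity",
# "timestamp" and "signature", HMAC-SHA256 over the sorted query string, and a
# 300-second grace period. Take the real format from View Sample.
GRACE_SECONDS = 300
MAX_URL_LEN = 2048  # newer-browser limit quoted in the table

def _mac(secret, path, items):
    canonical = path + "?" + urlencode(sorted(items))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()

def sign_url(base, params, identity, secret, now):
    """Build a signed redirect URL; used here only to construct sample input."""
    items = list(params.items()) + [("identity", identity), ("timestamp", str(now))]
    sig = _mac(secret, urlsplit(base).path, items)
    return base + "?" + urlencode(sorted(items) + [("signature", sig)])

def verify_url(url, secrets, now):
    """Return "ok", or the reason the redirected URL must be rejected."""
    if len(url) > MAX_URL_LEN:
        return "too long"
    parts = urlsplit(url)
    items = parse_qsl(parts.query, keep_blank_values=True)
    fields = dict(items)
    secret = secrets.get(fields.get("identity", ""))
    if secret is None or "signature" not in fields:
        return "unsigned or unknown identity"
    unsigned = [(k, v) for k, v in items if k != "signature"]
    expected = _mac(secret, parts.path, unsigned).encode()
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected, fields["signature"].encode()):
        return "bad signature"
    try:
        age = now - int(fields["timestamp"])
    except (KeyError, ValueError):
        return "missing timestamp"
    # A recorded URL replayed after the grace period fails here.
    return "ok" if abs(age) <= GRACE_SECONDS else "stale timestamp"

# Constructed sample data (identity, secret, host and values are made up).
SECRETS = {"ecp-demo": b"constructed-shared-secret"}
ISSUED = 1_700_000_000
SAMPLE = sign_url("https://ecp.example.test/login",
                  {"bssid": "00:11:22:33:44:55", "ssid": "guest"},
                  "ecp-demo", SECRETS["ecp-demo"], ISSUED)
```

The signature is checked before the timestamp, so a timestamp edited to look fresh is rejected as a bad signature rather than accepted.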