Configuring Firewall Friendly External Captive Portal on an AP

To configure a Firewall Friendly External Captive Portal (FFECP) on the AP, take the following steps:

  1. If configuring Rule-based Redirection, verify that Rule-based Redirection is enabled. Go to VNS > Global > Filtering Mode and select Enable Rule-Based Redirection.

    Rule-Based Redirection is enabled by default for new installations of ExtremeWireless v10.11 and later. When upgrading from an earlier version of ExtremeWireless, this option is cleared by default. You must enable Rule-Based Redirection from the Filtering Mode screen.

    Note

    The option to disable Rule-based Redirection is available for backward compatibility only.

    Rule-based Redirection relies on policy rules that are defined for HTTP(S) redirection. Non-Rule-based Redirection automatically redirects an un-authenticated client to ECP when a deny action occurs on HTTP(S) traffic.

    Note

    You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can use HTTP to reach IPv6 websites, you cannot apply Captive Portal redirection to HTTP(S) over IPv6.
  2. Create a basic topology where the topology mode is Bridge Traffic Locally at AP. The topology can be tagged or untagged. For more information, see Configuring a Basic Topology in the User Guide.
    If using RADIUS authentication, FF-ECP on the AP can work with both local and central RADIUS authentication.
  3. Create a role and define specific policy rules.
    The role must be configured with the following parameters:
    From the VLAN (Virtual LAN) & Class of Service tab, select a default Access Control value for the role.
    Select from one of the following:
    • None - No role defined
    • No change - Default setting
    • Allow - Packets contained to role's default action's VLAN/topology.
    • Deny - Any packet not matching a rule in the Role is dropped.
    • Containment VLAN - Any packet not matching a rule is sent to defined VLAN.

    For B@AP traffic, only the FF ECP is supported as an external captive portal.

    On the Policy Rules tab, enable AP Filtering.
    Configure specific policy filters.
    • Allow DHCP (Dynamic Host Configuration Protocol) and DNS traffic.
    • Mobile user access to FF-ECP.
    • Allow traffic towards mobile user.
    • HTTP(S) redirection.
      Note

      ExtremeWireless v10.31 supports a non-topology-specific implementation. Extreme will register the sub-domain “portal.ezcloudx.com” and populate the public/Extreme DNS server with a DNS mapping of 1.1.1.1 for the FQDN “portal.ezcloudx.com”.

    For more information, see Configuring Rule-Based Redirection in the User Guide.

  4. Configure a WLAN (Wireless Local Area Network) Service with the following parameter settings:
    • Default Topology = Bridged at AP, tagged or untagged.
    • Select an AP.
    • Configure Privacy settings.
    • Configure the Captive Portal to be External Firewall Friendly.
    • (Optional) Configure RADIUS servers for RADIUS authentication. For more information, see Assigning RADIUS Servers for Authentication in the User Guide.
    • Configure the following parameters on the ECP:
      • The Identity and Shared Secret fields are required and must match the values used when you configured the captive portal.
      • When configuring the Allow policy for the ECP, the IP/subnet value specified on the Filter Rule Definition dialog must match the Redirection URL value specified on the FFECP Configure dialog.
      • Select the Vendor Specific Attributes (VSAs) for authentication. For more information, see Vendor Specific Attributes in the User Guide.
      • Select an option for Send Successful Login To.
      For FFECP local RADIUS authentication:
      • The AP must be in Site mode.
      • Local RADIUS authentication is configured on at least one RADIUS server.
      • The Signature option is unchecked.
  5. Configure a VNS with the authenticated and non-authenticated policies.
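
The policy-rule requirements from steps 3 and 4 can be checked before the role is deployed. The following is an added example, not ExtremeWireless code or an export format the product provides: the rule dictionaries, the function name lint_role, and the sample addresses are hypothetical and constructed for illustration. It checks that DHCP and DNS are allowed, that an Allow rule covers the address in the Redirection URL, that an HTTP(S) redirection rule exists, and that no redirection rule uses an IPv6 classifier.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: hypothetical export of the non-authenticated role's rules.
SAMPLE_RULES = [
    {"action": "allow", "proto": "udp", "port": 67, "net": "0.0.0.0/0"},       # DHCP
    {"action": "allow", "proto": "udp", "port": 53, "net": "0.0.0.0/0"},       # DNS
    {"action": "allow", "proto": "tcp", "port": 443, "net": "192.0.2.10/32"},  # FF-ECP
    {"action": "redirect", "proto": "tcp", "port": 80, "net": "0.0.0.0/0"},
    {"action": "redirect", "proto": "tcp", "port": 443, "net": "0.0.0.0/0"},
]
SAMPLE_URL = "https://192.0.2.10/portal"  # constructed Redirection URL

def lint_role(rules, redirection_url):
    """Return a list of findings; an empty list means the role passes."""
    findings = []
    nets = [(r, ipaddress.ip_network(r["net"], strict=False)) for r in rules]

    def allowed(proto, port, addr=None):
        # True if an allow rule matches proto/port and, if given, contains addr.
        return any(r["action"] == "allow" and r["proto"] == proto
                   and r["port"] == port and (addr is None or addr in n)
                   for r, n in nets)

    if not allowed("udp", 67):  # server port only, a simplification
        findings.append("DHCP (udp/67) is not allowed")
    if not allowed("udp", 53):
        findings.append("DNS (udp/53) is not allowed")

    url = urlsplit(redirection_url)
    port = url.port or (443 if url.scheme == "https" else 80)
    try:
        portal = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        findings.append("Redirection URL host is a name; resolve it and re-run")
    else:
        if not allowed("tcp", port, portal):
            findings.append(f"no allow rule covers portal {portal}:{port}")

    redirects = [n for r, n in nets if r["action"] == "redirect"]
    if not redirects:
        findings.append("no HTTP(S) redirection rule")
    for n in redirects:
        if n.version == 6:  # redirection cannot use IPv6 classifiers
            findings.append(f"redirect rule uses IPv6 classifier {n}")
    return findings

if __name__ == "__main__":
    print(lint_role(SAMPLE_RULES, SAMPLE_URL) or "role passes")
```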