About This Guide
- Intended Audience
- How to Use This Guide
- Safety Information
- Sicherheitshinweise
- Consignes De S??curit??
- Text Conventions
- Providing Feedback to Us
- Getting Help
- Related Publications
Overview of the ExtremeWireless Solution
- Introduction
  - The ExtremeWireless Appliance
- Conventional Wireless LANs
- Elements of the ExtremeWireless Solution
  - Extreme Networks Extreme Management Center Integration
- ExtremeWireless and Your Network
- ExtremeWireless Appliance Product Family
Configuring the ExtremeWireless Appliance
- System Configuration Overview
- Logging on to the ExtremeWireless Appliance
- Wireless Assistant Home Screen
- Working with the Basic Installation Wizard
- Configuring the ExtremeWireless Appliance for the First Time
- Using a Third-party Location-based Solution
  - Configuring Location-Based Services
- Additional Ongoing Operations of the System
Configuring the ExtremeWireless APs
- Wireless AP Overview
- Discovery and Registration
- AP3916ic Integrated Camera Deployment
  - Camera Direct Stream Subscription
  - AP3916ic-Camera Web User Interface
    - Accessing the Camera Web User Interface
    - Camera UI Basic Functions
- Wireless AP Default Configuration
  - Configuring the Default Wireless AP Settings
- Configuring Wireless AP Properties
- Assigning Wireless AP Radios to a VNS
  - Assigning WLAN Services to Wired Client Ports
- Configuring Wireless AP Radio Properties
- Configuring IoT Properties
- Setting Up the Wireless AP Using Static Configuration
  - Configuring VLAN Tags for Wireless APs
- Setting Up 802.1x Authentication for a Wireless AP
- Configuring Co-Located APs in Load Balance Groups
- Configuring an AP Cluster
- Configuring an AP as a Guardian
- Configuring a Captive Portal on an AP
  - Configuring Firewall Friendly External Captive Portal on an AP
  - Controlling Network Access on the AP
- Performing AP Software Maintenance
- Understanding the ExtremeWireless LED Status
Configuring Topologies
- Topology Overview
- Configuring the Admin Port
- Configuring a Basic Data Port Topology
  - Configuring a Basic Topology
- Creating a Topology Group
- Edit or Delete a Topology Group
- Enabling Management Traffic
- Layer 3 Configuration
- Exception Filtering
- Multicast Filtering
Configuring Roles
- Roles Overview
- Configuring Default VLAN and Class of Service for a Role
- Policy Rules
Configuring WLAN Services
- WLAN Services Overview
- Third-party AP WLAN Service Type
- Configuring a Basic WLAN Service
  - Advanced WLAN Service Configuration
- Configuring Privacy
- Configuring Accounting and Authentication
- Configuring QoS Modes
  - Defining the DSCP and Service Classifications
- Configuring Hotspots
  - To Configure a New Hotspot
Configuring a VNS
- Configuring a VNS
  - Controller Defaults
- VNS Global Settings
- Methods for Configuring a VNS
- Manually Creating a VNS
  - Creating a VNS Manually
- Creating a VNS Using the Wizard
- Enabling and Disabling a VNS
- Renaming a VNS
- Deleting a VNS
Configuring Classes of Service
- Classes of Service Overview
- Configuring Classes of Service
- CoS Rule Classification
- Priority and ToS/DSCP Marking
  - Configuring ToS/DSCP Marking
- Rate Limiting
Configuring Sites
- VNS Sites Overview
- Configuring Sites
- Recommended Deployment Guidelines
  - Defining Roles, CoS, and RADIUS Servers for Local RADIUS Authentication
- Radius Configuration
- Selecting AP Assignments
- Selecting WLAN Assignments
Working with a Mesh Network
- About Mesh
- Simple Mesh Configuration
- Wireless Repeater Configuration
- Wireless Bridge Configuration
- Examples of Deployment
- Mesh WLAN Services
  - Mesh Setup with a Single Mesh WLAN Service
  - Mesh Setup with Multiple Mesh WLAN Services
- Key Features of Mesh
- Deploying the Mesh System
- Changing the Pre-shared Key in a Mesh WLAN Service
Working with a Wireless Distribution System
- About WDS
- Simple WDS Configuration
- Wireless Repeater Configuration
- Wireless Bridge Configuration
- Examples of Deployment
- WDS WLAN Services
  - WDS Setup with a Single WDS WLAN Service
  - WDS Setup with Multiple WDS WLAN Services
- Key Features of WDS
- Deploying the WDS System
- Changing the Pre-shared Key in a WDS WLAN Service
Availability and Session Availability
- Availability
- Session Availability
  - Events and Actions in Session Availability
  - Enabling Session Availability
- Viewing SLP Activity
Configuring Mobility
- Mobility Overview
- Mobility Domain Topologies
- Configuring a Mobility Domain
  - Designating a Mobility Manager
  - Designating a Mobility Agent
Working with Third-party APs
- Defining Authentication by Captive Portal for the Third-party AP WLAN Service
- Defining the Third-party APs List
- Defining Policy Rules for the Third-party APs
Working with ExtremeWireless Radar
- Radar Overview
- Radar Components
- Radar License Requirements
  - AP Limitations
- Radar Scan Profiles
  - In-Service Scan Profiles
  - Guardian Scan Profiles
- Enabling the Analysis Engine
- Viewing Existing Scan Profiles
- Adding a New Scan Profile
- Configuring an In-Service Scan Profile
- Configuring a Guardian Scan Profile
- Maintaining the Radar List of APs
- Working with Radar Reports
Working with Location Engine
- Location Engine Overview
- Location Engine on the Controller
- Deploying APs for Location Aware Services
- Configuring the Location Engine
Working with Reports and Statistics
- Application Visibility and Device ID
- Viewing AP Reports and Statistics
- Viewing All Clients
  - Displaying Client Details
    - Client Search Facility
    - Viewing Client MAC and OUI
- Viewing Role Filter Statistics
- Viewing Topology Reports
- Viewing Mobility Reports
- Viewing Controller Status Information
- Viewing Routing Protocol Reports
- Viewing RADIUS Reports
- Call Detail Records (CDRs)
Performing System Administration
- Performing Wireless AP Client Management
  - Adding Clients to a Blacklist
- Defining Wireless Assistant Administrators and Login Groups
  - Modifying Admin Password
  - Removing Administrator
Logs, Traces, Audits and DHCP Messages
- ExtremeWireless Appliance Messages
- Working with Logs
- Viewing Wireless AP Traces
- Viewing Audit Messages
- Viewing the DHCP Messages
- Viewing the NTP Messages
- Viewing Software Upgrade Messages
- Viewing Configuration Restore/Import Messages
Working with GuestPortal Administration
- About GuestPortals
- Adding New Guest Accounts
- Enabling or Disabling Guest Accounts
- Editing Guest Accounts
- Removing Guest Accounts
- Importing and Exporting a Guest File
- Viewing and Printing a GuestPortal Account Ticket
- Working with the Guest Portal Ticket Page
- Configuring Guest Password Patterns
  - To Configure a Guest Password Pattern
- Configuring Web Session Timeouts
Regulatory Information
- ExtremeWireless APs 37XX , 38XX, and 39XX
Default GuestPortal Ticket Page
- Example Ticket Page
  - Placeholders Used in the Default GuestPortal Ticket Page
  - Default GuestPortal Ticket Page Source Code

Configuring External and Mode 802.1 Captive Portal

Captive Portal Page for External and 802.1x Modes

Graphics/captive_portal_http_redirect.png

External Captive Portal Page - Fields and Buttons

Field/Button	Description
Session Control Interface
EWC Connection	In the drop-down list, click the IP address of the external Web server. and then enter the port of the controller. If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and filtering.
Enable HTTPS support	Select Enable https support if you want to enable HTTPS support (TLS/SSL) for this external captive portal. This has no impact on the traffic exchanged between users‘ browsers and the External Captive Portal. When enabled, this option protects the session control traffic between the external captive portal and the controller from being read by a third party. This is particularly useful when a dedicated network management VLAN (Virtual LAN) is unavailable to carry the session control traffic. For more information, see the Integration Guide.
Encryption	Select the data encryption to use. Options are: None—no encryption is performed. If the HTTPS option is not enabled, session control messages are sent in plain text over the network. Legacy—both the ECP and the controller are expected to use simple message encryption based on MD5 (Message-Digest algorithm 5). Frames are encrypted by Xoring session control message payload with a keystream generated from an MD5 hash of a shared key. This is a weak encryption algorithm and is only supported for backward compatibility. If encryption is needed, consider using the option below. AES—session control messages sent by the controller and ECP are encrypted with the “Advanced Encryption Standard” based on the Rijndael cipher. AES encryption is considerably more secure than legacy encryption. If encryption is enabled then a shared key must be entered. Note: Using the encryption option has one advantage over using the HTTPS option alone. When HTTPS is enabled, the ECP can authenticate the controller‘s certificate, but the controller does not ask the client to provide one. Consequently, HTTPS does not prevent unauthorized users from sending messages to the session control interface. Because the encryption option is based on a shared key, the encryption provides a form of authentication. If the controller can decrypt the payload of a session control message, then it is has reason to believe the message came from the external captive portal.
Shared Secret	Type the password common to both the controller and the external web server if you want to encrypt the information passed between the controller and the external web server. If encryption is enabled then a shared key must be entered. A shared key is a string that both the controller and the ECP use to encrypt and decrypt session control messages. The shared key must be between 16 and 64 characters long. For better security, use a long key composed of randomly selected characters.
Redirection URL	The Redirection URL field contains the URL to which the controller will redirect all blocked, unauthenticated HTTP traffic on this WLAN Service, or traffic that has been explicitly configured for redirection, depending on your configuration. This should be the URL of the page that will prompt the user to authenticate. If using host name rules, the redirection url can be the configured host name. The redirected browser will issue a “get” to the ECP for this URL. The “Redirection URL”: Can begin with “http://” or “https://”. Must end with a “?” or “&”. Use “&” if the base URL contains some query strings. Note: The Redirection URL does not support IPv6.
Add EWC IP & Port to redirection URL	The Add HWC IP & Port to redirection URL option is useful if the external captive portal serves more than one controller. An ECP must send its session control messages to the controller hosting the controlled session. If an ECP serves more than one controller, then the Add HWC IP & Port to redirection URL option must be used to identify the source of the redirection. The ECP should store the controller address and port with the token and other session details so that it is available throughout the authentication process.
Special
ToS override for NAC	Allows for ToS marking results in redirection to a captive portal via a NAC server.
Close	Click to save your changes and close this page.
Cancel	Click to discard the configuration

Note

You must add a role rule to the non-authenticated filter that allows access to the external Captive Portal site. For more information, see Policy Rules.

Published May 2017prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback

Configuring External and Mode 802.1 Captive Portal

Related Topics