This task describes how to configure a Firewall Friendly External Captive Portal.
ExtremeWireless offers a scalable external captive portal (ECP) solution on the AP that can be managed locally or through a Cloud solution, in addition to the controller-based ECP. The following table illustrates the WLAN (Wireless Local Area Network) redirection configuration options for the AP and the controller. Each setting is identified as mandatory or optional for redirection on the AP or on the controller. For more information about configuring ECP on an AP, see Configuring a Captive Portal on an AP.

Field/Button | Description | Redirection at the AP | Redirection at the Controller |
---|---|---|---|
Redirect to External Captive Portal | | | |
Identity | Type the name common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. | Mandatory. Required for signing the redirected URL. If you do not configure the Identity, the redirector on the AP drops the traffic. | Optional |
Shared Secret | Type the password common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. | Mandatory. Required for signing the redirected URL. If you do not configure the Shared Secret, the redirector on the AP drops the traffic. | Optional |
Redirection URL | Type the URL to which the wireless device user will be directed after authentication. Note: Ensure the request does not exceed the browser character limit. Older browsers limit requests to 255 characters. Newer browsers allow up to 2048 characters. The Redirection URL does not support IPv6. | Mandatory | Mandatory |
EWC IP and Port | IP address and Port number | Mandatory. By default, this option is enabled. The IP address and port of the AP are always URL parameters. A deployment will have multiple APs. The IP address and port communicate to the External Captive Portal through the client, identifying which AP is redirecting the client. | Optional. This option is not required when the deployment includes only one controller. However, we recommend enabling this option when the deployment includes multiple controllers. |
Replace EWC IP with EWC FQDN | Use controller's Fully-Qualified Domain Name instead of IP address. | Not supported | Optional. You can enable this setting if the deployment uses a single controller. |
AP Name and Serial Number | Name and Serial Number of AP | N/A. AP has this information locally. | Optional |
AP Ethernet MAC | MAC address of the AP | N/A. AP has this information locally. | Optional |
AP Location | Text string used to describe physical AP location. | Optional | Optional |
Associated BSSID | Associated BSSID of AP | N/A. AP has this information locally. | Optional |
VNS Name | Virtualized Network Service Name | Optional. For non-site deployments, the VNS Name is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. | Optional |
SSID | Service Set Identifier | N/A. AP has this information locally. | Optional |
Station MAC Address | Media Access Control Address | N/A. AP has this information locally. | Optional |
Currently Assigned Role | | Optional. For non-site deployments, the Assigned Role is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. | Optional |
Containment VLAN (Virtual LAN) of Assigned Role | | Optional. For non-site deployments, the Assigned Role is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. | Optional |
Timestamp | Timestamp (in UTC) | Mandatory. The timestamp (in UTC) is always included, because it prevents replay attacks of a recorded redirected URL. The AP must have access to UTC time, which is provided by the controller. | Optional |
Signature | | Optional. Signature is included when full authentication is employed. If configuring a RADIUS authentication server, clear the Signature checkbox. The Signature option is the flag that indicates how authentication is achieved. | Optional |
Redirect From External Captive Portal | | | |
Use HTTPS for Users Connections | Select this option to use HTTPS instead of HTTP. The default state will be set for HTTPS. This applies to both new WLAN Services and WLAN Services that existed prior to upgrading to V9.15 and later. | Optional. The AP presents a self-signed certificate that triggers a warning page in most browsers. The AP does not support installing signed certificates from a trusted certificate authority. | Optional |
Send Successful Login to: | Select the IP address of the external Web server, and then enter the port of the controller. | Mandatory. The session management page can contain a link to the original URL that was served when it was redirected. The session management page includes a button to terminate the user's session. The only way the client can come directly to this page is by replaying the redirection URL from the External Captive Portal within the grace period measured by the timestamp. | Optional. The session management page does include a button to terminate the user's session. |
View Sample | Displays an example format of the redirection URL that the controller/AP expects to receive (indirectly) from the ECP. If the WLAN Service is part of a VNS or has a default topology, then the server portion of the URL contains the IP address of the controller/AP. The query string is populated with realistic but fictional data. This information is provided to assist in developing the ECP program. | | |
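
The Identity, Shared Secret, Timestamp and Signature rows together describe a signed, time-limited redirect URL. The following sketch is an added example, not code from the product or its documentation, showing how an ECP program could sign and verify such a URL. The parameter names (`identity`, `ts`, `sig`), the HMAC-SHA256 scheme and the 300-second grace period are assumptions for illustration and do not reproduce the actual wire format; use View Sample for the real format.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumptions (hypothetical, not the product's format): parameter names
# "identity", "ts", "sig"; HMAC-SHA256 over the sorted query string;
# a 300 s grace period.
GRACE_SECONDS = 300
MAX_URL_LEN = 2048  # browser limit noted in the Redirection URL row


def _canonical(items):
    """Sorted, URL-encoded query string, excluding the signature itself."""
    return urlencode(sorted((k, v) for k, v in items if k != "sig"))


def _mac(secret, items):
    return hmac.new(secret, _canonical(items).encode(), hashlib.sha256).hexdigest()


def sign_redirect(base_url, params, identity, secret, now):
    """Build a signed redirect URL carrying identity and a UTC timestamp."""
    items = list(params.items()) + [("identity", identity), ("ts", str(int(now)))]
    url = f"{base_url}?{_canonical(items)}&sig={_mac(secret, items)}"
    if len(url) > MAX_URL_LEN:
        raise ValueError("redirect URL exceeds browser character limit")
    return url


def verify_redirect(url, secrets, now):
    """Return (ok, reason). `secrets` maps identity -> shared secret (bytes)."""
    if len(url) > MAX_URL_LEN:
        return False, "too long"
    items = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    fields = dict(items)
    secret = secrets.get(fields.get("identity", ""))
    sig = fields.get("sig")
    if secret is None or sig is None:
        # Mirrors the table: without Identity/Shared Secret, traffic is dropped.
        return False, "unsigned or unknown identity"
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(_mac(secret, items).encode(), sig.encode()):
        return False, "bad signature"
    try:
        age = now - int(fields["ts"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(age) > GRACE_SECONDS:
        # A recorded URL is only usable inside the grace period.
        return False, "stale timestamp"
    return True, "ok"
```

Both sides must share UTC time for the grace-period check to hold, which is why the table notes that the AP obtains UTC from the controller.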