Wireless (General)


 wireless BYOD web portal configuration

froggy posted 09-24-2021 13:46


We will be replacing our current wireless infrastructure with Extreme products (for wireless controllers we will be using XCC, Extreme XMC, and a couple of Extreme engines for NAC). We are trying to come up with a solution to allow our staff to connect to one of our SSIDs with their personal devices for internet access only, not internal access. We are currently allowing them to use their AD account to connect to our secure WLAN, and we have a rule that puts them on the outside VLAN for internet access only if they use their account to connect. I know we can keep using the same method, where if they use their AD account to connect it puts them outside, and also limit who can connect, but we are looking into using the captive portal - authenticated users option instead, to possibly use their work email to get a verification code to connect after being sponsored. We would like to have one public SSID for our guests with captive portal, which we have configured already, and we want another SSID with captive portal for our staff, with a way for us to either allow or reject their request and also a way to monitor the accounts that connect to this SSID. The only document I could find with instructions is for ExtremeCloud IQ.

Ovais Qayyum


This sounds like a Guest Registration with either OTP or Sponsored Access use case. There are a couple of ways you can achieve this:


1- In the first method, users connect to a Guest SSID and see a splash portal with a registration form; one of the fields in the registration form can be the email address, which is mandatory. The same splash page also has a list of sponsors, and the user selects one of them. The sponsor gets a network access request email with a link that allows them to either Allow/Deny the request.

2- The second method is similar to the first one except instead of selecting a sponsor on the registration portal, users will provide their mobile/email (whichever is set to be the preferred way of delivering the OTP), submit the request and receive the unique OTP code via SMS/Email. Use the OTP to log into the network. 



Assuming that you have XCC already added into the NAC, if not, please add it to the XMC and NAC.

1- Allow External Captive Portal on the SSID, point to your NAC IP/FQDN (this is where the splash page is hosted), set the AAA policy and point both the RADIUS authentication and accounting servers to the NAC. Make sure the “Shared secret” matches the one on the NAC; NAC uses a default shared secret of “ETS_TAG_SHARED_SECRET”.


2- On the NAC, enable Captive Portal by following below instructions:

  1. In Extreme Management Center click Control --> Access Control --> Configuration --> Captive Portals --> Default
  2. Click on "Website Configuration"
  3. Enable desired portal
  4. The system will automatically configure an "Unregistered" rule as a catch all and necessary rules for proper captive portal authentication.


3- To enable Sponsored Login, navigate to the Guest Registration page and configure it as follows. Fill in the Admin Sponsor Email accordingly. The Sponsor Email Field provides a few different options; choose the one that fits your needs. Specify the email IDs of the sponsors in the Predefined Sponsors text box. Make sure to Save and Enforce for the changes to take effect.


4- On the XCC, make sure the AP Profile in Device Group has the “Unregistered” and “Guest Access” roles selected.


You can find user details in the NAC “End Systems” tab. This information includes user data such as name, email address, etc. and can be downloaded in CSV file format.

Let me know how it goes.



froggy

Hello, thank you very much for the instructions and screenshots, I think this is just what I need. I will give this a try and let you know. Just a question: is the FQDN necessary or can I use the IP address of the wireless NAC, and is the identity field needed (and what info do I need to add there if needed)?


Thanks again for your time!

Ovais Qayyum


You can use the IP address of the NAC instead of the FQDN; the identity and Shared Secret fields are not necessary. When you use the NAC IP address in the ECP URL field, make sure to disable FQDN in the NAC’s Captive Portal settings, else the portal won’t load.

Additionally, I would recommend that you use HTTPS instead of HTTP in the ECP URL and enable HTTPS connections in the SSID settings. Likewise, enable the HTTPS-based portal on the NAC. Otherwise most mobile client devices will throw security exception errors.
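The settings the two answers above ask to keep consistent (HTTPS on the ECP URL, the SSID and the NAC portal; IP address versus FQDN; a matching RADIUS shared secret; the two roles on the AP Profile) can be checked before rollout. The Python below is an added example, not part of the original posts or of Extreme's tooling: the dictionary keys, `lint_portal_settings` and the sample records are hypothetical and constructed, with values assumed to be transcribed by hand from the XCC and NAC screens. Treating the default shared secret as a finding is this example's assumption, not a statement from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_NAC_SECRET = "ETS_TAG_SHARED_SECRET"  # NAC default quoted in the thread
REQUIRED_ROLES = {"Unregistered", "Guest Access"}

def host_is_ip(host):
    """True when the ECP URL host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_portal_settings(s):
    """Return findings for one hand-transcribed settings record (hypothetical keys)."""
    findings = []
    url = urlsplit(s["ecp_url"])
    if url.scheme != "https":
        findings.append("ECP URL is not HTTPS")
    if not (s["ssid_https_enabled"] and s["nac_https_portal"]):
        findings.append("HTTPS is not enabled on both the SSID and the NAC portal")
    if host_is_ip(url.hostname or "") and s["nac_portal_use_fqdn"]:
        findings.append("ECP URL uses an IP address but FQDN is enabled on the NAC")
    if s["ssid_radius_secret"] != s["nac_radius_secret"]:
        findings.append("RADIUS shared secret differs between XCC and NAC")
    elif s["nac_radius_secret"] == DEFAULT_NAC_SECRET:
        # Assumption of this example: a well-known default secret should be rotated.
        findings.append("RADIUS shared secret is still the NAC default")
    missing = REQUIRED_ROLES - set(s["ap_profile_roles"])
    if missing:
        findings.append("AP Profile is missing roles: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample records (192.0.2.10 is a documentation address).
AS_FIRST_CONFIGURED = {
    "ecp_url": "http://192.0.2.10/",
    "ssid_https_enabled": False,
    "nac_https_portal": True,
    "nac_portal_use_fqdn": True,
    "ssid_radius_secret": DEFAULT_NAC_SECRET,
    "nac_radius_secret": DEFAULT_NAC_SECRET,
    "ap_profile_roles": ["Unregistered"],
}
CORRECTED = dict(AS_FIRST_CONFIGURED, ecp_url="https://192.0.2.10/",
                 ssid_https_enabled=True, nac_portal_use_fqdn=False,
                 ssid_radius_secret="constructed-secret-1",
                 nac_radius_secret="constructed-secret-1",
                 ap_profile_roles=["Unregistered", "Guest Access"])

if __name__ == "__main__":
    for name, rec in (("first", AS_FIRST_CONFIGURED), ("corrected", CORRECTED)):
        print(name, lint_portal_settings(rec) or "no findings")
```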





Eddies

BYOD flow on Chromebook devices is different from other OS. Unlike other OS, where there is no requirement for the endpoints to be pre-registered, the Chromebook devices need to be enrolled to the Google-Suite before they can go through the ISE BYOD flow. The G-Suite admin needs to configure the Chromebook policy on the G-Suite to force installation of the NSA Chrome extension. Also, the G-Suite admin needs to configure WiFi settings on the Google admin console.

Judah

In Single SSID BYOD, only one SSID is used both for onboarding of devices and for later giving full access to the Registered Devices. First, the user connects to the SSID using the user name and password (MSCHAPv2). Once authenticated successfully on ISE, the user gets redirected to the BYOD Portal. Once the Device Registration is done, the end-client downloads the Native Supplicant Assistant (NSA) from ISE. NSA is installed on the end client and downloads the Profile and certificate from ISE.