Extreme Cloud


Configure External Captive Portal in WinG and ExtremeCloud with External Authentication

  • 1.  Configure External Captive Portal in WinG and ExtremeCloud with External Authentication

    Posted 11-26-2018 13:55

    Hi all. Has someone been able to configure the correct parameters in the WinG series in order to redirect the users to authenticate to an external captive portal? The information in the GTAC or Extreme documents is not enough and does not work. Could you share some success case where you can redirect the users to an external portal in the cloud that authenticates them with social networks or forms? I appreciate your contributions and collaboration.


  • 2.  RE: Configure External Captive Portal in WinG and ExtremeCloud with External Authentication

    Posted 11-26-2018 14:18
    Now, I have this working at home, so I know it works. Can you post your config and we will try and debug it?


  • 3.  RE: Configure External Captive Portal in WinG and ExtremeCloud with External Authentication

    Posted 11-26-2018 15:17
    ap7632-8D5ACF#sh running-config
    !
    ! Configuration of AP7632 version 5.9.3.0-018R
    !
    !
    version 2.6
    !
    !
    client-identity-group default
    load default-fingerprints
    !
    ip access-list BROADCAST-MULTICAST-CONTROL
    permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
    permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
    deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
    deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
    deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
    permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
    !
    mac access-list PERMIT-ARP-AND-IPv4
    permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
    permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
    !
    ip snmp-access-list default
    permit any
    !
    firewall-policy default
    no ip dos tcp-sequence-past-window
    no stateful-packet-inspection-l2
    ip tcp adjust-mss 1400
    !
    !
    mint-policy global-default
    !
    wlan-qos-policy default
    qos trust dscp
    qos trust wmm
    !
    radio-qos-policy default
    !
    aaa-policy Guestwifi
    authentication server 1 host 54.152.174.151 secret 0 securewifi
    authentication server 2 host 54.87.147.144 secret 0 securewifi
    accounting server 1 host 54.152.174.151 secret 0 securewifi
    accounting server 2 host 54.87.147.144 secret 0 securewifi
    mac-address-format pair-hyphen case upper attributes all
    !
    dns-whitelist DNSGuest
    permit securewifilogin.com suffix
    permit venuewifi.com suffix
    permit wifistageport.anscoop.com suffix
    permit akamaihd.net suffix
    permit fonts.googleapis.com suffix
    permit cloudfront.net suffix
    permit webhook.site suffix
    permit fbcdn.net suffix
    permit mywifi.io suffix
    permit fonts.gstatic.com suffix
    permit fbstatic-a.akamaihd.net suffix
    permit openweathermap.org suffix
    permit facebook.net suffix
    permit facebook.com suffix
    !
    captive-portal Captivehapu
    inactivity-timeout 1800
    simultaneous-users 100
    webpage-location external
    webpage external login https://wifistageport.anscoop.com/?nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIENT_IP&mac=WI...
    webpage external welcome https://wifistageport.anscoop.com/?res=success&nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIE...
    webpage external fail https://wifistageport.anscoop.com/?res=failure&nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIE...
    webpage external agreement https://wifistageport.anscoop.com/?nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIENT_IP&mac=WI...
    webpage external acknowledgement https://wifistageport.anscoop.com/?res=success&nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIE...
    webpage external registration https://wifistageport.anscoop.com/?nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIENT_IP&mac=WI...
    webpage external no-service https://wifistageport.anscoop.com/?res=failure&nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIE...
    accounting radius
    use aaa-policy Guestwifi
    use dns-whitelist DNSGuest
    webpage internal registration field city type text enable label "City" placeholder "Enter City"
    webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
    webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
    webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
    webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
    webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
    webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
    webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
    webpage internal registration field via-email type checkbox enable title "Email Preferred"
    !
    wlan Guest
    description hapu networks
    ssid Guest-hapu
    vlan 1
    bridging-mode local
    encryption-type none
    authentication-type none
    use captive-portal Captivehapu
    captive-portal-enforcement
    !
    !
    management-policy default
    telnet
    no http server
    https server
    rest-server
    ssh
    user admin password 1 (removed) role superuser access all
    snmp-server community 0 private rw
    snmp-server community 0 public ro
    snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
    snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
    !
    profile ap7632 default-ap7632
    autoinstall configuration
    autoinstall firmware
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto load-management
    crypto remote-vpn-client
    interface radio1
    antenna-mode 2x2
    interface radio2
    antenna-mode 2x2
    interface bluetooth1
    shutdown
    mode le-sensor
    interface ge1
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    ip dhcp client request options all
    interface pppoe1
    use firewall-policy default
    use client-identity-group default
    logging on
    service pm sys-restart
    router ospf
    adoption-mode controller
    !
    rf-domain Hapu
    timezone America/Bogota
    country-code co
    !
    ap7632 B4-2D-56-8D-5A-CF
    use profile default-ap7632
    use rf-domain Hapu
    hostname ap7632-8D5ACF
    ip default-gateway 192.168.20.1
    interface radio1
    wlan Guest bss 1 primary
    interface radio2
    wlan Guest bss 1 primary
    interface vlan1
    ip address dhcp
    adoption-mode controller
    !
    !
    end
    ap7632-8D5ACF#
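
    A consistency check for a running-config like the one posted above, as an added example that is not part of the original post and is not Extreme's own tooling: it reports hosts used in `webpage external` URLs that the portal's `dns-whitelist` does not permit. It assumes unauthenticated clients can reach only whitelisted hosts and that a `suffix` rule matches the name and its subdomains; the sample config and its hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the flattened layout of the running-config above.
# Portal name and hostnames are placeholders, not values from the thread.
SAMPLE = """\
dns-whitelist DNSGuest
permit portal.example.com suffix
permit cdn.example.net
!
captive-portal GuestCP
webpage-location external
webpage external login https://portal.example.com/?nasid=WING_TAG_AP_MAC
webpage external welcome https://login.example.org/?res=success
use dns-whitelist DNSGuest
!
"""

def parse_blocks(config):
    """Split a '!'-separated running-config into {(keyword, name): [body lines]}."""
    blocks, body = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line == "!":
            body = None                      # '!' closes the current block
        elif body is None:
            keyword, _, name = line.partition(" ")
            body = blocks.setdefault((keyword, name), [])
        else:
            body.append(line)
    return blocks

def whitelist_allows(host, rules):
    """rules is [(name, is_suffix)]. Assumption: 'suffix' matches the name and its subdomains."""
    return any(host == name or (is_suffix and host.endswith("." + name))
               for name, is_suffix in rules)

def uncovered_portal_hosts(config):
    """Map each captive portal to external page hosts its DNS whitelist does not permit."""
    blocks, report = parse_blocks(config), {}
    for (keyword, portal), body in blocks.items():
        if keyword != "captive-portal":
            continue
        rules = []
        for wl in re.findall(r"^use dns-whitelist (\S+)$", "\n".join(body), re.M):
            for parts in (r.split() for r in blocks.get(("dns-whitelist", wl), [])):
                if len(parts) >= 2 and parts[0] == "permit":
                    rules.append((parts[1].lower(), parts[2:3] == ["suffix"]))
        urls = re.findall(r"^webpage external \S+ (\S+)$", "\n".join(body), re.M)
        hosts = {urlsplit(u).hostname for u in urls} - {None}
        report[portal] = sorted(h for h in hosts if not whitelist_allows(h, rules))
    return report

if __name__ == "__main__":
    print(uncovered_portal_hosts(SAMPLE))
```

    An empty list for a portal means every external page host is covered; URLs truncated with "..." still parse, because only the host part is read.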


  • 4.  RE: Configure External Captive Portal in WinG and ExtremeCloud with External Authentication

    Posted 12-20-2018 22:57
    Hi,

    I've encouraged myself to bump the topic up, as I am also trying to get things straight here.
    Based on the Captive Portals manual (https://documentation.extremenetworks.com/ExtremeWireless/WING_5X_CAPTIVE_PORTALS_HTG_TME-12-2012-01_REVA_EN.pdf) I assume it should be like this:
    • Captive Portal Server Mode – Internal (self) or Centralized
    • Access Type – No Authentication
    • Web Page Source – Externally Hosted - URLs for each state just to EAC IP or else?
    Internal (AP does the redirection) would be the easiest with VX but it seems to require adding individual APs to XMC.

    I'm gonna play with this tomorrow, will post my findings but any suggestions that might reduce the time are welcome. ;)

    Kind regards,
    Tomasz