10.11 HTTP Redirection at AP

  • Question
  • Updated 9 months ago
  • Answered
Hi Guys

So I am playing with the new HTTP redirection at the AP (Bridge@AP).

For my test I would like to redirect users to the NAC portal page using a Bridge at AP.
Not sure what I am doing wrong here:
 
I have enabled HTTP Redirection globally:



I have created a redirection role with the following rules:





The user connects and receives an IP, but is never redirected.
If I browse to the "Redirection URL" I do get the NAC Portal Page:


Looking at the note at the bottom of the "Redirection URL":
Note: token=<integer_val>&dest=<original_target_url>&hwcip=<hwc_ip>&hwcport=<hwc_port> will be APPENDED to the redirection URL

This might be the problem....

Any idea??

Andre Brits Kannemeyer


Posted 2 years ago


Gareth Mitchell, Extreme Escalation Support Engineer

Andre

Do you have your portal type set to firewall friendly and the mandatory fields filled in (see page 178 in the user guide)?

I also recommend checking that DNS is working (ping www.extremenetworks.com and make sure that you resolve an IP.)

• Configure the Captive Portal to be External Firewall Friendly. Configure the following parameters on the ECP:
• The Identity and Shared Secret fields are required and must match the values used when you configured the captive portal.
• When configuring the Allow policy for the ECP, the IP/subnet value specified on the Filter Rule Definition dialog must match the Redirection URL value specified on the FFECP Configure dialog.
• Select an option for Send Successful Login To.

-Gareth

Andre Brits Kannemeyer

Hi Gareth

The FFECP only applies to routed or B@EWC topologies.
The new redirect options should allow you to redirect traffic with a Bridge at AP topology.

I have tried to set this and the controller then warns you that it only applies to routed and B@EWC topologies.

Enhanced Access Points (AP38XX/39XX) to directly support redirection and Firewall Friendly External Captive Portal (FFECP) for distributed topologies.

Thx

Gareth Mitchell, Extreme Escalation Support Engineer

Andre

My understanding is that the WLAN service must be of type FFECP (see the manual pages in my first post).

If it is not, and the identity/shared secret fields are not complete, the AP will not redirect.

I would recommend attaching your configs to a case and we will take a look at it. I have it working in the lab on this code; in a wireless trace I see the AP sending an HTTP redirect.

-Gareth

Martin Flammia

Hi,

Been in the process of setting this up myself but been struggling also to get the redirect working. (Think it might be having the redirect firewall rule set to the NAC address instead of 0.0.0.0 as above, as you would traditionally do - will test and post back)

Would it be possible to provide the detail of an exact working configuration that redirects to NAC Captive Portal? The above details 90% of it, but I'm not sure how accurate it is, and some bits are missing, like whether FFECP was required, and its elements.

Are the settings above, all the firewall entries exactly how they should be?

Did this require FFECP in the end to work? What was entered for the mandatory fields, like 'identity' for example (perhaps wireless controller hostname?)

I'm running on code 10.34.x

Many thanks.

Martin Flammia

Have it working, screenshots of the configuration below. I did end up using FFECP but I didn't need to fill in fields except the URL.








Mistakes I made to avoid:
  • Make sure redirect rule is set to 0.0.0.0/0 for HTTP and HTTPS, and not NAC IP (As Above)
  • Make sure you enter NAC IP address in, otherwise you get an 'Internal Error' when redirected (As Above)
  • You don't need to fill out any fields in FFECP config other than URL (As Above)
  • IP 10.199.0.120 is NAC
  • IP 10.114.15.101/32 can be removed, this is a mistake. This was a hangup when originally configured for Bridge@EWC
Thanks.
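
Added example, not part of the original thread and not Extreme's code: a Python check for the redirect described by the note quoted in the question, confirming that a response seen by a test client is a 3xx to the configured Redirection URL with `token`, `dest`, `hwcip` and `hwcport` appended. The function name `check_redirect`, the portal path and the sample parameter values are assumptions made up for illustration; only the NAC IP 10.199.0.120 comes from the thread.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Parameters the controller note says are appended to the Redirection URL.
APPENDED = ("token", "dest", "hwcip", "hwcport")

def _is_int(text):
    return text.isascii() and text.isdigit()

def check_redirect(status, location, portal_url):
    """Return the problems found in one HTTP response seen by a test client.

    An empty list means a 3xx that points at the configured Redirection URL
    with token, dest, hwcip and hwcport appended, as the note describes.
    """
    if status not in (301, 302, 303, 307, 308):
        return [f"status {status} is not a redirect"]
    problems = []
    got, want = urlsplit(location), urlsplit(portal_url)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        problems.append("Location does not point at the configured Redirection URL")
    query = parse_qs(got.query, keep_blank_values=True)
    for name in APPENDED:
        values = query.get(name, [])
        if len(values) != 1 or not values[0]:
            problems.append(f"{name} missing, empty or repeated")
    if problems:
        return problems
    if not _is_int(query["token"][0]):
        problems.append("token is not an integer")
    try:
        ipaddress.ip_address(query["hwcip"][0])
    except ValueError:
        problems.append("hwcip is not an IP address")
    port = query["hwcport"][0]
    if not (_is_int(port) and 0 < int(port) < 65536):
        problems.append("hwcport is not a valid port")
    return problems

# Constructed sample: 10.199.0.120 is the NAC IP from the thread; the path,
# token, hwcip and hwcport values are made up for illustration.
PORTAL = "http://10.199.0.120/placeholder-portal-path"
GOOD = (PORTAL + "?token=1234&dest=http%3A%2F%2Fwww.extremenetworks.com%2F"
        "&hwcip=192.0.2.10&hwcport=443")

if __name__ == "__main__":
    print(check_redirect(302, GOOD, PORTAL))  # working AP redirect
    print(check_redirect(200, "", PORTAL))    # client was never redirected
```

Feed it the status code and `Location` header that a client in the redirection role receives for a plain HTTP request, for example as printed by `curl -sI`.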