B@AP + Captive Portal

  • Question
  • Updated 3 years ago
  • Answered
Hi Everyone!

Is it possible to create an internal captive portal using B@AP?

Here is what I'm thinking:

Non-Authenticated Network - 192.168.30.x - B@EWC (to generate the captive portal)
Authenticated Network1 - 192.168.50.x - B@AP
Authenticated Network2 - 192.168.60.x - B@AP
Authenticated Network3 - 192.168.70.x - B@AP

Will this work properly?

Thanks in advance!
Alex

Posted 3 years ago

Anton Sax
Hi,
I had a setup like this that was working, but there were small differences.

The non-authenticated network was routed VNS - next hop routing.
The authenticated network was B@AP tagged.

I had a separate VLAN so that "guest" traffic was not on my LAN.

In the non-authenticated profile you have to work with policies!

The setup caused problems because the client has to change IP when switching from the non-auth to the auth network. Some clients (iOS, sometimes also Android) have problems with such a setup.
Ronald Dvorak, Embassador
Set the lease time of 192.168.30.X very low so that the clients check the DHCP very fast to detect the new subnet.
Alex
How will the controller change the user from 192.168.30.X (non-auth network) to 192.168.50.X (auth network), since B@AP does not allow Layer 3?

Thanks!
Ronald Dvorak, Embassador
You'd need to have an external DHCP server in the B@AP networks... or a DHCP helper to the DHCP server.
Alex
Thanks Ron!

I will set up an external DHCP server for B@AP networks.
For the B@EWC network (non-auth), can I keep the internal DHCP server (with a very low lease time)?
Ronald Dvorak, Embassador
Yes, that should work.
Anton Sax
The user is redirected to the captive portal, where he has to be authenticated, or on a splash captive portal he has to press ACCEPT.
Then he is an authenticated user.
Doug Hyde, Technical Support Manager
Also note the controller will let the user know that the topology flip happened; they will be instructed to close the browser and open it again to complete the transition.
Scott Van Artsdalen
We had a similar setup for guests. It worked. We kept them in a separate VLAN with access lists so that they could only access Internet resources and local DHCP. The unauthenticated DHCP scope had a very low lease time; then, when they were authenticated, they got an IP address at their local site, B@AP. We forced them to use Google DNS so that there was no need to have them access any internal resources once they got their IP address.
Alex
When you say "very low lease time", how long does that mean?
Alex
For the B@EWC topology, I'm using the controller DHCP server.
How low can I get?
Doug Hyde, Technical Support Manager
The reason why this is done on the initial VLAN: Extreme has no control over the device to re-IP when the topology changes. The device driver has to recognize that it changed subnets and renew its IP. Not all devices do this gracefully, and they can get stuck with the wrong IP. The lower lease timer allows the continuous check from the client. If the old address is no longer available as a result of the switch, the device will re-IP.
Doug Hyde, Technical Support Manager
1 second on the controller's server...
Doug Hyde, Technical Support Manager
Tip: Make sure default and max are both at 1; if not, Apples will ask for 90 days by default and get it if max is at the default setting.
Alex
Thank you so much Doug!
Scott Van Artsdalen
We did 1 second. That's as low as our DHCP server would go.