Question

Configure External Captive Portal in WinG and ExtremeCloud with External Authentication

  • 26 November 2018
  • 3 replies
  • 1093 views

Hi all Has someone been able to configure the correct parameters in the WinG series in order to redirect the users to authenticate to an external captive portal? The information that the GTAC or Extreme documents is not enough and does not work, could you share some success case where you can redirect the users to an external portal in the cloud and that authenticates them with social networks or forms? I appreciate your contributions and collaborations.

3 replies

Userlevel 3
Now I have this working at home so I know it works Can you post your config mad we will try and debug it
ap7632-8D5ACF#sh running-config
!
! Configuration of AP7632 version 5.9.3.0-018R
!
!
version 2.6
!
!
client-identity-group default
load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic"
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic"
!
ip snmp-access-list default
permit any
!
firewall-policy default
no ip dos tcp-sequence-past-window
no stateful-packet-inspection-l2
ip tcp adjust-mss 1400
!
!
mint-policy global-default
!
wlan-qos-policy default
qos trust dscp
qos trust wmm
!
radio-qos-policy default
!
aaa-policy Guestwifi
authentication server 1 host 54.152.174.151 secret 0 securewifi
authentication server 2 host 54.87.147.144 secret 0 securewifi
accounting server 1 host 54.152.174.151 secret 0 securewifi
accounting server 2 host 54.87.147.144 secret 0 securewifi
mac-address-format pair-hyphen case upper attributes all
!
dns-whitelist DNSGuest
permit securewifilogin.com suffix
permit venuewifi.com suffix
permit wifistageport.anscoop.com suffix
permit akamaihd.net suffix
permit fonts.googleapis.com suffix
permit cloudfront.net suffix
permit webhook.site suffix
permit fbcdn.net suffix
permit mywifi.io suffix
permit fonts.gstatic.com suffix
permit fbstatic-a.akamaihd.net suffix
permit openweathermap.org suffix
permit facebook.net suffix
permit facebook.com suffix
!
captive-portal Captivehapu
inactivity-timeout 1800
simultaneous-users 100
webpage-location external
webpage external login https://wifistageport.anscoop.com/?nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIENT_IP&mac=WI...
webpage external welcome https://wifistageport.anscoop.com/?res=success&nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIE...
webpage external fail https://wifistageport.anscoop.com/?res=failure&nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIE...
webpage external agreement https://wifistageport.anscoop.com/?nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIENT_IP&mac=WI...
webpage external acknowledgement https://wifistageport.anscoop.com/?res=success&nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIE...
webpage external registration https://wifistageport.anscoop.com/?nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIENT_IP&mac=WI...
webpage external no-service https://wifistageport.anscoop.com/?res=failure&nasid=WING_TAG_AP_MAC&client_ip=WING_TAG_CLIE...
accounting radius
use aaa-policy Guestwifi
use dns-whitelist DNSGuest
webpage internal registration field city type text enable label "City" placeholder "Enter City"
webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan Guest
description hapu networks
ssid Guest-hapu
vlan 1
bridging-mode local
encryption-type none
authentication-type none
use captive-portal Captivehapu
captive-portal-enforcement
!
!
management-policy default
telnet
no http server
https server
rest-server
ssh
user admin password 1 (removed) role superuser access all
snmp-server community 0 private rw
snmp-server community 0 public ro
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
!
profile ap7632 default-ap7632
autoinstall configuration
autoinstall firmware
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
antenna-mode 2x2
interface radio2
antenna-mode 2x2
interface bluetooth1
shutdown
mode le-sensor
interface ge1
interface vlan1
ip address dhcp
ip address zeroconf secondary
ip dhcp client request options all
interface pppoe1
use firewall-policy default
use client-identity-group default
logging on
service pm sys-restart
router ospf
adoption-mode controller
!
rf-domain Hapu
timezone America/Bogota
country-code co
!
ap7632 B4-2D-56-8D-5A-CF
use profile default-ap7632
use rf-domain Hapu
hostname ap7632-8D5ACF
ip default-gateway 192.168.20.1
interface radio1
wlan Guest bss 1 primary
interface radio2
wlan Guest bss 1 primary
interface vlan1
ip address dhcp
adoption-mode controller
!
!
end
ap7632-8D5ACF#
Userlevel 5
Hi,

I've encouraged myself to bump the topic up, as I also try to get things straight here.
Based on Captive Portals manual (https://documentation.extremenetworks.com/ExtremeWireless/WING_5X_CAPTIVE_PORTALS_HTG_TME-12-2012-01_REVA_EN.pdf) I assume it should be like this:
  • Captive Portal Server Mode – Internal (self) or Centralized
  • Access Type – No Authentication
  • Web Page Source – Externally Hosted - URLs for each state just to EAC IP or else?
Internal (AP does the redirection) would be the easiest with VX but it seems to require adding individual APs to XMC.

I'm gonna play with this tomorrow, will post my findings but any suggestions that might reduce the time are welcome. ;)

Kind regards,
Tomasz

Reply