B@AP + Captive Portal


Userlevel 1
Hi Everyone!

Is it possible to create an internal captive portal using B@AP?

Follow what I'm thinking:

Non-Authenticated Network - 192.168.30.x - B@EWC (to generate the captive portal)
Authenticated Network1 - 192.168.50.x - B@AP
Authenticated Network2 - 192.168.60.x - B@AP
Authenticated Network3 - 192.168.70.x - B@AP

Will this work properly?

Thanks in advance!

17 replies

Userlevel 3
Hi,
I had a setup like this that was working, but there were small differences.

The non-authenticated network was a routed VNS (next-hop routing).
The authenticated network was B@AP tagged.

I had a separate VLAN so that "guest" traffic was not on my LAN.

In the non-authenticated profile you have to work with policies!

The setup made problems because the client has to change IP when switching from the non-auth to the auth network. Some clients (iOS, sometimes also Android) have problems with such a setup.
Userlevel 7
Set the lease time of 192.168.30.X very low so that the clients check DHCP very often to detect the new subnet.
Userlevel 1
How will the controller change the user from 192.168.30.X (non-auth network) to 192.168.50.X (auth network), since B@AP does not allow Layer 3?

Thanks!
Userlevel 7
You'd need to have an external DHCP server in the B@AP networks ..... or DHCP helper to the DHCP server.
Userlevel 1
Ron wrote:

You'd need to have an external DHCP server in the B@AP networks ..... or DHCP helper to the DHCP server.

Thanks Ron!

I will set up an external DHCP server for B@AP networks.
For the B@EWC network (non-auth), can I keep the internal DHCP server (with a very low lease time)?
Userlevel 7
Ron wrote:

You'd need to have an external DHCP server in the B@AP networks ..... or DHCP helper to the DHCP server.

Yes, that should work.
Userlevel 3
The user is redirected to the captive portal where he has to be authenticated or on a splash captive portal he has to press ACCEPT.
Then he is an authenticated user.
Userlevel 7
Also note the controller will let the user know that the topology flip happened, they will be instructed to close the browser and open it again to complete the transition.
We had a similar setup for guests. It worked. We kept them in a separate VLAN with access lists so that they could only access Internet resources and local DHCP. The unauthenticated DHCP scope had a very low lease time; then, when they were authenticated, they got an IP address at their local site, B@AP. We forced them to use Google DNS so that there was no need to have them access any internal resources once they got their IP address.
Userlevel 1
When you say "very low lease time", how long do you mean?
Userlevel 7
Alex wrote:

When you say "very low lease time", how long do you mean?

I would go as low as you can configure; that first B@EWC VLAN is just a placeholder until the user is moved to the B@AP VLANs. On the B@AP VLAN those can have a normal lease (days).
Userlevel 1
Alex wrote:

When you say "very low lease time", how long do you mean?

For the B@EWC topology, I'm using the controller's DHCP server.
How low can I get?
Userlevel 7
Alex wrote:

When you say "very low lease time", how long do you mean?

The reason why this is done on the initial VLAN: Extreme has no control over the device to re-IP when the topology changes. The device driver has to recognize that it changed subnets and renew its IP. Not all devices do this gracefully, and they can get stuck with the wrong IP. The lower lease timer allows the continuous check from the client. If the old address is no longer available as a result of the switch, the device will re-IP.
Userlevel 7
Alex wrote:

When you say "very low lease time", how long do you mean?

1 second on the controllers server...
Userlevel 7
Alex wrote:

When you say "very low lease time", how long do you mean?

Tip: Make sure default and max are both at 1; if not, Apples will ask for 90 days by default and get it if max is at the default setting.
Userlevel 1
Alex wrote:

When you say "very low lease time", how long do you mean?

Thank you so much Doug!
We did 1 second. That's as low as our DHCP server would go.
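To make the mechanism Doug describes concrete (the client only notices the topology flip when it next talks to DHCP, and a client-requested lease is only capped by the scope's max setting), here is a small simulation. It is an added example, not code from the thread, from Extreme Networks or from the controller; the scope names, the 192.168.30.0/24 and 192.168.50.0/24 ranges from the original question, the "client asks for 90 days" behaviour, the renewal timer T1 = lease/2, and the leftover max-lease value of 86400 s are all constructed for illustration.

```python
"""
Toy model of DHCP re-addressing after a captive-portal topology flip.

A client parked on the pre-auth VLAN keeps its lease until its renewal timer
fires; only then does the server reject the old address (DHCPNAK) and hand
out one from the authenticated VLAN's scope.  Added example with constructed
values; not the controller's actual DHCP implementation.
"""
import ipaddress
import math
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Scope:
    """One DHCP scope: default lease for clients that ask for nothing and a
    max lease that caps whatever a client requests in option 51."""
    network: ipaddress.IPv4Network
    default_lease: int      # seconds
    max_lease: int          # seconds
    next_host: int = 10     # constructed: first host offset handed out

    def grant_lease(self, requested: Optional[int]) -> int:
        # Lowering only 'default' does not help a client that names its own
        # lease length; 'max' is what actually caps it.
        if requested is None:
            return self.default_lease
        return min(requested, self.max_lease)

    def allocate(self) -> str:
        ip = str(self.network.network_address + self.next_host)
        self.next_host += 1
        return ip


class DhcpServer:
    """Server holding one scope per VLAN (topology name is the key)."""

    def __init__(self, scopes: dict) -> None:
        self.scopes = scopes

    def discover(self, vlan: str, requested: Optional[int]) -> Tuple[str, int]:
        scope = self.scopes[vlan]
        return scope.allocate(), scope.grant_lease(requested)

    def renew(self, vlan: str, ip: str, requested: Optional[int]) -> Tuple[str, Optional[str], int]:
        """DHCPREQUEST from a RENEWING client.  After the flip the request
        arrives on the authenticated VLAN, whose scope does not contain the
        old address, so the server answers DHCPNAK."""
        scope = self.scopes[vlan]
        if ipaddress.ip_address(ip) in scope.network:
            return "ACK", ip, scope.grant_lease(requested)
        return "NAK", None, 0


def simulate_flip(server: DhcpServer, requested_lease: Optional[int],
                  pre_vlan: str, post_vlan: str, flip_at: float) -> dict:
    """Client joins pre_vlan at t=0; the portal moves it to post_vlan at
    t=flip_at.  Returns the old/new addresses and the seconds between the
    flip and the client obtaining its new address (T1 modelled as lease/2)."""
    ip, lease = server.discover(pre_vlan, requested_lease)
    t1 = lease / 2
    t_renew = math.ceil(flip_at / t1) * t1          # first renewal after the flip
    status, _, _ = server.renew(post_vlan, ip, requested_lease)
    assert status == "NAK"                           # old address is refused
    new_ip, new_lease = server.discover(post_vlan, requested_lease)
    return {"old_ip": ip, "old_lease": lease, "new_ip": new_ip,
            "new_lease": new_lease, "reip_delay": t_renew - flip_at}


def build_server(guest_max_lease: int) -> DhcpServer:
    """Constructed scopes: pre-auth guest VLAN with a 1 s default lease and a
    configurable max; authenticated B@AP VLAN with day-long leases."""
    return DhcpServer({
        "guest": Scope(ipaddress.ip_network("192.168.30.0/24"), 1, guest_max_lease),
        "auth1": Scope(ipaddress.ip_network("192.168.50.0/24"), 172800, 604800),
    })


if __name__ == "__main__":
    ninety_days = 90 * 86400
    for guest_max in (1, 86400):
        r = simulate_flip(build_server(guest_max), ninety_days, "guest", "auth1", 30.3)
        print(f"guest max={guest_max:>6}s  lease granted={r['old_lease']:>6}s  "
              f"re-IP after flip in {r['reip_delay']:.1f}s  -> {r['new_ip']}")
```

Running it shows the two cases from Doug's tip side by side: with both default and max at 1 s the client asking for 90 days gets 1 s and re-IPs within half a second of the flip, while with max left at a larger leftover value the same client keeps its 192.168.30.x address for hours.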
