Header Only - DO NOT REMOVE - Extreme Networks

Extreme Wireless Controller Redirect to External Captive Portal


Userlevel 3
Hi Extreme experts,

I have a question regarding (Firewall friendly) External Captive Portal Redirection.

First my goal:
I need to integrate the Extreme Wireless Controller into an external Captive Portal System.
- The Portal System first needs a MAC Authentication Request via RADIUS (like Extreme NAC) - which is accepted.
- The Portal expects a URL-Request: "https://[i]:8443/ahsfasdzfgfaszdfd&mac=00-11-22-33-44-55" where 00-11-22-33-44-55 is the MAC of the Client.

The Extreme Wireless Controller should do the following:
1) Send MAC Authentication Request to Portal-System
2) Redirect any HTTP/HTTPS request to "https://[i]:8443/ahsfasdzfgfaszdfd&mac=00-11-22-33-44-55"
3) After successfull authentication the Role of the client should be changed via RADIUS-CoA.

What I tried is the Firewall Friendly External Captive Portal with the following settings:




But unfortunately that configuration does not work.
1) If MAC Authentication is enabled no redirection is performed (The return Policy role is identical to the Unauthenticated Role in VNS settings). If I disable the MAC Authentication on the WLAN Service URL-Redirection is performed but with unexpected attributes:



Is there any way to disable the unwanted attributes dst, token and wlan?
How can I perform MAC Authentication and Redirection?

Any ideas?

Best Regards
Michael

9 replies

Userlevel 4
How to you have your policies setup roles? You have to makes sure that this information is allowed based on your policy.

If you go to VNS > Roles > [u]

Verify that the services that you need to pass are allowed. Also please do not forget that the rules are run from top to bottom, so placement of your allows and denies are key

Please let me know if this does or does not work so I can assist further 🙂
Userlevel 3
Joseph Burnsworth wrote:

How to you have your policies setup roles? You have to makes sure that this information is allowed based on your policy.

If you go to VNS > Roles > [u]

Verify that the services that you need to pass are allowed. Also please do not forget that the rules are run from top to bottom, so placement of your allows and denies are key

Please let me know if this does or does not work so I can assist further 🙂

Hi Joseph,

first - thanks for your advice. I double checked bute unfortunately all necessary traffic is allowed.

In fact

I allow ARP, BootP, DNS, IP to WLC, IP to Portal and deny the rest

Should be enough and the Role works if I do no MACAuth.

Thanks

Michael
Userlevel 4
Joseph Burnsworth wrote:

How to you have your policies setup roles? You have to makes sure that this information is allowed based on your policy.

If you go to VNS > Roles > [u]

Verify that the services that you need to pass are allowed. Also please do not forget that the rules are run from top to bottom, so placement of your allows and denies are key

Please let me know if this does or does not work so I can assist further 🙂

You are very welcome. I just had a thought. Is this a virtual controller or a physical controller?

The reason I ask is, now that I am thinking about it I had a similar issue with guest in the past. it ended up being the port group security on the VSwitch in VMWare. If it is indeed a virtual controller and in VMWare, can you verify that the security settings look like this for that particular port group?



Otherwise, VMWare won't let the MAC through
Userlevel 6
Hi

Firstly if you haven't already I would recommend you study the guide found in this article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-a-Firewall-Friendly-External-Captive-Portal-on-the-IdentiFi-Appliance

It would be interesting to note the state of the client in the report after MBA (MAC based auth) has completed, in the left column is a padlock that indicates the various states the client is in, hanging your mouse over the padlock will give further details of the state.

As you will see in the guide, the unwanted attributes you inquired about are mandatory.

As Joseph said, check that your rule allows the client to reach the external web server on the ports you have configured, along with having dns/dhcp working and denying everything else.

I would also consider working on getting the authentication piece working first, then add in the MBA.

-Gareth
Userlevel 3
Gareth Mitchell wrote:

Hi

Firstly if you haven't already I would recommend you study the guide found in this article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-a-Firewall-Friendly-External-Captive-Portal-on-the-IdentiFi-Appliance

It would be interesting to note the state of the client in the report after MBA (MAC based auth) has completed, in the left column is a padlock that indicates the various states the client is in, hanging your mouse over the padlock will give further details of the state.

As you will see in the guide, the unwanted attributes you inquired about are mandatory.

As Joseph said, check that your rule allows the client to reach the external web server on the ports you have configured, along with having dns/dhcp working and denying everything else.

I would also consider working on getting the authentication piece working first, then add in the MBA.

-Gareth

Hi Gareth,

thanks a lot for your provided information. I checked the document and see that the unanwanted attributes are mandatory.

Do you see any chance to realize the requirement of the portal system?

Requirement is to redirect to a url like: https://%3cip/DNS%3E:8443/ahsfasdzfgfaszdfd&mac=001122334455

? -> Without token, ect.

Or would that be a feature request?

With best Regards

Michael
Userlevel 6
Gareth Mitchell wrote:

Hi

Firstly if you haven't already I would recommend you study the guide found in this article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-a-Firewall-Friendly-External-Captive-Portal-on-the-IdentiFi-Appliance

It would be interesting to note the state of the client in the report after MBA (MAC based auth) has completed, in the left column is a padlock that indicates the various states the client is in, hanging your mouse over the padlock will give further details of the state.

As you will see in the guide, the unwanted attributes you inquired about are mandatory.

As Joseph said, check that your rule allows the client to reach the external web server on the ports you have configured, along with having dns/dhcp working and denying everything else.

I would also consider working on getting the authentication piece working first, then add in the MBA.

-Gareth

Hi Michael

To strip these values would require you to submit a feature request.

In your URL, what does the string ahsfasdzfgfaszdfd actually refer to?

-Gareth
Userlevel 3
Gareth Mitchell wrote:

Hi

Firstly if you haven't already I would recommend you study the guide found in this article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-a-Firewall-Friendly-External-Captive-Portal-on-the-IdentiFi-Appliance

It would be interesting to note the state of the client in the report after MBA (MAC based auth) has completed, in the left column is a padlock that indicates the various states the client is in, hanging your mouse over the padlock will give further details of the state.

As you will see in the guide, the unwanted attributes you inquired about are mandatory.

As Joseph said, check that your rule allows the client to reach the external web server on the ports you have configured, along with having dns/dhcp working and denying everything else.

I would also consider working on getting the authentication piece working first, then add in the MBA.

-Gareth

Hi Gareth

"ahsfasdzfgfaszdfd" is just a place holder for a static reference. The portal system in this case can handle multiple mandators, so for each portal a spespific mandadtor reference needs to be included in the redirect URL - but that reference is static.

Best Regards

Michael
Userlevel 6
Gareth Mitchell wrote:

Hi

Firstly if you haven't already I would recommend you study the guide found in this article: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-a-Firewall-Friendly-External-Captive-Portal-on-the-IdentiFi-Appliance

It would be interesting to note the state of the client in the report after MBA (MAC based auth) has completed, in the left column is a padlock that indicates the various states the client is in, hanging your mouse over the padlock will give further details of the state.

As you will see in the guide, the unwanted attributes you inquired about are mandatory.

As Joseph said, check that your rule allows the client to reach the external web server on the ports you have configured, along with having dns/dhcp working and denying everything else.

I would also consider working on getting the authentication piece working first, then add in the MBA.

-Gareth

Michael

Could you not, for example, use the VNS name attribute as an identifier?

At this point I would probably recommend you get a case opened for this so we can track it and make sure we are fully understanding your requirements.

-Gareth
Userlevel 7
Hi Michael,
Were you able to get this working?

Reply