
How does WiNG Captive Portal (RADIUS) authentication work with locally bridged (self) mode and external captive portal web pages?


I'm operating a WiNG wireless controller to manage remote APs. I'm attempting to set up external captive portal pages, and to have the APs handle the captive portal capture and redirection process (and RADIUS authentication) without tunneling traffic through the controller.

So far, the setup works as expected, clients are getting redirected to the proper captive portal page by the AP.

The first question is, once the external pages perform their auth processes:

1) How does the authentication form submission work on the AP (or does it) in this configuration?

I'm currently testing form submission (POST) with these two endpoints:

https://1.1.1.1:444/cgi-bin/hslogin.cgi
http://1.1.1.1:880/cgi-bin/hslogin.cgi

and these parameters:
f_user =
f_pass =
f_Qv =
f_hs_server = 1.1.1.1

2) Is the script at 1.1.1.1 served by the AP, or is that supposed to be the controller?

3) Can I post to 880 when in http redirection mode and https mode or at all?

Hi Jeff,

the thing is that with CP we need to redirect the client's flow to a certain end-point (walled garden), so in case you do not specify a server (or use server mode self) the AP acts as one - virtual IP 1.1.1.1.

Anyway, in case of external pages and local CP server you create kind of a Supplicant - Authenticator - Authentication Server scenario, where the AP acts as authenticator and tunnels the auth request to external pages.

Also, you can only select HTTP or HTTPS in CP - no special port redirection afaik.

If you have a specific config to discuss, please share it or raise a support case.
There is a not-yet re-branded captive portal design guide that I would not like to post here.

Regards,
Ondrej
Ondrej,

Here's what the config looks like...

[code]
captive-portal CP-TEST
 inactivity-timeout 3600
 server mode self
 webpage-location external
 webpage external login http://example.com/login
 webpage external welcome http://example.com/welcome
 webpage external fail http://example.com/failed
 webpage external no-service http://www.tide.com
 use aaa-policy CP-RADIUS
 use dns-whitelist CP-WHITELIST

dns-whitelist CP-WHITELIST
 permit example.com
 permit someservice.com suffix

wlan testwifinetwork
 vlan 680
 bridging-mode local
 encryption-type none
 authentication-type none
 no answer-broadcast-probes
 radius vlan-assignment
 data-rates 2.4GHz gn
 use aaa-policy CP-RADIUS
 use captive-portal CP-TEST
 captive-portal-enforcement
 enforce-dhcp
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 service cred-cache clear-on-disconnect
[/code]
We should be able to authenticate by POSTing credentials and the redirect token (from the WiNG captive portal guide example login.html) to:

https://1.1.1.1:444/cgi-bin/hslogin.cgi
or
http://1.1.1.1:880/cgi-bin/hslogin.cgi

And then, in this case, the AP would handle authentication with the RADIUS server using the parameters supplied, is that right?

Regarding other server modes, I was under the assumption that if we weren't using 'centralized' mode the server host would have to be a controller, is that not the case?

Thanks,
Jeff
Hi Jeff,

now a couple of questions - the external page shall provide authentication / registration, right?
Are you using simple credentials authentication or full registration there?

Either way - you shall use a RADIUS server / AAA policy for that also - either external or internal.
The captive portal, actually the AAA, relies on access-accept / reject to react, as the default option is "access-type radius".

When using external portals we do expect to get a response similar to the attached picture



Be careful to abide by the sequence of f_user, f_pass, f_hs_server, f_curr_time and f_Qv - hslogin.cgi is a little touchy here 🙂

I would strongly recommend getting some captures from the controller using these two commands in CLI:

- remote-debug captive-portal hosts CP1 clients all max-events 5000 events all
- remote-debug wireless hosts CP2 clients all max-events 5000 events all

Here CP1 is the device running the captive portal service and CP2 is the AP where the test client connects.
Try to connect and browse with unauthenticated client and I'll tell you more having these.

Also - server modes explained here



Regards,
Ondrej
Ondrej,

I am performing a simple authentication with my own web service on my external server, and from that we get the RADIUS credentials necessary to perform the login to the hs_server.

I am missing the 'f_curr_time' variable, my documentation must be a little bit old. I can add that one in if it's necessary. Also, regarding the order of parameters, I'm using a plain HTML form to submit those parameters to the hs_server, will that suffice? Here is what it looks like right now.

(HTML login form with five input fields; the form markup was not preserved in the page extraction)
This looks like a correct form POST for server mode 'self', right? 1.1.1.1 should handle the RADIUS authentication using the credentials supplied, is that correct?

Still working on getting the debugging you requested.

Thanks,
Jeff

Jeff,

be careful - as I said above - hslogin.cgi is sensitive and you have f_Qv in front of f_hs_server. Annoying, but might be fatal. The current time attribute is there for the database etc., so it could really be missing in older guides. Do not worry, though, I think it is not necessary.

Question now is - is captive portal server recovering user / pass correctly and forwards that to RADIUS server to allow access.

You shall see this in debugs I mentioned before.

Regards,
Ondrej
Makes sense, given the contents of Qv aren't URL encoded. I switched the order, and it looks like the RADIUS Authentication request is going through now, it's just being blocked by a firewall. Thanks for all your help!
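As an added example (not code from this thread, from Extreme Networks, or from the WiNG captive portal guide), the browser-side JavaScript below shows how an external login page can assemble the hslogin.cgi POST with the fields in the order Ondrej lists (f_user, f_pass, f_hs_server, f_curr_time, f_Qv) and with every value URL-encoded, so a redirect token containing '&' or '=' cannot shift the parameter sequence the CGI depends on. The redirect query parameter names hs_server and Qv, the sample redirect URL and the sample credentials are assumptions made for this example; check the parameter names against the redirect URL your AP actually generates.

```javascript
// Added example, not from the thread or from Extreme Networks. Builds the
// application/x-www-form-urlencoded body an external captive-portal page
// sends back to the AP's hslogin.cgi, in the field order the thread says
// the CGI expects, with every value encoded.

// Field order required by hslogin.cgi according to the thread.
const HSLOGIN_FIELD_ORDER = ['f_user', 'f_pass', 'f_hs_server', 'f_curr_time', 'f_Qv'];

// Pull the captive-portal server address and the redirect token out of the
// URL the AP redirected the client to. The query parameter names 'hs_server'
// and 'Qv' are assumptions for this example; verify them against a real
// redirect URL from your AP.
function parseRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  const hsServer = url.searchParams.get('hs_server');
  const qv = url.searchParams.get('Qv');
  if (!hsServer || !qv) {
    throw new Error('redirect URL is missing hs_server or Qv');
  }
  return { hsServer, qv };
}

// Build the POST body. URLSearchParams keeps insertion order and percent-
// encodes each value, so '&' or '=' inside the Qv token stay inside f_Qv.
function buildLoginBody({ user, pass, hsServer, qv, currTime = Math.floor(Date.now() / 1000) }) {
  const values = {
    f_user: user,
    f_pass: pass,
    f_hs_server: hsServer,
    f_curr_time: String(currTime),
    f_Qv: qv,
  };
  const params = new URLSearchParams();
  for (const name of HSLOGIN_FIELD_ORDER) {
    params.append(name, values[name]);
  }
  return params.toString();
}

// Return the field names of an encoded body in the order they appear, so the
// sequence can be checked before the page is pointed at a live AP.
function fieldOrder(body) {
  return body.split('&').map((pair) => pair.split('=')[0]);
}

// Target for the POST: the AP's virtual address with the port matching the
// redirection mode described in the thread (880 for HTTP, 444 for HTTPS).
function loginUrl(hsServer, useHttps) {
  return useHttps
    ? `https://${hsServer}:444/cgi-bin/hslogin.cgi`
    : `http://${hsServer}:880/cgi-bin/hslogin.cgi`;
}

// Constructed sample redirect URL; the host and the token value are made up
// for this example (the token deliberately contains '&' and '=').
const SAMPLE_REDIRECT = 'http://example.com/login?hs_server=1.1.1.1&Qv=abc%26def%3Dxyz';

// End-to-end demonstration with constructed credentials and a fixed time.
function demo() {
  const { hsServer, qv } = parseRedirect(SAMPLE_REDIRECT);
  const body = buildLoginBody({ user: 'alice', pass: 'p@ss word', hsServer, qv, currTime: 1700000000 });
  return { url: loginUrl(hsServer, true), body, order: fieldOrder(body) };
}
```

A plain HTML form follows the same rule: its input elements must appear in that order, and the browser encodes the values itself, so the hand-built body is only needed when the page submits with fetch() or XMLHttpRequest. Since f_pass travels in the body, the HTTPS endpoint on 444 is the one to use where the redirection mode allows it; the port 880 page is served unencrypted.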
Jeff Lanza wrote:

Makes sense, given the contents of Qv aren't URL encoded. I switched the order, and it looks like the RADIUS Authentication request is going through now, it's just being blocked by a firewall. Thanks for all your help!

Hi Jeff,

if you consider this solved, please mark the question answered.

Thank you and good luck with your project!
Can you please explain to me who is serving this page (http://1.1.1.1:880/cgi-bin/hslogin.cgi)?
what is exactly 1.1.1.1:880?
This must be my captive portal page server? Or is the ip and port of the AP controller?

Thanks!
The AP has a web server in 'self' mode that serves an unencrypted page to accept authentication requests at 1.1.1.1 over port 880. SSL requests would happen over port 444. I can't speak to the details of the web server on the AP that handles redirects to external captive portal pages.
Thanks for your answer, Jeff.
In the case we have an AP managed by a controller, what would be 1.1.1.1?
Thanks in advance.
What mode are you using for the Captive Portal:
Internal(self)
Centralized
or Centralized Controller

see notes above.
I'm using Centralized Controller mode.
Actually, not sure. Redirection still happens at the AP, so perhaps it's still the AP. The controller does act as authenticator in this case, so it does need some virtual interface to handle those web requests and direct them to the available controller, but I believe you need to manually define that in the configuration.

Sorry I can't help you here.
Jeff Lanza wrote:

Actually, not sure. Redirection still happens at the AP, so perhaps it's still the AP. The controller does act as authenticator in this case, so it does need some virtual interface to handle those web requests and direct them to the available controller, but I believe you need to manually define that in the configuration.

Sorry I can't help you here.

Thanks! You helped me a lot understanding the situation!
Hello, for login, I know the url is http://[HS_SERVER.
Is there any URL for logout also (to disconnect user)?

Thanks!
Cristiano Bevilaqua wrote:

Hello, for login, I know the url is http://[HS_SERVER.
Is there any URL for logout also (to disconnect user)?

Thanks!

I found the answer myself. To disconnect the user, the url is http://[HS_SERVER , note that it's without the port.

Thanks!
Someone knows if there is a possible parameter (input with name) in the login form to redirect the user to a specific URL after success login (something similar to the welcome url configured in controller)?
(HTML login form with five input fields; the form markup was not preserved in the page extraction)

Thanks!