Captive portal login allow receiving emails with generated credentials

f_bonacini
New Contributor II

Hi all.

 

As the title says, my problem is the following:

  • we're deploying an AH SSID inside a place with a high number of guests.
  • the phone network is expected to be blocked for this reason.
  • However, we need to be able to forward emails with credentials to the clients registering on the portal so that they can log in.
  • The only possible solution would be to send this information by email even if the client has not logged in yet.
  • Sending an SMS is not a valid option due to the phone network not being reliable.

 

My questions are:

  1. is this possible to achieve by using the Walled Garden of the CWP?
  2. if it is possible, how can I achieve it? Because I've tried to whitelist some services of Google to allow Gmail, but the native app on my mobile phone and an iOS device I used for tests are not receiving the emails.
  3. If this is not possible, can client data registered with only self registration be retrieved by my server somehow? Because I've tried to remove the "User Auth" check (see attached image), but by using the developers API "/v1/identity/credentials" I cannot get the data the user has inserted.
1 ACCEPTED SOLUTION

f_bonacini
New Contributor II

For those who'll stumble upon this same problem, here are a few guidelines that worked for me:

 

1 - Maximum of 64 rules.

Remember that the Walled Garden has a limited number of rules which can be inserted. At the time of writing, this limitation is about 64 rules, regardless of their complexity. In other words, you have to choose wisely which email domain providers you want to enable.

 

2 - Analyze email domain providers required resources.

Smaller email domain providers will usually put advertisement and other kinds of analytics tools inside the resources they use to build their web app / native app. Without some of those, the application may refuse to work. You will have to check those applications individually.

Usually, big providers, such as Google, Apple, Microsoft and Yahoo, use fewer external tools, so it's easy to whitelist those applications' domains and make them work. The same cannot be said for smaller providers, which make large use of in-app advertisement.

 

3 - Analyze HTTPS traffic to understand which DNS records must be added to the Walled Garden.

You can do this by opening the web app page inside your browser and, by using the developer tools, checking the Network panel to see the addresses of the requests.

This usually covers both the web application and the native application. However, this is not always true.

Again, small email providers may have created a native application where some resources need a particular DNS record to be accessible in order to work correctly (or be used at all).

If this is your case, then you will have to set up a sort of middleware on your PC and direct your device traffic to it so that you will be able to analyze all traffic coming from your test device.

 

4 - Devices make use of HTTP requests to detect and activate the Captive Portal landing page.

As the title says and at the time of writing, to trigger the captive portal splash page, devices usually make an HTTP (not HTTPS) request to some predefined endpoint. For iOS it is something like a .apple.com /some/path/ while for Android devices the endpoint can vary with Android distribution and physical device.

Therefore, to be sure that the Captive Portal will be correctly displayed regardless of the DNS rules set in the Walled Garden, make sure to enable only HTTPS traffic in your Walled Garden rules. That's because when these connection endpoints cannot be reached, the device will automatically detect the captive portal and redirect the user to it.

 

5 - Max of 2MB of compressed archive can be deployed as Captive Portal to an access point device.

Do not build an overly complex or too stylish Captive Portal splash page. At the time of writing, the compressed package sent to the access point configuration can be a maximum of 2MB.

If your custom Captive Portal makes use of too many resources or images, the ExtremeCloud manager will give you a deploy error when trying to transfer a compressed package whose size exceeds the limit mentioned above.

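Points 1, 3 and 4 of the accepted solution describe a manual triage of the Network panel. The script below is an added illustration of that triage, not Aerohive/ExtremeCloud code: it reads a HAR export (the JSON a browser's Network panel saves), keeps only HTTPS hosts under the provider domains you chose, separates third-party hosts and plain-HTTP hosts, and checks the result against the 64-rule ceiling quoted in the post. The HAR content, the provider suffixes and the probe host are constructed sample values.

```python
"""Triage a browser HAR export into candidate walled-garden hosts.

Added example for this thread; not vendor code. SAMPLE_HAR is constructed.
"""
import json
from urllib.parse import urlsplit

MAX_RULES = 64  # walled-garden rule limit quoted in the accepted solution

# Constructed stand-in for a Network-panel HAR export while loading a webmail
# client. The last entry mimics a device's plain-HTTP captive-portal probe
# (hostname is a placeholder, not a real probe endpoint).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://mail.google.com/mail/u/0/"}},
    {"request": {"url": "https://www.gstatic.com/images/icons/material/x.png"}},
    {"request": {"url": "https://mail.google.com/sync/u/0/i/s"}},
    {"request": {"url": "https://ssl.gstatic.com/ui/v1/icons/mail/logo.png"}},
    {"request": {"url": "https://analytics.example.net/pixel.gif"}},
    {"request": {"url": "http://probe.example.net/detect.html"}},
]}})


def hosts_from_har(har_text: str) -> dict:
    """Group every requested host by URL scheme: {'https': {...}, 'http': {...}}."""
    entries = json.loads(har_text)["log"]["entries"]
    by_scheme = {"https": set(), "http": set()}
    for entry in entries:
        parts = urlsplit(entry["request"]["url"])
        if parts.scheme in by_scheme and parts.hostname:
            by_scheme[parts.scheme].add(parts.hostname.lower())
    return by_scheme


def plan_walled_garden(har_text: str, provider_suffixes):
    """Return (keep, dropped, http_hosts, over_limit).

    keep:     HTTPS hosts under one of the provider domains you chose (point 1);
    dropped:  HTTPS hosts that are not (ad/analytics third parties, point 2);
    http:     plain-HTTP hosts, left out of the rules so the device's
              captive-portal probe is still intercepted (point 4).
    """
    by_scheme = hosts_from_har(har_text)
    keep = sorted(h for h in by_scheme["https"]
                  if any(h == s or h.endswith("." + s) for s in provider_suffixes))
    dropped = sorted(by_scheme["https"] - set(keep))
    http_hosts = sorted(by_scheme["http"])
    return keep, dropped, http_hosts, len(keep) > MAX_RULES
```

Run it against a real HAR of each provider's webmail and native app; the `dropped` list is where the post's "check those applications individually" work starts.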

8 REPLIES

f_bonacini
New Contributor II

Regarding the whitelist docs, I think it would be a great addition not just to my use case but to AH documentation in general. So even if it will take you time to write it down, I suggest you do it anyway.

 

Thank you for the clarification on iOS.

 

For the external syslogs, just to check all possible ways, we would have to prepare our own server with some kind of software capable of accepting the log info?

Because currently in this project we already have an external (from the AH SSID) machine which is fetching data from the AH developer portal through API calls, and I think we could set that up to enable also this kind of data collection.

I don't think we can have the time in our current project to do that, but it would be an interesting solution nonetheless for future projects.

 

Anyway, right now I'm not in office anymore, but I will be there tomorrow so I'll answer you later.

And thank you again.

samantha_lynn
Esteemed Contributor III

For the documentation on a white list, we don't have one that I know of but I can submit a request to have one made. I don't know when that would be available though, just to set expectations here, we're a bit behind at the moment.

 

For iOS devices, once they have submitted the registration they should be able to go to any sites within your walled garden list, otherwise any other functions that require internet access will have to wait until they are fully authenticated.

 

To view our buffered log you'd want to run the command: show log buff

You can narrow things down a bit; let's say you have the MAC address of the client, you could use the command: show log buff | include <mac address>

 

I know we can send the buffered log to a syslog server for long term storage and use, but I don't know if all external servers can access these logs.

f_bonacini
New Contributor II

First of all, thank you for your reply.

 

In regard to the Walled Garden, by a trial and error approach I've managed to whitelist at least Gmail. I had to add different host names to allow Gmail to work on both iOS and Android. By using this approach I can allow the email provider when I find the right resources to whitelist.

To your knowledge, is there some sort of documentation where I can find host names to whitelist? For example Microsoft Live, Yahoo, etc.?

 

Another related question. On iOS, they have that native app which intercepts the Captive Portal. While the user is being held inside that app, after having submitted the registration, is the device already able to get emails inside native apps? (Once again, as an example, the Gmail app)

 

In regard to the self registration info being stored in the log of the AP: this is an interesting thing, do you have some documentation on how to access those logs? Is there a way to access them programmatically from another server?

samantha_lynn
Esteemed Contributor III

You should be able to create a walled garden to allow them access to their email. If that configuration isn't working, I would recommend opening a case so we can review your configuration with you and troubleshoot from there. When you're testing and don't receive the emails, does that mean the email doesn't come to your inbox at all, or that you aren't able to see your email inbox despite the walled garden settings?

 

The information submitted by clients in the self registration portal will be listed in the buffered log of the AP. However, you'll want a long term logging server like syslog set up, because the buffered log overwrites itself once it fills up.
