This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

How does WiNG Captive Portal (RADIUS) authentication work with locally bridged (self) mode and external captive portal web pages?

How does WiNG Captive Portal (RADIUS) authentication work with locally bridged (self) mode and external captive portal web pages?

Jeff_Lanza
New Contributor

ā€Ž02-02-2017 06:57 PM

I'm operating a WiNG wireless controller to manage remote APs. I'm attempting to setup external captive portal pages, and in order to have the APs handle the captive portal capture and redirection process (and RADIUS authentication) without tunneling traffic through the controller.

So far, the setup works as expected, clients are getting redirected to the proper captive portal page by the AP.

The first question is, once the external pages perform their auth processes,
1) How does the authentication form submission work on the AP (or does it) in this configuration?

I'm currently testing form submission (POST) with these two endpoints:

https://1.1.1.1:444/cgi-bin/hslogin.cgi
http://1.1.1.1:880/cgi-bin/hslogin.cgi

and these parameters:
f_user =
f_pass =
f_Qv =
f_hs_server = 1.1.1.1

2) Is the script at 1.1.1.1 served by the AP, or is that supposed to supposed to be the controller?

3) Can I post to 880 when in http redirection mode and https mode or at all?
0 Kudos
17 REPLIES 17

Ondrej_Lepa
Extreme Employee

ā€Ž02-06-2017 09:33 AM

Hi Jeff,

now couple of questions - the external page shall provide authentication / registration, right?
Are you using simple credentials authentication of full registration there?

Either or - you shall use RADIUS server / AAA policy for that also - either external or internal.
Captive portal, actually the AAA, rely on access-accept / reject to react as default option is "access-type radius".

When using external portals we do expect getting response similar to attached picture

748d5b63d1b84f07ad975b7f7c38802a_RackMultipart20170206-72138-72w3q6-hslogin_inline.png



Be careful to abide sequence of f_user, f_pass, f_hs_server, f_curr_time and f_Qv - hslogin.cgi is little touchy here šŸ™‚

I would strongly recommend to get some captures from controller using these two commands in CLI:

- remote-debug captive-portal hosts CP1 clients all max-events 5000 events all
- remote-debug wireless hosts CP2 clients all max-events 5000 events all

Here CP1 is device running captive portal service and CP2 is AP where test client connects.
Try to connect and browse with unauthenticated client and I'll tell you more having these.

Also - server modes explained here

748d5b63d1b84f07ad975b7f7c38802a_RackMultipart20170206-90005-1g90uaj-ServerMode_inline.png



Regards,
Ondrej

0 Kudos

Jeff_Lanza
New Contributor

ā€Ž02-03-2017 05:13 PM

captive-portal CP-TEST inactivity-timeout 3600 server mode self webpage-location external webpage external login http://example.com/login webpage external welcome http://example.com/welcome webpage external fail http://example.com/failed webpage external no-service http://www.tide.com use aaa-policy CP-RADIUS use dns-whitelist CP-WHITELIST dns-whitelist CP-WHITELIST permit example.com permit someservice.com suffix wlan testwifinetwork vlan 680 bridging-mode local encryption-type none authentication-type none no answer-broadcast-probes radius vlan-assignment data-rates 2.4GHz gn use aaa-policy CP-RADIUS use captive-portal CP-TEST captive-portal-enforcement enforce-dhcp proxy-arp-mode strict broadcast-dhcp validate-offer service cred-cache clear-on-disconnect
Ondrej,

Here's what the config looks like...
We should be able to authenticate by POSTing credentials and the redirect token (from the WiNG captive portal guide example login.html) to:

https://1.1.1.1:444/cgi-bin/hslogin.cgi
or
http://1.1.1.1:880/cgi-bin/hslogin.cgi

And then, in this case, the AP would handle authentication with the RADIUS server using the parameters supplied, is that right?

Regarding other server modes, I was under the assumption that if we weren't using 'centralized' mode the server host would have to be a controller, is that not the case?

Thanks,
Jeff

0 Kudos

Ondrej_Lepa
Extreme Employee

ā€Ž02-03-2017 08:52 AM

Hi Jeff,

the thing is that with CP we need to redirect client's flow to a certain end-point (walled garden) so in case you do not specify a server (or use served mode self) AP acts as one - virtual IP 1.1.1.1.

Anyway, in case of external pages and local CP server you create kind of a Supplicant - Authenticator - Authentication Server scenario, when AP acts as authenticator and tunnels auth request to external pages..

Also, you can only select HTTP or HTTPS in CP - no special port redirection afaik.

If you have a specific config to discuss, please share it or raise a support case.
There is not-yet re-branded captive portal desing guide I would not like to post here.

Regards,
Ondrej

0 Kudos
GTM-P2G8KFN