WiNG captive portal re-authentication timeout

gluo
New Contributor II
Hi, I have set up a captive portal on a VX9000 and I noticed that every day the user has to re-enter the username and password. Is there a way to remain authenticated for as long as the user is valid? Also, is there a way to un-authorize a certain user from the captive portal?
13 REPLIES

gluo
New Contributor II
Hi Ondrej,

Thank you for your detailed answer and testing. Really helpful information, good job! My use case is site visitors that are being handed out pre-printed vouchers with username/passwords in order to authenticate and be able to access the WLAN, so there is no previous knowledge of the MAC address; hence the first fork does not fit, please correct me if I am wrong. About the second fork, I cannot download the document because it takes me to your SharePoint cloud server. So I need your aid with the following:
1. Does self registration allow anyone to access the WLAN? (That would be a problem in this case)
2. Is it possible to provide a username/password (CP) and then have the user enter his own MAC (AAA)?

If the second is possible, then the inactivity timeout of the RADIUS holding MAC addresses would not be a problem since it happens automatically.

Ondrej_Lepa
Extreme Employee
Hi Konstantinos,

I set up a scenario with an AP adopted to a controller, where the AP had the Captive Portal service and the controller ran the RADIUS service.

Captive Portal configuration as follows:

captive-portal RADIUS
 access-time 10
 inactivity-timeout 60
 simultaneous-users 1
 use aaa-policy RADIUS
 bypass captive-portal-detection


WLAN configuration as follows:

wlan RADIUS
 bridging-mode local
 encryption-type none
 authentication-type mac
 use aaa-policy RADIUS
 use captive-portal RADIUS
 captive-portal-enforcement fall-back

Then, connecting to the SSID, I see in the logs that the system first tries to authenticate the client against AAA / RADIUS and then fails over to Captive Portal.

Then successful authentication via the Captive Portal pages against the same RADIUS server.

So in theory this will work fine, as you see the first attempt goes to RADIUS.
You might have noticed a problem though - the AAA policy asks to authenticate user 38-F2-3E-18-5B-04

This is the result of having authentication method MAC.

So here we go with a fork:
  • either you have to create a user database based on clients' MAC addresses instead of username and password
The problem here is that when using authentication we need to send a username to query the database. With MAC-based authentication we use the MAC as one and do not actually link it with a RADIUS user account provided through the Captive Portal credentials fields. Although it works correctly, it is not designed to be used with anything other than Guest registration.

Regards,
Ondrej

EDIT: Just checked RADIUS group policy for timeout options and I have some bad news - it is also limited to 86400 seconds

Although RFC2865 does specify its maximum as a 32-bit integer, we have a limitation of a day in WiNG.
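
The gap between the RFC 2865 field size and the one-day ceiling mentioned in the post above, as an added example that is not part of the original thread and is not WiNG code: it builds a constructed Access-Accept, parses the Session-Timeout and Idle-Timeout attributes, and flags values above 86400 seconds. Applying that ceiling to both attributes is an assumption; the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT, IDLE_TIMEOUT = 27, 28   # RFC 2865 sections 5.27 and 5.28
WING_MAX_SECONDS = 86400                 # one-day ceiling reported in the post above
UINT32_MAX = 2**32 - 1                   # largest value the 4-octet field can carry


def build_access_accept(ident, timeouts):
    """Constructed sample packet: header plus one 6-octet attribute per timeout."""
    attrs = b"".join(struct.pack("!BBI", t, 6, v) for t, v in timeouts.items())
    authenticator = bytes(16)  # placeholder, not a valid Response Authenticator
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_timeouts(packet):
    """Return {attribute_type: seconds} for Session-Timeout and Idle-Timeout."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        if a_type in (SESSION_TIMEOUT, IDLE_TIMEOUT):
            if a_len != 6:
                raise ValueError("timeout attribute must be 6 octets")
            found[a_type] = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += a_len
    return found


def over_limit(packet, limit=WING_MAX_SECONDS):
    """Attributes that are valid per RFC 2865 but exceed the given ceiling."""
    return {t: v for t, v in parse_timeouts(packet).items() if v > limit}


if __name__ == "__main__":
    week = 7 * 24 * 3600
    pkt = build_access_accept(1, {SESSION_TIMEOUT: week, IDLE_TIMEOUT: 3600})
    print(parse_timeouts(pkt))
    print(over_limit(pkt))
```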

gluo
New Contributor II
Hi Ondrej, Did you have a chance to test this?

gluo
New Contributor II
It is the inactivity timeout, the value in question, that is limited to 1 day (1440 minutes). The above numbers are both the same in 5.8.4 (inactivity timeout & Client Access time).

Ondrej_Lepa
Extreme Employee
Theoretically speaking, it shall pass automatically with the first CP authentication - then it relies on the RADIUS authentication timeout.

Let me test it to get it confirmed.

EDIT: In WiNG 5.8.5 I see the access time is extended to max 10080 minutes / 7 days.
