Introduction
This guide describes the configuration steps to enable an external captive portal in the WiNG WLAN plataform.
The following guide was created using an Extreme Wireless network running WiNG v5.5 solution.
Configuring the RADIUS server
Configure the CoffeeBean RADIUS server by creating a new AAA Policy.
Go to "Configuration > Network > AAA Policy", click in the "Add" button and fill the AAA Policy name, such as "AAA-COFFEEBEAN"
RADIUS Authentication
In the "RADIUS Authentication" tab click in the "Add" button and fill the following info:
- Host: the primary RADIUS server hostname according to your environment/region (Hostname)
- Port: make sure that the chosen port is 1812
- Secret: the provided RADIUS client secret
- Request Proxy Mode: Through Centralized Controller or Through Wireless Controller
Click "OK" to save these settings and then "Exit".
Repeat the procedure for the secondary RADIUS server.
RADIUS Accounting
In the "RADIUS Accounting" tab click in the "Add" button and fill the following info:
- Host: the primary RADIUS server hostname according to your environment/region (Hostname)
- Port: make sure that the chosen port is 1813
- Secret: the provided RADIUS client secret
- Request Proxy Mode: Through Centralized Controller or Through Wireless Controller
Click "OK" to save these settings and then "Exit".
Repeat the procedure for the secondary RADIUS server.
RADIUS Settings
In the "Settings" tab, double check these settings:
- RADIUS Authentication > Protocol for MAC, Captive Portal Authentication: PAP
- RADIUS Address Format > Attributes: All
You can also configure which type of RADIUS Accounting packets you want to send (Start/Interim/Stop) and the request interval.
Configuring the DNS Whitelist
Go to "Configuration > Services > DNS Whitelist", click in the "Add" button and fill the "Name", such as "SOCIAL-LOGIN":
Create the DNS Entries according to Walled Garden for the Social Login URLs. Add each URL as a "Hostname" and Match Suffix as "Yes".
Configuring the Captive Portal
Go to "Configuration > Services > Captive Portal", click in the "Add" button and fill the Captive Portal Policy name, such as "CP-SOCIAL-ID":
Basic Configuration
Change the following settings in the "Basic Configuration" tab:
- Captive Portal Server Mode: Internal (Self) [you can select a more appropriate option if you prefer]
- AAA Policy: the previously AAA Policy created (e.g.: "AAA-SOCIAL-ID")
- Access Type: RADIUS Authentication
- DNS Whitelist: the previously DNS Whitelist created (e.g.: "SOCIAL-LOGIN")
- Enable RADIUS Accounting checkbox
Click in "OK" to save the settings.
Web Page
Go to the "Web Page" tab to configure the external captive portal:
- Web Page Source: Externally Hosted
- Login URL: the provided captive portal login URL*
- Welcome URL: the provided captive portal welcome URL
- Fail URL: the provided captive portal fail URL
*Important: you need to add parameters to the Login URL query string to track client and AP MACs successfully. Example:
http://wifi.socialidnow.com/portals/my-portal/auth?client_mac=WING_TAG_CLIENT_MAC&ap_mac=WING_TAG_AP_MAC&hs_server=WING_TAG_CP_SERVER&
You can fill the other URLs if you need also. Click in "OK" to save the settings.
Configuring the Wireless LAN
Now you need to associate the Captive Portal previously created to the Wireless LAN. You need to have a Wireless LAN already created and configured in order to proceed with this step.
Select your Wireless LAN in "Configuration > Wireless > Wireless LANs" and go to the "Security" tab:
In order to provide Free Wi-Fi with Captive Portal enabled you need to set the following parameters:
- Select Authentication: PSK / None
- Enforcement: check "Captive Portal Enable"
- Captive Portal Policy: select the previously created Captive Portal Policy (e.g.: "CP-SOCIAL-ID")
- Select Encryption: Open
Configuring the Device Services
You need to add the Captive Portal Policy previously created to the Device Services responsible to perform the RADIUS authentication, such as the Controller or Access Point (AP).
Select you device in "Configuration > Devices > Device Configuration" and go to the "Services" tab:
Check the Captive Portal Policy previously created (e.g.: "CP-SOCIAL-ID").
Also review the device DNS settings in "Network > DNS" tab.
Customer Parameters
The summary of customer specific parameters is:
Basic Settings
- RADIUS (primary and secondary)
- Authentication
- Host: the RADIUS server hostname according to your environment/region.
- Port: 1812
- Secret: the provided RADIUS client secret
- Accounting
- Host: the RADIUS server hostname according to your environment/region.
- Port: 1813
- Secret: the provided RADIUS client secret
- Authentication
- DNS Whitelist: get the list of URLs you want to enable to unauthenticated users at our Walled Garden Page.
- Login URL: the provided captive portal login URL
- Welcome URL: the provided captive portal welcome URL
- Fail URL: the provided captive portal fail URL