Must be using vWLAN software 2.4 or later.
For the purposes of this document, it is assumed you have already licensed APs and they are online, locations are ACTIVE, and Roles are configured accordingly. Please see for help getting started with vWLAN.
Web-based authentication (captive portal) is an authentication process in which clients typically connect to an open system SSID and are then redirected to a login page or captive portal (after opening a browser). This authentication process requires no client-side configuration, although it can also be used with WPAPSK/WPA2PSK SSIDs, which requires the client to configure the preshared key. This authentication process typically occurs as described in Figure 1 below.
Figure 1. Client Authentication Process
In the authentication process, clients in the un-registered role are redirected to the secure vWLAN login page (captive portal). The client initially receives an authentication (NAC) IP address (10.254.0.0/14 or whatever the administrator has assigned) with a short lease time from the AP, and then the HTTP request is redirected to https://vWLAN-ip/login.pl. The credentials entered by the client are sent to vWLAN and authenticated against a local user database, external Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, external RADIUS server, or SIP2 library server. The client is then placed into the proper authenticated role and will receive an IP address on their target location/network and begin to pass traffic.
Web authentication traffic is secured using HTTPS; however, subsequent over-the-air traffic is secured based on the SSID configuration. For example, if the SSID is configured for open system, there is no over-the-air encryption. If the SSID is configured for WPAPSK/TKIP, WPA2PSK/AES, or WPAPSK+WPA2PSK/TKIP or AES, there is over-the-air encryption. Note that 802.11n data rates cannot be achieved while using TKIP; clients are limited to legacy data rates of up to 54 Mbps. This guide will serve as an aid for configuring a basic web-based (captive portal) authentication.
To allow wireless clients to connect to the vWLAN network, each AP domain must have at least one SSID. To configure an SSID, connect to the GUI and follow these steps:
Navigate to the Configuration tab, and select Wireless > SSIDs. Here any previously configured SSIDs are listed, and the name, role, broadcast, authentication method, accounting server, and cipher type for each SSID is displayed. You can edit an already configured SSID by selecting the SSID from the list. To create a new SSID, select Create SSID from the bottom of the menu or select Domain SSID from the Create drop-down menu (at the top of the menu).
Enter a name for the SSID. SSID names can be up to 31 characters in length.
Next, enable SSID broadcasting by selecting the Broadcast SSID check box. This is selected by default.
Specify whether the SSID will convert multicast or broadcast network traffic to unicast traffic by selecting the appropriate option from the Convert drop-down menu. You can select to Disable this feature, Convert broadcast to unicast, Convert multicast to unicast, or to Convert broadcast and multicast to unicast. By default, Convert multicast to unicast is enabled. Multicast transmissions are typically sent from one source to several destinations or to all destinations. From a security standpoint, it is difficult to configure the firewall properly for multicast transmissions between different client types. Converting multicast to unicast allows you to police traffic more efficiently to IP addresses or specific users. In addition, when multicast and broadcast transmissions are sent wirelessly, they use the lowest data rate available, resulting in lower performance than unicast transmissions. If traffic is converted from broadcast or multicast to unicast, it is sent using a higher data rate which improves performance, using less air time. Broadcast traffic must be sent to all clients, and therefore it is sent at the rate of the slowest client. Unicast traffic is sent to a single client, therefore it can be sent at the speed of each client rather than that of the slowest client. For the purposes of the document, we will illustrate using the default setting.
If you do not choose to convert multicast network traffic to unicast traffic, you must allow multicast traffic in the default role of the SSID. Please see: Enabling Multicast Support for .
The default role of an 802.1x SSID is Un-registered. If you do not allow multicast traffic in the SSID’s default role, and you do not choose to convert multicast traffic to unicast traffic in the SSID, then multicast traffic from a unified access host or wireless client on another AP will not be seen.
Then specify the authentication method for connecting to the SSID by selecting an option from the Authentication drop-down menu. Authentication choices include: Open System, Shared Key, WPA, WPA-PSK, WPA2, WPA2-PSK, WPA+WPA2, WPA-PSK-WPA2-PSK. For the purposes of this document, we will only focus on Open System.
Open System authentication means that there is no client verification when a client attempts to connect to the SSID. With open system, you can choose not to use a cipher for data protection, or you can use wired equivalent privacy (WEP) as your cipher. To select open system as the authentication method for this SSID, without a cipher, select Open System from the Authentication drop-down menu.
Once you have selected the authentication, cipher, and preshared key (if necessary) information for the SSID, specify the login form to be associated with the SSID by selecting the appropriate form from the Login Form drop-down menu. By default, each SSID will use the default login form. If you have not created another login form, this will be the only option. You can select another login form if one has been created, or you can choose to use the default form from the AP template. Next, select the role for clients that connect to this SSID. By default, two roles exist from which to choose: Un-registered and Guest. You must choose Un-registered to allow clients to authenticate with web-based authentication. If you choose another role, note that web authentication is bypassed entirely.
Select Create SSID. A confirmation will be displayed indicating the SSID was successfully created.
The SSID is now available for editing or deletion, and should be applied to the APs through AP templates. Once you add the SSID to the AP Template, you will see a Domain Task. Select Domain Tasks at the top of the GUI to apply the changes to the vWLAN system. This will take you to the Administration tab, Admin Tasks menu, and the Domain tab. Select the play icon next to Must apply configuration to APs to push the SSID to the AP.
You can now configure an external RADIUS web-based authentication, LDAP or AD, or Session Initiation Protocol 2 (SIP2) web-based library authentication server for vWLAN authentication. To configure an authentication server for the specified domain, follow the steps for each server type as outlined in the following sections. Again, the credentials entered by the client are sent to vWLAN and authenticated against a local user database, external Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server, external RADIUS server, or SIP2 library server. The local database is checked first, then the authentication servers are checked in the order specified by the administrator (set when creating or editing the external server).
RADIUS accounting can be used to notify external systems about users' usage of the vWLAN system. When a client is authenticated and joins the vWLAN system, a start request is sent to the accounting server. After a timeout period (when the client leaves the vWLAN system), a stop request is sent to the accounting server. Interim records can also be sent at periodic intervals, so that the external system can track vWLAN users at intervals. This can be helpful in tracking users that stay logged into the system for extended periods of time. To use accounting servers with vWLAN, you must configure the accounting server and then associate the server with one of the methods of authentication: RADIUS 802.1X, RADIUS web, LDAP, or SIP2 authentication servers, or local or MAC authentication. Accounting can also be used for a client that is assigned a default role using an SSID or unified access group by selecting the server in the SSID or unified access group configuration.
When configuring a RADIUS accounting server to use with vWLAN, note that the standard RADIUS accounting attributes apply, as well as a vendor-specific attribute under the vendor code (9967).
To configure a RADIUS accounting server in vWLAN, follow these steps:
Local user authentication in vWLAN takes precedence over external server authentication and can be used for web-based authentication. Each local user authentication database record consists of the following:
By default, no local users exist in the vWLAN system.
To configure local user authentication for the specified domain, follow these steps:
To configure a RADIUS web-based authentication server for use with vWLAN, follow the steps outlined below. For more on configuring a Windows Server for Authentication, see: vWLAN External RADIUS-802.1X Authentication.
Note: External RADIUS web-based authentication uses PAP and requires a RADIUS client to be configured in the RADIUS server for the vWLAN instance.
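The two RADIUS exchanges this guide relies on, web authentication over PAP (the note above) and accounting Start/Stop/Interim records (described earlier), are shown below in an added example that is not part of the guide or of the vWLAN product. It builds the packets by hand from the RFC 2865/2866 formats: the PAP User-Password hiding that makes the shared secret and a random Request Authenticator essential, and the Accounting-Request authenticator that lets the server verify a record came from a host holding the secret. Only the vendor code 9967 comes from the guide; the vendor-type number used in vsa() and the user name, secret and addresses are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4

# Standard attribute types used below
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
VENDOR_SPECIFIC, CALLING_STATION_ID = 26, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3

VWLAN_VENDOR_ID = 9967  # vendor code named in the guide; its attribute numbers are not


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (26) carrying one sub-attribute for vendor 9967.
    vendor_type is a placeholder: the guide does not list the vendor attribute numbers."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VWLAN_VENDOR_ID) + sub)


def ipv4(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def hide_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s5.2): pad to a 16-octet multiple and XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_pap_password, as the RADIUS server performs it."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, client_mac, request_auth=None):
    """Access-Request for web (PAP) authentication; the authenticator is random per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_pap_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, ipv4(nas_ip))
             + attr(CALLING_STATION_ID, client_mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_accounting_request(ident, secret, status, username, session_id, nas_ip, client_mac, extra=b""):
    """Accounting-Request (Start/Stop/Interim). RFC 2866: Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + attributes + shared secret)."""
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(USER_NAME, username.encode())
             + attr(ACCT_SESSION_ID, session_id.encode())
             + attr(NAS_IP_ADDRESS, ipv4(nas_ip))
             + attr(CALLING_STATION_ID, client_mac.encode())
             + extra)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    request_auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + request_auth + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check that an Accounting-Request was produced with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(data: bytes):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out
```

The password hiding is reversible by anyone who holds the shared secret and can see the packet, which is why the RADIUS client entry on the server (the note above) should use a long, unique secret and why the vWLAN-to-RADIUS path should not cross untrusted networks. The accounting authenticator gives the server integrity, not confidentiality: a record that fails verify_accounting_request() should be dropped rather than logged as usage.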
To configure an LDAP authentication server for use with vWLAN, follow these steps:
Note: It is not recommended to use an administrative account. Using a standard account is sufficient. The entered account must match the user account configured in LDAP or AD.
To configure a SIP2 authentication server (typically used in libraries) for user authentication, follow these steps:
Note: The administrator and password for the SIP2 server are optional. If no administrator or password is set, then the SIP2 authentication occurs without them. However, if an administrator is specified, a password must also be specified for authentication to occur.
The Redirect to hostname option requires both a forward (A record) and a reverse pointer (PTR record) in your organization’s DNS server for the public network interface and the fully qualified domain name (FQDN) of the vWLAN. The vWLAN and APs query the PTR record and redirect traffic based on the response. If there is no PTR record, clients are redirected to an IP address (rather than a host name). This action can result in the receipt of a web browser security warning indicating a domain name mismatch. Clients use the A record to resolve the host name of vWLAN to an IP address.
To enable Redirect to hostname:
As part of the AP template (Configuration tab, Wireless > AP Templates), the administrator can optionally choose to enable or disable Captive Network Assistant (CNA). This option allows remote devices to store the credentials to networks requiring captive portal authentication so they do not have to be entered manually every time they authenticate or re-authenticate to the network. By default, CNA is enabled on the AP template. When CNA is enabled, vWLAN responds to the device's CNA request with a redirection request to the vWLAN captive portal. The CNA device receives the redirection and detects that there is a captive portal in place. It then presents the CNA automatically and prompts the user to enter their credentials in the vWLAN login page. If CNA is disabled, the device will connect using a web request which redirects to the vWLAN captive portal. For Microsoft NCSI, an information popup appears at the bottom right corner of the computer suggesting the user open a web browser to authenticate. For CNA to function properly, however, additional configuration steps are necessary. A custom certificate must be loaded on vWLAN because CNA has no method to allow the user that is accessing the network to accept the certificate. In addition, vWLAN must be configured to redirect to a host name, and a DNS server and hostname may need to be configured.
vWLAN supports redirection of HTTP and HTTPS traffic for webpage authentication. HTTPS redirection is optional and, because it consumes additional resources, must be explicitly enabled on the vWLAN when needed. By default, un-registered clients' HTTPS traffic is not redirected. For example, a user with the home page set to a secure HTTPS banking page will not be redirected when this feature is disabled. To enable the redirection of HTTPS traffic for un-registered users, navigate to the Configuration tab, select System > Settings, and Domain. In the menu, select Redirect HTTPS traffic for Unregistered clients from the list, and select Enable from the drop-down menu. Enabling this feature redirects HTTPS traffic to the captive portal. Select Update Domain setting to apply the change. If you change this setting you will see a Domain Task. Select Domain Tasks at the top of the GUI to apply the changes to the vWLAN system. This will take you to the Administration tab, Admin Tasks menu, and the Domain tab. Select the play icon next to Must apply configuration to APs to push the change to the AP.
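The redirect behaviour described in the authentication overview, the Redirect to hostname section and the paragraph above combines three decisions: is the client still in the Un-registered role, is the request HTTP or HTTPS (and is HTTPS redirection enabled), and does the portal URL use the host name or the IP address (which depends on the PTR record). The following added example, written for this page and not taken from the vWLAN product, models those decisions and adds the DNS pre-flight an administrator would want before enabling Redirect to hostname: a check that the A record and the PTR record exist and agree, since a missing PTR silently falls back to an IP-address redirect and a certificate name-mismatch warning. The 10.254.0.0/14 range and the /login.pl path come from the guide; the host name, IP address and DNS records are constructed.

```python
import ipaddress
from typing import Callable, Optional

# Default authentication (NAC) range named in the guide; the administrator may assign another.
# strict=False because 10.254.0.0 is not the network address of the /14 (10.252.0.0-10.255.255.255).
NAC_NETWORK = ipaddress.ip_network("10.254.0.0/14", strict=False)

# A resolver is any callable mapping a name or address to one answer, or None when absent.
Resolver = Callable[[str], Optional[str]]

# Constructed DNS records so the example runs offline (not real infrastructure).
A_RECORDS = {"wlan.example.org": "192.0.2.10"}
PTR_RECORDS = {"192.0.2.10": "wlan.example.org."}


def is_nac_address(client_ip: str, nac_network=NAC_NETWORK) -> bool:
    """True when the client still holds the short-lease authentication address."""
    return ipaddress.ip_address(client_ip) in nac_network


def check_redirect_dns(fqdn: str, vwlan_ip: str, resolve_a: Resolver, resolve_ptr: Resolver):
    """Pre-flight for Redirect to hostname: the A record (fqdn -> vwlan_ip) and the PTR
    record (vwlan_ip -> fqdn) must both exist and agree. Returns (ok, problems)."""
    problems = []
    a = resolve_a(fqdn)
    if a is None:
        problems.append(f"no A record for {fqdn}: clients cannot resolve the portal host name")
    elif a != vwlan_ip:
        problems.append(f"A record for {fqdn} is {a}, expected {vwlan_ip}")
    ptr = resolve_ptr(vwlan_ip)
    if ptr is None:
        problems.append(f"no PTR record for {vwlan_ip}: clients will be redirected to the IP "
                        "address and see a certificate name-mismatch warning")
    elif ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
        problems.append(f"PTR record for {vwlan_ip} is {ptr}, expected {fqdn}")
    return not problems, problems


def portal_redirect(client_role: str, scheme: str, vwlan_fqdn: str, vwlan_ip: str,
                    redirect_to_hostname: bool, redirect_https: bool,
                    resolve_ptr: Resolver) -> Optional[str]:
    """Location an un-registered client is redirected to, or None when the request passes through."""
    if client_role != "Un-registered":
        return None                      # authenticated roles are never intercepted
    if scheme == "https" and not redirect_https:
        return None                      # default: un-registered HTTPS traffic is not redirected
    if scheme not in ("http", "https"):
        return None                      # only web traffic is redirected to the portal
    host = vwlan_ip
    if redirect_to_hostname and resolve_ptr(vwlan_ip) is not None:
        host = vwlan_fqdn                # PTR answer present: redirect by host name
    return f"https://{host}/login.pl"


if __name__ == "__main__":
    ok, problems = check_redirect_dns("wlan.example.org", "192.0.2.10", A_RECORDS.get, PTR_RECORDS.get)
    print("DNS pre-flight:", "ok" if ok else problems)
    for scheme, https_on in (("http", False), ("https", False), ("https", True)):
        loc = portal_redirect("Un-registered", scheme, "wlan.example.org", "192.0.2.10",
                              True, https_on, PTR_RECORDS.get)
        print(f"{scheme} with HTTPS redirect {'on' if https_on else 'off'} ->", loc)
```

Running check_redirect_dns() against the organisation's real resolver before enabling Redirect to hostname catches the PTR gap while it is still a configuration question rather than a helpdesk ticket about browser certificate warnings.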
| 2016-05-18 09:32:27 | user | login | failed | Login user Bsmith at [e8:50:8b:e1:26:90]/10.253.143.2 has failed. | ERRORS |
| 2016-05-18 09:31:55 | defaultssid | auth | successful | User e8:50:8b:e1:26:90 successfully authenticated to SSID OpenSSID | INFORMATION |
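The two log rows above are the evidence an operator has when web authentication misbehaves: an open-system SSID association succeeds for a MAC address, then one or more login attempts for that MAC fail at the portal. The added example below (written for this page, not a vWLAN tool) parses rows in that pipe-delimited shape, pairs portal failures with the SSID association that preceded them, and raises an alert when one MAC accumulates repeated failures inside a short window, which is the pattern a guessing attempt against the portal would leave. The first two rows are the ones from the page; the remaining rows, the threshold and the window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rows in the guide's format: the two real rows first, then constructed rows for the demo.
SAMPLE_LOG = [
    "|2016-05-18 09:31:55||defaultssid||auth||successful||User e8:50:8b:e1:26:90 successfully authenticated to SSID OpenSSID||INFORMATION|",
    "|2016-05-18 09:32:27||user||login||failed||Login user Bsmith at [e8:50:8b:e1:26:90]/10.253.143.2 has failed.||ERRORS|",
    "|2016-05-18 09:32:41||user||login||failed||Login user bsmith at [e8:50:8b:e1:26:90]/10.253.143.2 has failed.||ERRORS|",
    "|2016-05-18 09:33:05||user||login||failed||Login user admin at [e8:50:8b:e1:26:90]/10.253.143.2 has failed.||ERRORS|",
    "|2016-05-18 09:40:12||user||login||failed||Login user jdoe at [00:11:22:33:44:55]/10.253.143.7 has failed.||ERRORS|",
]

FAIL_RE = re.compile(r"Login user (?P<user>\S+) at \[(?P<mac>[0-9A-Fa-f:]{17})\]/(?P<ip>[\d.]+) has failed\.")
ASSOC_RE = re.compile(r"User (?P<mac>[0-9A-Fa-f:]{17}) successfully authenticated to SSID (?P<ssid>\S+)")


def parse_row(row: str) -> dict:
    """Split one exported row into its six columns; doubled pipes (as in the guide) and
    single pipes are both accepted, and anything else is rejected rather than guessed at."""
    fields = [f.strip() for f in row.strip().split("|") if f.strip()]
    if len(fields) != 6:
        raise ValueError(f"expected 6 columns, got {len(fields)}: {row!r}")
    ts, category, action, result, message, level = fields
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "category": category,
            "action": action, "result": result, "message": message, "level": level}


def failed_logins(entries):
    """Portal login failures as (timestamp, mac, user, ip), oldest first."""
    out = []
    for e in entries:
        if e["action"] == "login" and e["result"] == "failed":
            m = FAIL_RE.search(e["message"])
            if m:
                out.append((e["ts"], m["mac"].lower(), m["user"], m["ip"]))
    return sorted(out)


def ssid_for_mac(entries, mac: str):
    """SSID the MAC most recently associated to, from the 'auth successful' rows."""
    ssid = None
    for e in sorted(entries, key=lambda e: e["ts"]):
        m = ASSOC_RE.search(e["message"]) if e["result"] == "successful" else None
        if m and m["mac"].lower() == mac.lower():
            ssid = m["ssid"]
    return ssid


def repeated_failures(entries, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Alert per MAC when at least `threshold` portal failures fall inside `window`.
    Returns {mac: {"count", "users", "ip", "ssid", "first", "last"}}."""
    per_mac = defaultdict(list)
    for ts, mac, user, ip in failed_logins(entries):
        per_mac[mac].append((ts, user, ip))
    alerts = {}
    for mac, events in per_mac.items():
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[mac] = {"count": j - i, "users": sorted({u for _, u, _ in events[i:j]}),
                               "ip": events[i][2], "ssid": ssid_for_mac(entries, mac),
                               "first": events[i][0], "last": events[j - 1][0]}
                break
    return alerts


if __name__ == "__main__":
    rows = [parse_row(r) for r in SAMPLE_LOG]
    for mac, a in repeated_failures(rows).items():
        print(f"{mac} on SSID {a['ssid']} from {a['ip']}: {a['count']} portal failures "
              f"({a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}) as {', '.join(a['users'])}")
```

Grouping by MAC rather than by user name is the point: the portal sees the client before it has any identity, so several distinct user names failing from one MAC on the same SSID is more informative than the per-user count a RADIUS server would keep.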