Operating algorithm
Supported from versions:
Devices: WLC-15/30/3200, ESR-15/15R/30/3200
WLC firmware version: 1.26.0
Devices: WEP-1L/2L/30L/30L-Z/200L и WOP-2L/20L/30L/30LS
AP firmware version: 2.5.0
RADIUS portal authorisation is supported on the access point (thereafter "AP").
The client connects to an open SSID. When the client first connects, there is no account for the client in the external system (RADIUS server) yet, therefore all client traffic is blocked except:
- DHCP;
- DNS;
- Requests to the portal address;
- URL/IP whitelist request.
After the client is connected, the AP tries to perform MAC Authentication Bypass (MAB) on the RADIUS server by substituting the client's MAC address into the User-Name and User-Password attributes in the Access-Request to the RADIUS server. Since the RADIUS server does not currently have an account with these parameters, the server sends an Access-Reject.
Next, the client accesses the HTTP resource. The AP intercepts the request and redirects the client to the guest portal that was set in the SSID (portal-profile) settings. The client goes to the portal using the received URL, which contains:
- switch_url – URL for redirecting the client after authorisation on the portal;
- ap_mac – MAC address of the AP to which the client is connected;
- client_mac – MAC address of the client;
- wlan – name of the SSID to which the client is connected;
- redirect – the URL that the client originally requested.
URL example:
https://eltex-co.ru/?switch_url=http://redirect.loc:10081&ap_mac=68:13:E2:35:1F:30&client_mac=38:d5:7a:e1:e0:13&wlan=Portal-SSID&redirect=http://www.msftconnecttest.com/connecttest.txt
Next, the user self-registers on the guest portal and is returned a redirect URL to the AP via the portal form, which contains parameters:
- username – user name;
- password – user password;
- redirect_url – URL that the client originally requested as the portal may have spoofed the address. In our example, the client tried to connect to http://www.msftconnecttest.com, but was redirected to https://eltex-co.ru;
- error_url – URL for redirecting the client in case of authorisation error. This parameter is not used in our example.
Parameter names can be redefined in the ap-profile configuration.
URL example:
http://redirect.loc:10081/?username=60336144&password=3hMYEPEW0tdb&buttonClicked=4&redirect_url=https://eltex-co.ru/
The client device opens the redirect URL received from the portal. The AP reads username and password from it, substitutes them into the User-Name and User-Password attributes in the Access-Request and sends the request to the RADIUS server. After the client is successfully authorised on the RADIUS server, the AP removes access restrictions and redirects the client to the URL specified in redirect_url. After the user is logged, his account for MAB authorisation is created in the RADIUS database.
If the client reconnects to the AP or connects to another AP (to the same SSID), authorisation will be performed by MAC address; an Access-Request MAB-authorisation request will return Access-Accept, as the RADIUS server already has the corresponding client account (MAB-authorisation is requested when the client connects to the AP, if the AP does not "remember" the client). The client will not be redirected to the portal until the client's MAC address is removed from the database.
WLC configuration
An example of the configuration will be made on the WLC configuration.
Configuration order:
- Create URL whitelist.
- Create IP address whitelist.
- Сreate portal-profile.
- Сreate radius-profile.
- Create ssid-profile.
- Add ssid-profile to ap-location.
Whitelists are designed to allow a user to access certain resources before authorisation if necessary. The list of these resources can be specified via URL, RegExp or IP subnet. Whitelists are not mandatory. The portal address is added to the whitelist automatically, so there is no need to specify it.
Create a whitelist of URLs, it can contain URLs and/or RegExp. Access to the specified addresses will be allowed before authorisation.
object-group url white_url url eltex-co.ru regexp '(.+\.)eltex-co\.com' exit
Create a whitelist of IP addresses, access to the specified addresses will be allowed before authorisation. You can add to the whitelist the addresses of subnets that are required for authorisation.
object-group network white_ip ip prefix 192.168.0.0/24 exit
Create portal-profile.
Parameters description:
redirect-url – portal address;
age-timeout – the time interval during which the access point "remembers" the client and does not perform MAB authorisation;
verification-mode – portal operation mode;
white-list domain – URL whitelist;
white-list address – IP addresses whitelist.wlc portal-profile portal-pr redirect-url https://eltex-co.ru age-timeout 10 verification-mode external-portal white-list domain white_url white-list address white_ip exit exit
With verification-mode external-portal, parameters are automatically added to the specified URL in redirect-url so that the resulting URL has the form:
https://eltex-co.ru/?switch_url=<SWITCH_URL>&ap_mac=<AP_MAC>&client_mac=<CLIENT_MAC>&wlan=<SSID>&redirect=<ORIGINAL_URL>
If the names of the parameters switch_url, ap_mac, client_mac, wlan, redirect need to be changed, it is possible to specify the line yourself through the parameter redirect-url-custom, for example:
redirect-url-custom https://eltex-co.ru/?action_url=<SWITCH_URL>&ap_addr=<AP_MAC>&client_addr=<CLIENT_MAC>&ssid_name=<SSID>&red_url=<ORIGINAL_URL>&nas=<NAS_ID>
In the example <NAS_ID> was added to the line and the following parameter names were changed:
- switch_url → action_url
- ap_mac → ap_addr
- client_mac → client_addr
- wlan → ssid_name
- redirect → red_url
The redirect line may contain placeholders:
- <NAS_ID>
- <SWITCH_URL>
- <AP_MAC>
- <CLIENT_MAC>
- <SSID>
- <ORIGINAL_URL>
Create radius-profile.
wlc radius-profile portal_radius auth-address 192.168.4.5 auth-password ascii-text encrypted 92BB3C7EB50C5AFE80 auth-acct-id-send acct-enable acct-address 192.168.4.5 acct-password ascii-text encrypted 92BB3C7EB50C5AFE80 acct-periodic acct-interval 300 exit exit
Create ssid-profile.
wlc ssid-profile portal_test ssid portal_test radius-profile portal_radius portal-enable portal-profile portal-pr vlan-id 3 band 5g enable exit exit
Add ssid-profile to ap-location.
wlc ap-location default-location description default-location mode tunnel ap-profile default-ap ssid-profile portal_test exit exit