Guest Access WLAN-External Hotspot with RADIUS Authentication

Summary

Guest access WLAN is designed for BYOD (Bring Your Own Device) deployments, where large organizations have both staff and guests on the same or similar WLANs. Cambium Networks offers several ways to achieve this, depending on where the captive portal page is hosted and which component validates the user and performs the authentication.

There are 3 locations where the captive portal page can be hosted:

  1. Internal Access Point (Limited customization like Logo and Background Image)
  2. External Hotspot (External 3rd party Web/Cloud hosted captive portal, fully customized)
  3. cnMaestro (Semi customized portal, with additional features like SMS Authentication, Payment Gateways and Vouchers)

Authentication Methods:

  1. Clickthrough (Portal page with a button to accept terms & conditions and get internet access)
  2. RADIUS (External authentication server, such as Windows NPS/IAS or FreeRADIUS)
  3. LDAP (Authenticate using LDAP/Active Directory)
  4. Local Guest Account (Single username/password stored on the Access Point)

In this document we will specifically cover External Hotspot with RADIUS-based authentication.

This setup consists of 3 main parts:

  1. Supplicant (Wireless clients: laptops, mobile phones, etc.)
  2. Authenticator (Cambium Access Points)
  3. Authentication Server (RADIUS)

The general workflow when an external server is being used is as follows:

[Figure: general workflow between the wireless client, the Cambium AP, the external captive portal and the RADIUS server; image not reproduced]

Configuration

  1. On cnPilot Access Points: Configure >> WLAN
  2. On cnMaestro: Shared Settings/ WLANs and AP Groups >> WLANs

Enter the WLAN/SSID name and enable it on the required radios of the AP.

Enter the AAA server settings, such as the IP address of the RADIUS server and the shared secret (this shared secret must match the secret configured for the AP on the RADIUS server).

Guest Access: Enter the URL of the captive portal hosted on the external web server.

For all of the authentication methods, the portal page hosted on the web server must make the client's browser POST the login form to the Access Point.

The POST must go to the Access Point at http://<AccessPoint IP Address>:880/cgi-bin/hotspot_login.cgi

Example

Here is a real example of the POST sent when the submit button is clicked:

AP IP : 10.110.234.1
Port No Opened On AP: 880

POST http://10.110.234.1:880/cgi-bin/hotspot_login.cgi?ga_ssid=Site1-E400-Guest-WLAN&ga_ap_mac=00-04-56-AE-28-E4&ga_nas_id=00:04:56:AE:28:E4&ga_srvr=10.110.234.1&ga_cmac=E4-A7-A0-48-7A-C9&ga_rssi=51&ga_Qv=eEROBR86HBgAGDEEVgQAGw4UWRUCACYVMgFPTC5ZLlVfXVVGWS9FVghZRyRLBhMUMww.&ga_orig_url=http://www.ndtv.com/

Here is the packet flow between AP and the wireless client:

  1. When a wireless client connects, it is redirected to a page whose URL has the following format:

    http://172.19.32.18/guest/guest_register_3_login.php?ga_ssid=Raj_HC_Emp&ga_ap_mac=00-04-56-BF-98-9E&ga_nas_id=E500-BF989E&ga_srvr=10.110.234.1&ga_cmac=74-DF-BF-B7-C6-8D&ga_Qv=eQeEROBR86HBgAGDEEVgQAGw4UWRUCACYVMgFPTC5ZLlVfXVVGWS9FVghZRyRLBhMUMww

    Web Server IP is : 172.19.32.18
    Cambium AP IP is : 10.110.234.1
    Client MAC : 74-DF-BF-B7-C6-8D
    Query String : Everything after the question mark in the above URL

    Note that the Cambium AP IP is carried in the ga_srvr parameter of the query string of the above URL.

  2. When the wireless client fills in the form and clicks the submit button, the Cambium AP expects the submit URL (internally called the POST URL) in the following format:

    http://10.110.234.1:880/cgi-bin/hotspot_login.cgi?ga_ssid=Raj_HC_Emp&ga_ap_mac=00-04-56-BF-98-9E&ga_nas_id=E500-BF989E&ga_srvr=10.110.234.1&ga_cmac=74-DF-BF-B7-C6-8D&ga_Qv=eQeEROBR86HBgAGDEEVgQAGw4UWRUCACYVMgFPTC5ZLlVfXVVGWS9FVghZRyRLBhMUMww

    Cambium AP IP: 10.110.234.1
    Cambium Port No: 880

    Note that everything received as part of the query string (everything after the question mark) in the redirection URL must be appended unchanged to the POST URL.
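The two-step exchange above (redirect to the portal, then POST back to the AP on port 880 with the same query string) is easy to get wrong on the portal side, typically by dropping or re-encoding one of the ga_* parameters. The following is an added example, not Cambium's code nor part of the original article, showing how a portal page can build the AP POST URL from the redirection URL it received and check that every parameter survived. The KNOWN_AP_ADDRESSES set is an assumption: the portal operator lists its own AP addresses so that the page only ever builds a form action for a known AP, rather than trusting the ga_srvr value from the incoming request blindly. Only the port 880 and the /cgi-bin/hotspot_login.cgi path come from the article.

```javascript
// Added example (not Cambium's code): derive the Access Point POST URL from the
// redirection URL the wireless client arrived with, keeping every ga_* parameter.

const AP_HOTSPOT_PORT = 880;                        // from the article
const AP_LOGIN_PATH = "/cgi-bin/hotspot_login.cgi"; // from the article

// Assumed: the portal operator knows the addresses of its own Cambium APs.
// Constructed sample set using the AP address from the article's example.
const KNOWN_AP_ADDRESSES = new Set(["10.110.234.1"]);

// Build http://<ga_srvr>:880/cgi-bin/hotspot_login.cgi?<original query string>.
// Throws if ga_srvr is missing or is not one of the known APs, so the page never
// points its login form at an arbitrary host named in the incoming request.
function buildApPostUrl(redirectUrl, knownAps = KNOWN_AP_ADDRESSES) {
  const url = new URL(redirectUrl);
  const apIp = url.searchParams.get("ga_srvr");
  if (!apIp) {
    throw new Error("redirect URL is missing the ga_srvr parameter");
  }
  if (!knownAps.has(apIp)) {
    throw new Error(`ga_srvr ${apIp} is not a known Access Point`);
  }
  // url.search is everything from the '?' onward; it is appended unchanged.
  return `http://${apIp}:${AP_HOTSPOT_PORT}${AP_LOGIN_PATH}${url.search}`;
}

// Check that the POST URL carries every parameter of the redirection URL
// with the same value (the AP rejects the login if any of them is lost).
function queryStringPreserved(redirectUrl, postUrl) {
  const original = new URL(redirectUrl).searchParams;
  const posted = new URL(postUrl).searchParams;
  for (const [name, value] of original) {
    if (posted.get(name) !== value) {
      return false;
    }
  }
  return true;
}

// Constructed sample input: the redirection URL from the article's packet-flow example.
const SAMPLE_REDIRECT =
  "http://172.19.32.18/guest/guest_register_3_login.php" +
  "?ga_ssid=Raj_HC_Emp&ga_ap_mac=00-04-56-BF-98-9E&ga_nas_id=E500-BF989E" +
  "&ga_srvr=10.110.234.1&ga_cmac=74-DF-BF-B7-C6-8D" +
  "&ga_Qv=eQeEROBR86HBgAGDEEVgQAGw4UWRUCACYVMgFPTC5ZLlVfXVVGWS9FVghZRyRLBhMUMww";

// Stand-alone usage: print the form action the portal page should use.
const samplePostUrl = buildApPostUrl(SAMPLE_REDIRECT);
console.log("form action:", samplePostUrl);
console.log("all parameters preserved:", queryStringPreserved(SAMPLE_REDIRECT, samplePostUrl));
```

In the portal page itself, the string returned by buildApPostUrl is what goes into the login form's action attribute (with method POST); browsers keep the query string on the action URL when submitting a POST, which is exactly what the AP expects. Keeping the ga_Qv value byte-for-byte identical matters most, since it is an opaque token the AP issued for that client session.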