This document explains the configuration of the Internal Guest Portal.
DHCP server/Gateway (VLAN1) ßà E400 AP ßà Client device.
Configuration on the AP:
Navigate to Configuration>WLAN and add WLAN. On the WLAN Basic page, configure SSID, VLAN, and security. Security should be configured to “Open”.
Navigate to Guest Access page and enable Internal Access Portal. To demonstrate guest page redirection, I have configured access policy to Local Guest Account (User name and password configuration on the AP). This is common user credential for the all users who are connecting to the WLAN. Local Guest Account supports 128 characters in the User Name & user Password field.
Configure Redirect Mode to “HTTP” because HTTPS redirect needs certificate on the AP.
We can configure splash page Title, Contents, and Terms.
Additionally, we can change default logo & Background image on the splash page. The AP GUI has option to configure URL where logo & Background image are hosted. The logo & Background image can be either hosted on the local web server or over the internet.
Example 1: Web server is in the internal network.
I have web server (192.168.88.63) in the network and hosted logo & Background image.
Example 2: Web server is hosted over the internet.
Session & Inactivity Timeout: Default configuration of Session Timeout is 8 hours (28800 Seconds) and Inactivity Timeout is 1 hour (1800 seconds). This value can be increased if require. User has to login again if either of the Timeout threshold value triggered.
Redirect “HTTP Only”: Enable Redirect to “HTTP Only”. This will help to avoid getting security working when user attempt to redirect using https website. User will not redirect to the splash page until user will try with pure HTTP website.
Redirect User Page: This will help user to logout the session. We can modify redirect User Page URL/IP address. Redirect User Page URL/IP should not be route to the internet.
Success Action: Success Action can be configured to “Internal Logout page” or “Redirect User to External URL” or “Redirect user to Original URL”.
- Internal Logout Page: user will be redirect to Internal Logout Page after successful authentication. We can modify Success message which will be displayed on Internal Logout Page.
- Redirect User to External URL: We need to configure Redirect URL. This will redirect user to specific URL after successful authentication.
- Redirect user to Original URL: This will redirect user to original URL which is used to get redirection to the splash page.
Splash page Redirect & Authentication process:
Now a days, most of the client OS supports CNA- Captive Network Assistance to auto pop up splash page. If CNA is not supported by the OS, user must manually redirect to the splash page with the help of pure http URL/website.
The AP will redirect the user to the splash page when CAN or manual redirect trigger.
User will enter the credential and hit login button. As soon as user hit login button, browser will send HTTP POST to the AP. If user entered correct credential, AP will redirect user to the page as configuration of Success Action and allow all traffic from the user.
Internal Logout Page:
User can logout the session by hitting Logout button or entering 184.108.40.206/logout. Here, 220.127.116.11 is the Redirect User Page IP configured on the AP. I have change default 18.104.22.168 because 22.214.171.124 is public DNS server. Redirect User Page IP should be dummy IP which is not router to internal or external network.
Sometime, the user does not redirect to the splash page and get security warning as shown in the screenshot. This could happen if the user has tried to surf a HTTPS website. User must try pure HTTP website or CNA to redirect to the splash page. To avoid security error, “Redirect” field on the guest configuration must be enabled with “HTTP-only”. It does not help to have HTTPS redirection.
Sometime, user can redirect to the splash page; However, splash page does not load logo & background image. This could happen if communication to web server is blocked or web server is not operational. First, we need to check the status of the web server and confirm that it is in the running state. Then, ping web server IP from client device. If any ACL rule configure, make sure that IP address/URL of the web server is allowed.