    Configuring Extended Captive Portal

    Extended Captive Portal enables you to redirect traffic from Wi-Fi clients to a specified portal before granting those clients full Internet access.

    Once configured, Extended Captive Portal performs the following functions:

    • Redirecting unauthorized clients to a Portal Page (“Walled-Garden” access)
    • Managing user authentication and accounting using RADIUS
    • Managing RADIUS server accounts

    After you have configured Extended Captive Portal settings, you can direct traffic to a page hosted by the captive portal solution you are using. Redirecting HTTP traffic is handled by the AirLink router.

    For website authentication and managing RADIUS server accounts, use a solution compatible with CoovaChilli such as Picopoint, Colony Networks or HotspotSystem.

    For a more basic captive portal solution that doesn’t require login credentials or password, see Simple Captive Portal.

    Below is a flow diagram showing the different Extended Captive Portal components and how Internet access is granted (or denied) to clients.

    Before You Begin

    • Configure a Wi-Fi Access Point on the router for use by captive portal clients. See Wi-Fi Configuration.
    • Select a CoovaChilli-compatible captive portal solution and configure the required settings as directed by your vendor.

    Once these prerequisites are met, you can configure AirLink OS Extended Captive Portal settings.

    To configure Extended Captive Portal, go to Networking > Captive Portal > Extended Captive Portal. The Extended Captive Portal settings, some of which may not be required by your captive portal solution vendor, are listed and described below.

    Extended Captive Portal settings

    UAM settings such as the one shown below are pre-populated with the default values from CoovaChilli. The default values will help you (if you are familiar with CoovaChilli) know which values in AirLink OS map to which value in the CoovaChilli config file.

    Most CoovaChilli solutions will tell you which values to change, and they will refer to these values by their names in the config file. These default UAM values will help you determine which value in AirLink OS is which.

    SETTING DESCRIPTION
    ENABLE

    Enable or disable the captive portal.

    • Off (default)
    • On

    WI-FI APS

    Select the Wi-Fi Access Points and/or SSIDs that will route traffic to the captive portal.

    The Wi-Fi options will vary depending on the router model and configuration.

    WAN INTERFACE

    Select the WAN interfaces that captive portal traffic is routed through. You can use this setting to restrict customers’ bandwidth access to a particular WAN interface. Leave blank to use any WAN interface, which can reduce network interference for users. When WAN INTERFACE is blank, captive portal traffic will use the default route (as displayed under Status > Networking > MultiWAN > Default IPv4 Traffic).

    WAN interface options will vary depending on the router model and configuration.

    GATEWAY IP

    Enter the captive portal’s IP address on the subscriber network. The address is limited to a value in the range defined by the NETWORK and NETMASK.

    For example, if NETWORK is 192.168.0.0 and NETMASK is 255.255.255.0, the GATEWAY IP must be in the range 192.168.0.1 through 192.168.0.255.

    NETMASK

    Enter the netmask that defines the LAN segment based on the NETWORK.

    For example, 255.255.255.0 is a “/24” netmask. If the NETWORK field is 192.168.0.0 and the GATEWAY IP is 192.168.0.1, devices connecting to the captive portal will be assigned addresses in the range 192.168.0.2 – 192.168.0.255.

    NETWORK

    Enter the CoovaChilli network IP address: the internal IP address of the captive portal on the router.

    Example: 192.168.0.0

    Note: Internally, this value is assigned to the variable $HS_UAMLISTEN.

    PRIMARY DNS SERVER

    Enter the IP address of the preferred DNS server to use.

    SECONDARY DNS SERVER

    Enter the IP address of the alternate DNS server to use if the Primary DNS is unavailable.

    PRIMARY RADIUS SERVER

    Enter the IP address of the computer where the RADIUS server is running, as provided by your CoovaChilli solution.

    SECONDARY RADIUS SERVER

    Enter the IP address of the computer where the secondary RADIUS server is running.

    RADIUS SECRET

    Enter the secret shared with the RADIUS server.

    RADIUS AUTHENTICATION PORT

    Enter the UDP port used for RADIUS authentication requests. Default port is 1812.

    RADIUS ACCOUNTING PORT

    Enter the UDP port used for RADIUS accounting requests. Default port is 1813.

    RADIUS COA PORT

    Enter the RADIUS Change of Authorization port (if supported by your solution provider). COA allows a RADIUS server to adjust an active client session and force clients to reauthenticate or disconnect. This is the port through which the RADIUS server sends change of authorization requests. Default port is 3799.

    MAC AUTHENTICATION

    Select the MAC authentication mode. Options are:

    • Local: Allows you to enter a list of authorized MAC addresses in the MAC Allow List
    • Server (default): Allows you to authorize the host from RADIUS (outside of AirLink OS) using RADIUS MAC authentication
    • Off

    Some captive portal solutions support RADIUS MAC authentication, where clients need to log in and authenticate only once, and afterwards can access the web without authentication once the client’s MAC address is recognized.

    MAC ALLOW LIST

    Enter a comma-separated list of the MAC addresses of devices that do not require authentication for Internet access. The maximum number of entries is 10.

    UAM SERVER

    Hostname of captive portal server. URL of the portal to which you want to redirect users. This portal must be hosted by a CoovaChilli-compatible server solution.

    UAM FORMAT

    URL of captive portal. Use the default value unless otherwise instructed.

    UAM HOME PAGE

    Captive portal main page (login page, for example). Use the default value unless otherwise instructed.

    UAM DOMAINS

    Users can access these sites without being authenticated.

    UAM DOMAINS is a comma-separated list of domain prefixes that can be accessed via the captive portal page before the user is approved. For example, if the captive portal has a paid tier of services, the user must be able to connect through to an appropriate payment site. If the payment site is not in this list, the portal would prevent it from being accessed. Use the default list (.paypal.com,.paypalobjects.com) to allow users to pay for service using PayPal, or add additional domain prefixes to use other services.

    UAM ALLOW LIST

    Enter URLs for web sites that can bypass the captive portal and be accessed by any client connected to the access point without authenticating. Enter domain names, IP addresses or network segments.

    UAM SECRET

    Shared secret between the router and the captive portal. You must configure the shared secret on both the router and the captive portal side.

    NAS ID

    RADIUS NAS (Network Access Server) Identifier for each device accessing the captive portal. When clients request access to the RADIUS server, the NAS ID identifies the Access Point to the RADIUS server.

    UAM PORT

    Captive portal’s UAM (Universal Access Mode) port on the subscriber network. Use the default value (3990) unless otherwise instructed.

    UAM UI PORT

    Captive portal’s UAM “UI” port on the subscriber network, for embedded portal. Use the default value (4990) unless otherwise instructed.

    SESSION TIMEOUT

    The session timeout to be used if not defined by the RADIUS server. Enter the maximum time a session can stay open before automatically ending.

    • Leave blank for no time limit
    • Enter a time (seconds are the default units) for the session timeout

    IDLE TIMEOUT

    The idle timeout to be used if not defined by the RADIUS server. Enter the maximum time a session can remain idle before automatically ending.

    • Leave blank for no time limit
    • Enter a time (seconds are the default units) for the idle timeout

    MAX DOWNLOAD SPEED

    Maximum download speed

    • Leave blank for no limit (can use all available bandwidth)
    • Enter a Maximum download speed (bits per second is the default unit)

    MAX UPLOAD SPEED

    Maximum upload speed

    • Leave blank for no limit (can use all available bandwidth)
    • Enter a Maximum upload speed (bits per second is the default unit)
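
    A pre-deployment check of the constraints stated in the settings above (GATEWAY IP inside the NETWORK/NETMASK range, the documented default ports, both shared secrets set, and the 10-entry MAC ALLOW LIST limit), as an added example that is not part of the original page, AirLink OS or CoovaChilli. The dictionary keys, the accepted MAC notation and the duplicate check are assumptions made for this example.

```python
import ipaddress
import re

# Default ports and the 10-entry limit come from the settings table above.
DEFAULT_PORTS = {"radius_auth_port": 1812, "radius_acct_port": 1813,
                 "radius_coa_port": 3799, "uam_port": 3990, "uam_ui_port": 4990}
MAX_MAC_ENTRIES = 10
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}")  # assumed notation

# Constructed sample; the key names are hypothetical, not AirLink OS identifiers.
SAMPLE = {"network": "192.168.0.0", "netmask": "255.255.255.0",
          "gateway_ip": "192.168.0.1", "radius_secret": "example-radius-secret",
          "uam_secret": "example-uam-secret", "mac_authentication": "Local",
          "mac_allow_list": "00:11:22:33:44:55, 00-11-22-33-44-55"}

def check_portal_settings(cfg):
    """Return a list of problems found in a dict of planned settings."""
    problems = []
    # GATEWAY IP must lie in the range defined by NETWORK and NETMASK.
    try:
        net = ipaddress.IPv4Network(f"{cfg['network']}/{cfg['netmask']}")
        gateway = ipaddress.IPv4Address(cfg["gateway_ip"])
        if gateway not in net or gateway == net.network_address:
            problems.append(f"gateway_ip {gateway} is not usable in {net}")
    except (KeyError, ValueError) as exc:
        problems.append(f"network/netmask/gateway_ip: {exc}")
    # Ports fall back to the documented defaults when not set.
    for name, default in DEFAULT_PORTS.items():
        port = cfg.get(name, default)
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{name}: {port!r} is not a valid port")
    # Both shared secrets must be configured on the router side.
    for name in ("radius_secret", "uam_secret"):
        if not cfg.get(name):
            problems.append(f"{name} is empty")
    # In Local mode every listed MAC skips authentication: keep the list
    # well-formed, free of duplicates (added check) and within the limit.
    if cfg.get("mac_authentication") == "Local":
        macs = [m.strip() for m in cfg.get("mac_allow_list", "").split(",") if m.strip()]
        if len(macs) > MAX_MAC_ENTRIES:
            problems.append(f"mac_allow_list has {len(macs)} entries (max {MAX_MAC_ENTRIES})")
        seen = set()
        for mac in macs:
            if not MAC_RE.fullmatch(mac):
                problems.append(f"mac_allow_list: {mac!r} is malformed")
            elif mac.lower().replace("-", ":") in seen:
                problems.append(f"mac_allow_list: {mac!r} is duplicated")
            seen.add(mac.lower().replace("-", ":"))
    return problems

print(check_portal_settings(SAMPLE))
```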
