Captive web portal for wired clients?

  • Question
  • Updated 5 years ago
  • Answered
Hello,

we've set up an independent network with a local virtualized HiveManager instance, several APs and an Internet router. Furthermore we've created an SSID with private PSK users and a captive web portal to provide access to the Internet to our business guests, which works very well. Sometimes our guests only have restricted access to their hardware because of their employer's security policies, so that they can't use the wireless network card. In such cases we provide wired access to the network. I know that captive web portals are bound to the SSID, but is there a way that wired clients can't simply bypass the Aerohive devices and also have to confirm the captive web portal before they get access to the Internet?

Best regards.

User0815


Posted 5 years ago


Tash Hepting

You can enable captive web portal (CWP) auth on wired ports so clients connecting to these ports will be prompted to log on (or click-to-accept).

The configuration varies a bit depending on which software version you are using and which device you want to enable it on. In 5.1rx you can enable it in a routing/wifi network policy by going into the "Router LAN Ports" section of the config. For APs, it's in the "LAN ports" section at the bottom of the network policy configuration. Check the online help; it should have some more details.

In 6.0r2 you use device templates to configure the ports, so the configuration will look a bit different.

User0815

We are already on 6.0r2a. I've got a BR100 configured as AP for testing. I added device template and port type settings to the policy. I enabled CWP in the port type section, but I can't choose any. Understandably, if I try to upload the config it says "The CWP must be configured in Port Type (BR100) in network policy (xxx)". But how?

Brian Powers, Champ

So once you tick the CWP box when creating your port type policy, and Ok that screen and get taken back to the Network Policy wizard, you should see the following...

Clicking on the will take you to either the CWP wizard, or the menu option to select an existing CWP. This should apply the CWP to the wired ports on the device you are working with (BR or SR).

User0815

Here is what I get...




Brian Powers, Champ

So, save that screen and it'll take you back to your first image's screen. And just after the port type (BR100AP), you should see the link to add/create a CWP for the ports. I'm testing this on a BR200, but surely the BR100 has similar capabilities. Let me dig one up and I'll verify for sure.

User0815

I've already saved that before. Just wanted to show you the settings to be sure that there is no mistake in it.

Brian Powers, Champ

So far, looks good. Just add the CWP back in the original page, and push out to device and that should get it.

User0815

I can't. There is no link to choose the CWP. Probably a bug.

Brian Powers, Champ

Checking that now on the BR100. Earlier you said "BR100 configured as AP for testing"; can you elaborate more on that? Do you actually have it set to act as an AP? You actually have it set under "Device Function" as an AP? That shouldn't actually matter at the point where we are as we're just creating the Network Policy...

Well, so fired up a BR100, and I have the option for the CWP after I tick the box in the port configuration window...



Somehow or another we're not on the same page (figuratively...)

Let me dump the 6.0r2a code on it and see if it changes.

Brian Powers, Champ

On 2nd thought, it still doesn't matter what code is on the BR as all we are doing is creating the Policy still...

User0815

Sorry for being imprecise. Yes, the BR100 is set to act as an AP and I have it set under "Device Function" as an AP.

Andrew Garcia, Official Rep

I just played around with this and it looks like it depends on what features are enabled for the Network Policy. A network policy that includes branch routing and wireless looks like what Brian has depicted above (i.e., the CWP option appears under port types).

However, if the network policy only has wireless, the CWP option does not appear for the BR100 Device Template.

In the short term, try adding Branch Routing to your network policy, and I will look into why the CWP doesn't appear here.

User0815

I will do so and give you a report later.

User0815

I created a new policy, added Branch Routing support, transferred our wireless settings and now it works!

User0815

Now that I was able to enable CWP on wired ports, I wonder if it is not possible to authenticate there with the same Private PSK-Auto credentials that wireless users need for establishing the wireless connection? I don't like to set up a RADIUS server where I need to generate different credentials. Or can I configure an AP as a RADIUS server?

Andrew Garcia, Official Rep

Unfortunately, Private Pre-shared keys cannot be used for Captive Web Portal authentication. While all of our other APs and Branch Routers can be configured as a RADIUS server, that feature is not available on a BR100.

User0815

Andrew, can PPSKs not be used for CWP authentication at all, or only not on a BR100? Can a BR100 ask a RADIUS server (AP330) for PPSKs?

Andrew Garcia, Official Rep

Thanks for bringing this issue to light. With the next version of HiveManager, you will be able to put a CWP on BR100 AP Ethernet ports when using a wireless only policy.

User0815

Thank you!