external CWP

Hi, I am planning on creating an external CWP using PHP on a web server.
As I have seen in the docs, I need to POST a username and a password from my custom page to my login script and then POST something back to the AP. But there is no information on what to POST to the AP and to which URL / IP. If anyone can point me to some docs that include this type of information, or even give me a direct answer, that would be really helpful.
Thanks.
Stavros Charitidis


Posted 4 years ago

David Simon

Out of the HiveManager Help:

HiveManager 6.1r3 Enterprise Mode Help System.


External Web Server (amigopod Visitor Management Appliance) 

This is an example of configuring an amigopod Visitor Management Appliance to function as an external web server for a captive web portal using external authentication. For Help, see "Captive Web Portal Settings".

On the amigopod VMA, configure a web login page and NAS (network access server) list that includes the APs that will be redirecting unregistered users' HTTP or HTTPS traffic to the amigopod appliance. The following are the basic steps involved in establishing communication between the AP and amigopod VMA.

  1. Click RADIUS Services > Web Logins > Create a new web login page, enter the following, and then click Save Changes:

Name: Enter a name for the RADIUS web login.

Page Name: Enter the name of the web page. The amigopod VMA adds this to its IP address or domain name to form a complete URL like this: <ip_addr>/<page_name>.php. For example, if the amigopod VMA is at 10.1.1.5 and you name this page "ecwp", then the login URL is http://10.1.1.5/ecwp.php, which is what you enter in the Login URL field when configuring the external server.

Vendor Settings: Custom Settings

Submit URL: Enter a URL like this: https://1.1.1.1/reg.php

The Aerohive device tracks the wifi interface on which the HTTP POST with the user name/password arrives. When the device receives a response from the amigopod VMA, it can automatically exchange the destination IP address from what it receives to that of the correct interface—as long as the received IP address does not match any address that the Aerohive device is already using on an interface. If it does match an existing interface IP address, the device does not translate the address. For example, an Aerohive AP has these addresses:

  • 802.11a radio interface (wifi1.x) = 1.1.1.1/24
  • 802.11b/g radio interface (wifi0.y) = 1.1.2.1/24
  • mgt0 interface = 192.168.18.1/24

Entering these IP addresses in the Submit URL field produces the following results:

  • Submit URL = http://1.1.1.1/reg.php: matches the wifi1.x IP address and can only work for that interface.
  • Submit URL = http://1.1.2.1/reg.php: the same as above, but for wifi0.y.
  • Submit URL = http://192.168.18.1/reg.php: matches the mgt0 interface and will not work for either wifi interface.
  • Submit URL = http://208.132.55.21/reg.php (any IP address that does not conflict with an existing interface address on the AP): can work for both the wifi0 and wifi1 interfaces.

If you want an SSID with an external captive web portal to operate on both radios, set their IP addresses in different subnets with netmasks that are not smaller than 24 bits, and set the Submit URL on the amigopod VMA to be any IP address other than one that the Aerohive device is already using on one of its interfaces.

Submit Method: POST

Username Field: Enter the name of the user name field for the login form. By default, it is username.

Password Field: Enter the name of the password field for the login form. By default, it is password.

Password Encryption: Choose the same method that you configured on the AP: No encryption (plaintext password), UAM basic, or UAM with shared secret. If you want users to create their own accounts on the external web server, choose No encryption (plaintext password). If you populate the RADIUS server with user accounts and require the user to submit a user name and password, then choose one of the other options.

UAM Secret: If you choose UAM with shared secret, then enter the same secret here as you did in the Shared Secret field in the captive web portal definition on the AP.

In the Login Page section, use HTML code to design the layout of the login page.

In the Network Login Access section, enter the IP addresses from which you want to allow or deny login access.

  2. Click RADIUS Services > NAS List > Create, enter the following, and then click Create NAS Device:

Name: Enter a name for the NAS (AP) that will be communicating with the amigopod VMA.

IP Address: Enter the IP address or domain name of an AP or an IP address/netmask for a group of APs in the same subnet.

NAS Type: Aerohive (RFC 3576 support)

Shared Secret: Enter the same shared secret that you used in the RADIUS server definition for the amigopod Visitor Management Appliance, which you previously configured on the AP.

Confirm Shared Secret: Enter the shared secret again to confirm accuracy.

  • See the amigopod product documentation for further details and for the configuration of features such as RADIUS services and hotspots, which are necessary for the VMA to perform user authentication.

Copyright © 2014 Aerohive Networks, Inc.
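As an added example (not from the thread or from the Aerohive help), the Submit URL rule quoted above encoded as a check: given an AP's interface addresses, which wifi interfaces a candidate Submit URL can serve, plus the dual-radio subnet precondition from the last paragraph of that section. The interface names and addresses are the ones in the help text, held in a constructed table.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed AP address table: the three interfaces named in the help text.
AP_INTERFACES = {
    "wifi1.x": "1.1.1.1/24",
    "wifi0.y": "1.1.2.1/24",
    "mgt0": "192.168.18.1/24",
}


def interfaces_served(submit_url, interfaces=AP_INTERFACES):
    """Which wifi interfaces a given Submit URL can serve.

    Per the help text, the AP rewrites the destination of the client's
    POST to the correct wifi subinterface only when the URL's host is an
    IP the AP does NOT already use. A host that matches an interface is
    pinned to that interface, and to nothing at all if it is mgt0.
    """
    target = ipaddress.ip_address(urlsplit(submit_url).hostname)
    wifi = [name for name in interfaces if name.startswith("wifi")]
    for name, cidr in interfaces.items():
        if ipaddress.ip_interface(cidr).ip == target:
            return [name] if name in wifi else []
    return wifi


def dual_radio_ok(interfaces=AP_INTERFACES):
    """Precondition for running the eCWP SSID on both radios: the wifi
    subinterfaces must sit in distinct subnets with netmasks of at least
    24 bits (the help's 'not smaller than 24 bits')."""
    nets = [ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items() if name.startswith("wifi")]
    if any(net.prefixlen < 24 for net in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
```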


Stavros Charitidis

I am going to try it and get back with the results, as I am assigned to do this remotely.
Thank you for your detailed response.
Stavros Charitidis

Hi, I would like some extra information if anyone can help.

After sending the user to the external page, where he is requested to input the username/password, and after the external page successfully authenticates the user credentials (using a MySQL database), what needs to be done in order to inform the AP to give internet access to that user?

Thank you.
David Simon, Employee

When the CWP server (external CWP) has finished auth for the client, it should send an HTML page to the client. This page can send a POST request to the AP automatically. Some necessary information should be included in the POST request. The following code can send the POST request automatically:

<form name="weblogin_form" method="POST" action="http://1.1.1.1/reg.php">
<!-- Submit2 and autherr are expected by the AP; autherr=0 in this sample -->
<input type="hidden" name="Submit2" value="Submit">
<input type="hidden" name="autherr" value="0">
<!-- username/password are forwarded by the AP to RADIUS; this sample uses the client MAC (MAC auth) -->
<input type="hidden" name="username" value="00-1D-D9-6B-17-48">
<input type="hidden" name="password" value="00-1D-D9-6B-17-48">
<input type="hidden" name="ssid" value="e-cwp">
<!-- url: where the client is sent after a successful login -->
<input type="hidden" name="url" value="http://www.aerohive.com">
</form>

<script type="text/javascript">
// submit the form automatically half a second after the page loads
window.setTimeout(function () { document.weblogin_form.submit(); }, 500);
</script>

The client completes the form and submits. An HTTP response is generated containing an HTML login message that contains the "url", "ssid", "username", "password", and "autherr" variables. The client is redirected automatically to the NAS login, which will be an HTTP POST.

The HiveAP receives the request, fetches the username and password from the HTTP request, and generates a RADIUS request to the RADIUS server to do authentication.
If it receives an Access-Accept, it lets the client access the network;
else, if it receives an Access-Reject, it redirects to the eCWP login page.
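An added example (not code from the thread or from Aerohive) of what the external login script does on the server side, written in Python rather than the poster's PHP: check the submitted credentials locally, then render the auto-submitting page above with every value escaped. The user store, salt and sample account are constructed placeholders; the field names are the ones from the form above.

```python
import hashlib
import hmac
import html

# Constructed stand-in for the poster's MySQL user table: username -> PBKDF2 hex.
# The salt and the sample account are placeholders invented for this example.
_SALT = b"constructed-salt"


def _pbkdf2(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()


USERS = {"guest42": _pbkdf2("s3cret")}


def credentials_valid(username, password):
    """Local check before the client is handed on to the AP. The AP then
    re-checks the same credentials against RADIUS, so both stores must
    agree (the thread's autherr=1 came from a RADIUS reject)."""
    stored = USERS.get(username)
    if stored is None:
        _pbkdf2(password)  # same cost for unknown users: no timing oracle
        return False
    return hmac.compare_digest(stored, _pbkdf2(password))


def ap_login_page(submit_url, username, password, ssid, url, autherr=0):
    """Render the auto-submitting page that posts to the AP's Submit URL,
    using the field names from the form above. Every value is escaped:
    username and url originate from the client, and an unescaped value
    would let a visitor inject markup into the page the server serves."""
    def esc(s):
        return html.escape(s, quote=True)
    fields = {"Submit2": "Submit", "autherr": str(autherr), "username": username,
              "password": password, "ssid": ssid, "url": url}
    inputs = "\n".join(f'  <input type="hidden" name="{k}" value="{esc(v)}">'
                       for k, v in fields.items())
    return (f'<form name="weblogin_form" method="POST" action="{esc(submit_url)}">\n'
            f'{inputs}\n</form>\n'
            '<script>window.setTimeout(function () {'
            ' document.weblogin_form.submit(); }, 500);</script>\n')


def handle_login(submit_url, ssid, username, password, url):
    """One login request: None means re-show the form, otherwise the page
    that forwards the client (and its credentials) to the AP."""
    if not credentials_valid(username, password):
        return None
    return ap_login_page(submit_url, username, password, ssid, url)
```

In this flow the password travels through the client's browser to the AP as a plain form field, which is the "No encryption (plaintext password)" option from the help text; the UAM basic and UAM with shared secret options exist for deployments that must not do that.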

Stavros Charitidis

Hi again, the address 1.1.1.1 is not accessible from the external page. So where exactly do I have to POST this data? To the public IP of the AP?
I would also like to know if the values in the form submit are some default values that need to change based on my configuration, or whether they have to be as they are.
Thank you very much for your help.
David Simon, Employee

Hi,

The IP 1.1.1.1 is the virtual IP for one of the AP's interfaces:

Example:
Use default network settings: Select the check box to use the default network settings for the subinterface hosting the SSID and for the clients associated with the AP. By default, the AP assigns IP addresses to subinterfaces for captive web portal use as follows:
  • Eth0 — 1.2.1.1/24
  • Eth1 — 1.2.2.1/24
  • Eth2 — 1.2.3.1/24
  • Although the default IP subnet is dependent on the physical port number, such as Eth0, the actual IP addresses appear on subinterfaces of the mgt0 interface. For example, the default IP subnet of a CWP hosted on the Eth4 port is 1.2.5.1/24, but the logical interface on which the IP address appears can be any management subinterface, such as mgt0.2.

... ... ...

  • wifi0.1 — 1.1.1.1/24
  • wifi0.2 — 1.1.2.1/24
  • wifi0.3 — 1.1.3.1/24

... ... ...

  • wifi0.16 — 1.1.16.1/24
  • wifi1.1 — 1.1.101.1/24
  • wifi1.2 — 1.1.102.1/24
  • wifi1.3 — 1.1.103.1/24

... ... ...

  • wifi1.16 — 1.1.116.1/24

The IP does not need to be reachable by the external web server; it works over the HTTP request between the client and the web server.
Stavros Charitidis

Hi again, do I have to put some other values in username / password in the form POST,
other than 00-1D-D9-6B-17-48 / 00-1D-D9-6B-17-48?
The current response is "Secure Internet portal Login failed".
Does it have to be a valid login from the RADIUS server or something?
David Simon, Employee

You must use the user credentials here; the example above shows MAC auth.
It must be a valid login which the RADIUS server in the back grants access for.
Stavros Charitidis

I have created a RADIUS user and I have put the username and password in the form submit, but the user is not authenticated and in the URL I can see autherr=1. Is this a misconfiguration on where to get the users from?
David Simon, Employee

It seems to be a problem in your HTML code; the user gets no access over your website.
The website also needs to check the username and password in an existing database.

After that, the POST will be realized and the AP proceeds with a normal RADIUS auth against the RADIUS server with the same username and password.

Also can you please post a screenshot of the CWP configuration in HiveManager?
Stavros Charitidis

It was the RADIUS server that was not authenticating the user. Now that it is set correctly, it started working as expected.
Thank you very much for your help.
Jonas Dekkers

Hi David, can you help me also? I'm also creating a guest manager and want to integrate a CWP with external authentication. Below you can find some screenshots from my configuration.
Configuration:


CWP Configuration:


Form code:

Error message:
Jonas Dekkers

Can someone help me with this?

Regards