This time I would like to share some thoughts about the local captive portal authentication on the MSM controllers. For this post I will keep it simple and will use the local RADIUS server for authentication. In a later post, I will also show the remote authentication capabilities. For a small environment it should be OK to use the local RADIUS database for the captive portal. To manage the users on the controller, it is possible to use a small tool, without logging into the controller web GUI every time. I will show this tool at the end of this post.
For this test I used the latest and greatest version of the MSM controller software, which is 18.104.22.168-16925.
Prepare the controller for captive portal
When doing captive portal on the controller, all traffic needs to go through the controller, to present the captive portal to the clients. The controller acts as a L2 firewall, restricting all traffic from unauthenticated clients, except DHCP requests and DNS queries. Those packets need to be forwarded to let the captive portal work.
I will start by disabling NAT on the egress interface, which is the internet port:
I will not use the DHCP server on the controller itself, as this will not work when doing teaming. Therefore I will explain how to use the DHCP relay agent. Go to “Network–>Address allocation”:
Just select “DHCP relay agent” and press the “Configure” button:
Enter a dummy server address and make sure that only the Client data tunnel, which is the tunnel carrying the client data traffic, is selected for the DHCP relay agent. Also check the check box for “Extend VSC egress subnet to VSC ingress subnet”. This will make sure that the traffic is bridged on L2 to the egress network and vice versa. Then press “Save”.
I will now create a VLAN, which will be tagged on the internet port and will carry the user traffic that has already passed the controller. Create a new “Network profile”: go to “Network–>Network profiles” and click “Add New Profile…”:
Click “Save” to create the profile. Afterwards we need to map this profile to the internet port. Go to “Network–>VLANs” and click on the created profile:
After clicking “Save”, the VLAN is mapped to the internet port. On the switch side, this VLAN needs to be tagged.
To complete the controller configuration, we need to create an IP interface for this VLAN. Go to “Network–>IP interfaces” and add a new interface:
It is important to disable NAT. Whether the IP address is assigned statically or by DHCP doesn’t matter. Click “Save” and we are done with this part.
Configure A VSC For Captive Portal
As the controller is now ready, we need to create an SSID which will use the captive portal for authentication. The SSID is configured by creating a VSC, or Virtual Service Community. The configuration is quite easy.
To create a new VSC go to “VSCs–>Add new VSC profile…”. This will bring you to the configuration screen for the VSC. I will go through every configuration item which is important or differs from the default setting.
Please consider a good name for the VSC, maybe better than mine 🙂 The important stuff is below the profile name: the check boxes for “Authentication” and “Access control”. Both boxes need to be checked to let the captive portal work. If you miss one of the two, HTML-based authentication, which is the captive portal, will not be available.
This settings box will configure the SSID name, and you have to make sure that the “Always tunnel client traffic” check box is checked. You can also play with the other settings, but this is not within the scope of this post.
In this settings part you can configure which VLAN to use for which client. For 99% of environments it is necessary to use the created VLAN for both “Unauthenticated” and “Authenticated” clients. I’ve never seen a configuration which was different, but it is good to know that it is possible to map authenticated clients to another VLAN than unauthenticated ones.
Those settings will enable the captive portal for the SSID. As we will look at local authentication, we use the check box for local. Remote authentication capabilities will be explained in a later post.
The last configuration step is to configure the DHCP relay agent for this VSC. This one is as easy as the other ones: just enable the agent and select “Forward to egress interface”. This option will send all DHCP packets to the egress network, so you have to make sure that a DHCP server or relay agent is part of the egress network.
Now you have to save the VSC.
To bind this created VSC to an AP, click on the AP group of choice and go to “VSC bindings”. Click on “Add New Binding…”:
On this page you have to select the created VSC and just press “Save”. Synchronize the APs in this group and after a short time the SSID will be available and you are able to connect. If you open your browser on a client device, you should be redirected to the captive portal page:
Great job so far; we now need to create a username and password to gain full access.
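Before handing the SSID to guests, it is worth checking that the pre-authentication firewall really behaves as described in the preparation section: only DHCP and DNS pass, plain HTTP is answered with the portal redirect, and everything else is dropped. The following is an added example, not code from this post or from the controller vendor; the flow records are constructed sample data, and the outcome labels (“forwarded”, “redirected”, “blocked”) are an assumed way of recording what a test client observed.

```python
from dataclasses import dataclass

# Ports the post names as the only traffic forwarded before authentication.
DHCP_PORTS = {67, 68}
DNS_PORT = 53
HTTP_PORT = 80   # assumption: plain HTTP is what the controller intercepts for the redirect


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    dst_port: int
    outcome: str    # observed by the test client: "forwarded", "redirected" or "blocked"


def expected_pre_auth_outcome(flow: Flow) -> str:
    """Policy the controller's L2 firewall should apply to an unauthenticated client."""
    if flow.proto == "udp" and flow.dst_port in DHCP_PORTS:
        return "forwarded"      # DHCP must reach the relay agent / egress network
    if flow.dst_port == DNS_PORT and flow.proto in ("udp", "tcp"):
        return "forwarded"      # DNS so the client can resolve the portal's hostname
    if flow.proto == "tcp" and flow.dst_port == HTTP_PORT:
        return "redirected"     # HTTP is answered with the captive-portal page
    return "blocked"            # everything else waits for a successful login


def audit_pre_auth_flows(flows):
    """Return the flows whose observed outcome differs from the expected policy."""
    return [f for f in flows if f.outcome != expected_pre_auth_outcome(f)]


# Constructed sample observations (not a real capture from a controller).
HEALTHY = [
    Flow("udp", 67, "forwarded"),
    Flow("udp", 53, "forwarded"),
    Flow("tcp", 80, "redirected"),
    Flow("tcp", 443, "blocked"),
    Flow("tcp", 22, "blocked"),
]
# Same client, but a misconfigured VLAN/egress mapping lets SSH reach the LAN pre-auth.
LEAKY = HEALTHY[:-1] + [Flow("tcp", 22, "forwarded")]

if __name__ == "__main__":
    for name, flows in (("healthy", HEALTHY), ("leaky", LEAKY)):
        bad = audit_pre_auth_flows(flows)
        print(f"{name}: {'OK' if not bad else 'VIOLATION ' + str(bad)}")
```

Run it against the flows you actually observe from a not-yet-logged-in client; any entry it reports means unauthenticated traffic is reaching the egress network and the NAT/VLAN settings above need another look.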
Create users for captive portal authentication
On the MSM controller, you have two options, when it comes to local authentication.
- create the user via the web GUI
- use the GMS Guest Management Software, which comes for free with the MSM controller
I will create a user via the web GUI first. This is good for testing purposes but not for normal user creation, as it requires full access to the MSM controller web GUI.
Go to “Users–>User accounts” and click on “Add New Account”:
To keep it simple, I will just set the username and password and restrict the user to the captive portal based SSID. After that, click “Save” at the bottom of the page.
You should be able to use those credentials to log into the captive portal.
Next, I will use the GMS (Guest Management Software) to create an account. This little piece of software will connect to the controller, or controller team, and manage all local accounts on the MSM controller. The installation is very easy and beyond the scope of this post. Check my post on MSM best practices to get the GMS tool working successfully with the MSM controller.
You will get the GMS software from the MSM controller support page:
After a successful installation you will see the dashboard of the software:
This dashboard will show you all connected controllers with the list of created users. In my case, there is no created user and we see an empty list. My installation is a German one, but I will use the English words in the explanation.
I will now create a new user via the “New Account(s)” button.
This screen will allow you to set the basic account settings for the user. You can also decide to create many accounts as a batch job, which is very helpful when you need to create a lot of users at one time, for a convention, for example. Press “Next” to get to the next screen:
On this screen you can bind the user to a specific VSC, which is not required, but from my point of view good advice. You can now click “Finish” to keep it simple, but you can also click “Next” for further options, which are not in the scope of this post. On the last page you can print a voucher for the guest. You can also re-print the voucher any time in the GMS tool.
You should now see the created user in the list as an active user and the credentials can be used for the captive portal to gain access.
You successfully created the SSID and the user for gaining access. That’s it for the moment.
We have created the SSID and local users on the MSM controller which will gain access to the network. This is basically the normal guest application for small environments.
For feedback or questions, feel free to use the comment function. I will try to answer every comment.