quarta-feira, 7 de outubro de 2015

Meraki - External Captive Portal e Radius Server

Captive portal, splash pages and externally hosted RADIUS Server


Many customers are requesting Tanaza to support "Captive Portal". We understood that there is definitely a need to clarify what Captive Portal capability is and how it is implemented in a cloud managed Wi-Fi Network.
We think that the best article that can clarify the relationship between hardware, cloud infrastructure, Radius server, captive portal capability, splash pages, accounting and client management comes from... Meraki! 
So... here it is. Enjoy the precision of each single word of this article.
* * *


Many organizations have an existing user authentication or directory server that they would like to use to control access to the wireless LAN. Common server types include LDAP or Active Directory. Any type of authentication server with a RADIUS interface can be integrated with a Meraki wireless network. The cloud allows an administrator to configure multiple RADIUS servers for failover.
When an externally hosted RADIUS server is used with either MAC-based access control or WPA2-Enterprise with 802.1x authentication, the cloud managed APs must be able to reach the RADIUS server. The Meraki cloud offers a test tool that enables an administrator to verify connectivity of all of the APs to the RADIUS server, and to check a particular set of user credentials against the RADIUS server. The test tool appears under the Configure tab on the Access Control page.
captive portal
When an externally hosted RADIUS server is used with sign-on splash page, an administrator can configure the Meraki wireless network to use an externally hosted RADIUS server for user authentication. The Meraki cloud acts as an intermediary in this configuration to provide (1) a consistent end user experience (e.g., the wireless user is not presented with the splash page again if he re-associates to another AP) and (2) RADIUS accounting features.
If the sign-on splash page is hosted by the Meraki cloud, the conversation is a straightforward RADIUS exchange between the Meraki cloud and the external RADIUS server. 
If the sign-on splash page is itself externally hosted, the conversation involves exchanges between the splash page server, the Meraki cloud, and the RADIUS server. Specifically:
  1. The wireless client associates with the Meraki wireless network.
     
  2. The user makes an initial request for a URL in his web browser.
     
  3. The Meraki AP redirects the user to a URL on the splash page server. (The administrator configures this URL in the Meraki cloud, under the Configure tab on the Splash Page page.) When the Meraki AP redirects the user to the splash page server, it includes the following HTTP parameters in the HTTP redirect:
    1. continue_url: The URL that the user originally requested. This parameter may be interpreted by the splash page server to decide where the user should be redirected if he authenticates successfully.
    2. login_url: The URL at the Meraki cloud to which the splash page server should send an HTTP POST with collected user credentials (see Step 4). This parameter is escaped to include the continue_url embedded within it, and should not be interpreted by the splash page server.
    3. ap_mac: MAC address of the Meraki AP to which the user is associated.
    4. ap_name: Name (if configured) of the Meraki AP to which the user is associated.
    5. ap_tags: Tags (if configured) applied to the Meraki AP to which the user is associated.
    6. mauth: An opaque string used by the Meraki cloud for authentication and security.

  4. The external splash page server presents the user with a web form that captures the user’s credentials and causes the user to send an HTTP POST to the Meraki cloud, using the URL specified in login_url (see Step 3). In this HTTP POST, the server includes the following parameters:
    1. username: The username that the wireless user provided to the splash page server.
    2. password: The password that the wireless user provided to the splash page server.
    3. success_url (optional): The URL to which the wireless user is redirected if he passes authentication. The splash page server can use this parameter to override the continue_url that the user originally requested.

  5. The Meraki cloud receives the HTTP POST from the splash page server, and in turn, sends a RADIUS Access-Request to the external RADIUS server with the username and password.

  6. The RADIUS server processes the RADIUS Access-Request from the Meraki cloud, and responds to the Meraki cloud with a RADIUS Access-Accept or Access-Reject. The RADIUS server may optionally send RADIUS attributes to the Meraki cloud to enforce over the wireless user.
  7. The Meraki cloud processes the response from the RADIUS server and redirects the wireless user accordingly.
    1. If the Meraki cloud receives an Access-Accept message from the RADIUS server, the user has successfully authenticated. The Meraki cloud redirects the user to the original URL he requested (continue_url), or the URL specified by the splash page server in the (optional)success_url (see Step 4).
    2. If the Meraki cloud receives an Access-Reject message from the RADIUS server, the user has failed authentication and is redirected back to the splash page server’s URL (in Step 3).



      Because the Meraki cloud needs to contact an external RADIUS server, the Meraki cloud must be able to reach the RADIUS server. This requirement may necessitate firewall changes that allow inbound connections to the RADIUS server. If the RADIUS server becomes temporarily unavailable, existing wireless clients (already authenticated) remain connected, but new wireless clients are unable to authenticate to access the network.
* * *
Original article available here.

0 comentários: