Externally Hosted Splash Page with RADIUS Authentication on 5xx and later firmware


Overview

Using an externally-hosted splash page gives you full control over the sequencing and presentation of a splash page, similar to the functionality of CoovaChilli in 4xx firmware. Internally-hosted splash pages, by contrast, are simpler but provide less flexibility.

Externally-hosted splash pages are stored and executed on a web server that you define, and must respond appropriately to certain messages from the Access Point in order to present the appropriate user interface to the user at each stage of the authentication process.

When combined with RADIUS Authentication, CloudTrax will consult an external RADIUS server that you specify in order to determine whether to authenticate the user. The user interface presented to the user will be determined by the external splash page.

This walk-through shows you how to configure CloudTrax to use an externally-hosted splash page with an external RADIUS server to handle authentication. A minimal external splash page implementation, written in PHP, is presented as an example, but you will need to customize the generated HTML for your purpose, or perhaps re-implement the external splash page in a manner and language of your choice.

Configure the RADIUS Server

The first step is to configure a RADIUS server that will be accessible from the Access Points on your network. The following steps will be required; the particular details will depend on which RADIUS server you are using.

  1. Set up the RADIUS server. If you already have a configured RADIUS server then you may use it without configuring another server. Common RADIUS servers are available from the FreeRADIUS project, and with Microsoft Windows Server.
  2. Configure the RADIUS server to provide access for the Users that you wish to be able to authenticate. At minimum, you'll need to provide a User Name and Password for each. Optionally, for each user, you may configure the maximum upload and download bandwidth and a session timeout; these are set using the attributes WISPr-Bandwidth-Max-Up, WISPr-Bandwidth-Max-Down, and SESSION_TIMEOUT, respectively.
  3. Note the IP address (or Hostname) and the secret of the RADIUS server. These will be needed in the steps below.

Configure the External Splash Page Server

The external splash page must be hosted on a web server that will be accessible from the Access Points on your network. The following must be accomplished, but the particular details will depend very much on your web hosting environment.

  1. Set up the web server.
  2. Install the attached PHP file (splash.php) so that it will be served by the web server in response to a given URL.
  3. Note the URL from step two: it will be needed in the steps below.
  4. You may edit the PHP to meet your needs. You may want to do this only after you have a successfully operating solution.
  5. The PHP code contains a secret that's shared with the CloudTrax server, and which helps to protect the user's login information. You should change that secret, and note it for use in the steps below.

Configure CloudTrax

The splash page and authentication are specified separately in CloudTrax for each SSID.

  1. Select Configure -> SSID 1 (or specify a different SSID number if you want to use a different SSID).
  2. Select "Hosted Remotely" for the type of Splash Page.
  3. Enter the URL of the hosted splash page.
  4. Enter the shared secret for the splash page.
  5. Select RADIUS for Splash Page Authentication.
  6. Enter the IP Address or Hostname of your RADIUS server under Server Address 1. If you have a secondary/backup RADIUS server you may enter it for Server Address 2.
  7. Enter the server secret for your RADIUS server under Server Secret. A RADIUS server limits access to only those knowing its secret.
  8. If a NAS ID is required in your usage, enter it as well. A NAS ID may be used to pass additional information about an authentication request to the RADIUS server.
  9. Normally, after a user is successfully authenticated they will be taken to the web-page that triggered the splash page. If instead you would like them to be taken to a common completion page, you may enter an explicit Redirect URL.
  10. Save changes to the SSID configuration.

 

 

Test the Configuration

The splash page and RADIUS configuration are now complete. Unauthenticated users should be presented with the splash page. The User Name and Password they enter into the splash page form will be evaluated by the RADIUS server. Only those users successfully authenticated by the RADIUS server will be allowed access to the Internet.

Fail-Safe Behavior

Note that in the case of a server configuration or runtime error, CloudTrax is designed to fail-safe: if the specified Splash Page or RADIUS server cannot be reached, or is not configured correctly, the user will be given access for a period of time.
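Because an unreachable RADIUS server results in users being given access, authentication here fails open, and an outage is worth alerting on. The following is an added example, not part of the CloudTrax documentation or its splash.php: a minimal RFC 2865 client that sends one Access-Request and reports whether the server answered with a verifiable reply. The function names, the NAS identifier `radius-probe` and the dedicated monitoring account are assumptions.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(ident, user, password, secret, req_auth, nas_id=b"radius-probe"):
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, req_auth))
             + attr(32, nas_id) + attr(80, bytes(16)))  # 80 = Message-Authenticator
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # Message-Authenticator is HMAC-MD5 over the packet with its own value zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def classify_reply(reply, ident, req_auth, secret):
    """'accept' / 'reject' only if the Response Authenticator verifies; else 'invalid'."""
    if len(reply) < 20:
        return "invalid"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return "invalid"
    reply = reply[:length]  # octets beyond Length are padding
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")

def probe(host, secret, user, password, port=1812, timeout=3.0):
    """Any verified answer means RADIUS is up; 'unreachable' is the fail-open condition."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, user, password, secret, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (host, port))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout, refused, DNS failure
            return "unreachable"
    return classify_reply(reply, ident, req_auth, secret)
```

Call `probe(host, secret, user, password)` with byte strings for the secret and credentials from a host the RADIUS server accepts as a client, and alert on `unreachable` or `invalid`.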

 


Comments

  • Ben West

    Since the announcement about v5xx firmware mentions that CoovaChilli is not yet included, am I correct in assuming only the v4xx firmware supports RADIUS authentication via an external splash page?
    https://help.cloudtrax.com/hc/en-us/articles/202467164-New-in-CloudTrax-firmware-5xx

  • Ryan Detwiller

    Hi Ben - This article is specifically for 5xx firmware and a CoovaChilli alternative we've developed. So while CoovaChilli specifically isn't supported, most of the functionality is. We're working with partners who interfaced with us using CoovaChilli to test and roll out their services with this new architecture.

  • Nunya Bidnez

    Our Openwrt / Coovachilli (1.3.0) solution that is at present configured with an external splash page (chilli's 'uamformat' value) authenticates against the Radius server(s) of a 'social' read, 'free', HSP.

    It should be possible to redirect from our splash page to CloudTrax whilst using the Radius server(s) of the current HSP, correct?

  • Contact

    Ryan, can you elaborate on that? Do you mean this firmware offers similar functionality or would CoovaChilli work but not to its fullest extent?

  • Ryan Detwiller

    ^ It is similar functionality.

  • David Pankros

    Quote "Note that in the case of a server configuration or runtime error, CloudTrax is designed to fail-safe: if the specified Splash Page or RADIUS server cannot be reached, or are not configured correctly, the user will be given access for a period of time."

    Doesn't this seem incorrect? I mean, if the radius is accessible from the net, I could potentially launch a DOS on the radius (i.e. to make it unavailable) to gain access to wifi? Yikes. Seems like a big hole.

  • Bryan Patterson

    @ David - we're looking at making the fail safe a configurable option to avoid issues like that.
