Setting up WiFi-based check-in using RADIUS servers

How to integrate RADIUS server controllers
Before you configure the controller, make sure you have set up your RADIUS server and have purchased a license. You can contact support@nexudus.com to receive a license.

 

Aruba Controller

How to set up Aruba Controller

Sign in to the Aruba Administration console at https://instant.arubanetworks.com:4343 and type your email and pin-code.
Accessing the administration console
 

Go to Network > Edit and open the settings of the network that you want to configure to use the Captive Portal with RADIUS authentication. Our example network is aruba qa.

Configuring WLAN
 

Configure Client IP & VLAN Assignment. In our example, we keep the default settings.

Configuring Client IP & VLAN Assignment
 
 

To configure the Security Level

  1. From the Splash page type drop-down list, select External.

  2. From the Captive portal profile drop-down list, select your network. In our example, the network is qa.

  3. From the Auth server 1 drop-down list, select your network.

  4. Set Accounting to Use authentication servers.

  5. Set Encryption to Disabled.

To edit the Captive portal profile

 
Editing Captive portal profile

Number  Description
1       The Captive portal profile Edit button

  1. Next to Captive portal profile, click Edit.

  2. From the Type drop-down list, select Radius Authentication.

  3. In the IP or hostname text box, type http://XYZ.spaces.nexudus.com, where XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.

  4. In the URL text box, type /en/splash.

  5. In the Port text box, type 443.

  6. From the Use https drop-down list, select Enabled.

  7. From the Captive Portal failure drop-down list, select Deny internet.

  8. From the Automatic URL Whitelisting drop-down list, select Enabled.

  9. Leave the Redirect URL text box empty.

To edit the Auth server 1

Editing Auth server 1

Number  Description
1       The Auth server 1 Edit button

  1. Next to Auth server 1, click Edit.

  2. In the IP address text box, type the IP address you want to allow access to.

  3. In the Auth port text box, type 5701.

  4. In the Accounting port text box, type 5702.

  5. In the Shared key text box, type your personal key.

Adding required IP addresses and host names to the whitelist

Click the Walled garden tab and enter the values from the RADIUS server.

Whitelisting IP addresses and host names

Number  Description
1       The Walled Garden tab
2       The Whitelist section

Add all IP addresses and host-names above, including http://XYZ.spaces.nexudus.com/ to the whitelist.

Creating new roles

By default, your Aruba controller intercepts HTTPS traffic to all external servers, which breaks SSL connections. To prevent this, create a new role that permits TCP connections to port 443 on external servers, for example, splash.ironwifi.com, google.com, or facebook.com.

To create a new role

  • Select the Assign pre-authentication role checkbox.

  • From the drop-down list, select create role.

  • Create the new roles shown in the screenshots.

  • Click Finish to apply new settings.

Allowing access to https

Number  Description
1       New role added
2       Defining access rules for a role
3       Assigning pre-authentication role

Allowing TCP on port 443

Number  Description
1       New role added
2       Defining access rules for a role
3       Assigning pre-authentication role
4       The Finish button

Replacing the SSL certificate

To fix the SSL error, you need to replace the default invalid certificate.

You can generate a valid SSL certificate for free here. You can let the page generate a request to sign a certificate for you. You can also visit this page for detailed instructions on how to generate a request manually. Don't use a wildcard SSL certificate.

Copy the content of the downloaded files certificate.crt, ca_bundle.crt and private.key to a single file: aruba.pem.

Upload this file to your Aruba IAP and then do the following:

  • Click on Maintenance > Certificates.

  • From the Certificate type drop-down list, select Captive portal server.

  • From the Certificate format drop-down list, select PEM.

  • Click Upload Certificate to apply new settings.

Entering a valid SSL certificate

Number  Description
1       The Certificates tab
2       Certificate type and format drop-down lists
3       The Upload Certificate button

Cisco WLC

Before you configure the controller, make sure you have set up your RADIUS server and have purchased a license.
 

To configure Access Control rules for the WLC controller

  1. Log in to the Cisco WLC web browser interface and go to Advanced Settings by clicking the configuration icon on top of the screen.

  2. Go to Security > Access Control Lists and add two new ACL rules to allow connections to the captive portal:

    • Source IP: any; Destination IP: 107.178.250.42, Mask: 255.255.255.255; Protocol: TCP; Dest Port: 443; Action: Permit.

    • Source IP: 107.178.250.42, Mask: 255.255.255.255; Destination IP: any; Protocol: TCP; Source Port: 443; Action: Permit.

  3. You may also want to add the following IPs to your rules:

    • XYZ.spaces.nexudus.com, where XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.

    • 107.178.250.42/32

    • 216.239.32.0/19

    • 64.233.160.0/19

    • 72.14.192.0/18

    • 209.85.128.0/17

    • 66.102.0.0/20

    • 74.125.0.0/16

    • 64.18.0.0/20

    • 207.126.144.0/20

    • 173.194.0.0/16

Configuring Access Control rules
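The two-rule pattern from step 2, applied to every range listed in step 3, as an added example that is not part of the original guide. The WLC rules take an address and a dotted mask while the list is in CIDR notation, so the script converts each range and reports entries (the hostname) that cannot be written as address/mask rules; the function names are illustrative and only IPv4 is handled, as on the page.

```python
import ipaddress

# Walled-garden entries as listed in step 3 (XYZ is the page's placeholder).
WALLED_GARDEN = [
    "XYZ.spaces.nexudus.com",
    "107.178.250.42/32", "216.239.32.0/19", "64.233.160.0/19",
    "72.14.192.0/18", "209.85.128.0/17", "66.102.0.0/20",
    "74.125.0.0/16", "64.18.0.0/20", "207.126.144.0/20", "173.194.0.0/16",
]


def build_acl(entries):
    """Return (rules, hostnames) for a list of walled-garden entries.

    Each IPv4 network yields two rules, one per direction, like the pair in
    step 2. Hostnames cannot be written as address/mask rules, so they are
    returned separately for manual handling.
    """
    hostnames = [e for e in entries if any(c.isalpha() for c in e)]
    # ip_network() raises ValueError on a malformed range or stray host bits,
    # so a mistyped entry stops the run instead of yielding a wrong mask.
    nets = [ipaddress.ip_network(e) for e in entries if e not in hostnames]
    rules = []
    # collapse_addresses() merges duplicate, overlapping and adjacent ranges.
    for net in ipaddress.collapse_addresses(nets):
        addr, mask = str(net.network_address), str(net.netmask)
        rules.append(("to_portal", addr, mask))
        rules.append(("from_portal", addr, mask))
    return rules, hostnames


def render(rule, port=443):
    """Format one rule using the field names shown in step 2."""
    direction, addr, mask = rule
    if direction == "to_portal":
        return (f"Source IP: any; Destination IP: {addr}, Mask: {mask}; "
                f"Protocol: TCP; Dest Port: {port}; Action: Permit")
    return (f"Source IP: {addr}, Mask: {mask}; Destination IP: any; "
            f"Protocol: TCP; Source Port: {port}; Action: Permit")


if __name__ == "__main__":
    acl, names = build_acl(WALLED_GARDEN)
    for r in acl:
        print(render(r))
    print("Not expressible as address/mask rules:", ", ".join(names))
```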
 
 

Configuring RADIUS Authentication

Go to Security > Web Auth > Web Login Page and change Web Authentication Type to External (redirect to external server). Add the External Webauth URL. The URL here should be http://XYZ.spaces.nexudus.com/en/splash. XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.

Go to Security > AAA > RADIUS > Authentication, add a new RADIUS Authentication server and enter the following:

  • IP address in the Server Address(Ipv4/Ipv6) text box.

  • In the Shared Secret text box, the Shared Secret from the details of the RADIUS server that you received when you created the server.

  • Your RADIUS ports in the Port Number text box.

Configuring RADIUS Authentication Servers
 

Configuring RADIUS Accounting

Go to Security > AAA > RADIUS > Accounting, add a new RADIUS Accounting server and enter the following:

  • IP address in the Server Address(Ipv4/Ipv6) text box.

  • In the Shared Secret text box, the Shared Secret from the details of the RADIUS server that you received when you created the server.

  • Your RADIUS ports in the Port Number text box.

Configuring RADIUS Accounting Servers
 

Configuring WLAN

Go to WLANs, select existing or create a new WLAN and then open the WLAN settings.

WLAN General Settings
 

Click Security > Layer 2 and set Layer 2 Security to None.

WLAN Security Settings
 

Click Layer 3, select Web Policy from the Layer 3 Security drop-down list and then select Authentication. Select your new ACL from the Preauthentication ACL drop-down list.

Layer 3 Security
 

Click AAA Servers and select RADIUS authentication and accounting servers. You can also set Interim Interval to 180 seconds or higher. To save and apply new settings, click Save Configuration.

AAA Servers setting

Number  Description
1       Authentication and Accounting Servers
2       Interim Interval
3       Save Configuration

Cisco Meraki

Learn how to set up WiFi-based check-in: Cisco Meraki

What do I need?

Before you configure the controller, make sure you have set up your RADIUS server and have purchased a license. You can contact support@nexudus.com to receive a license.
A RADIUS server license for specific WiFi routers incurs a charge of $/£/€6 per Access Point per month. Mikrotik can be integrated for free.
 

Configuring a Meraki controller to use the external Captive Portal authentication

Use the guide below to configure your Meraki virtual controller and the external Captive Portal with RADIUS authentication. When users connect to it and open their browser, a login screen appears where users can type their email and pin-code to connect to your network.


To configure your Meraki controller

  1. Sign in to the Meraki cloud portal.

  2. Go to Wireless > Configure > SSIDs and define the network that you want to configure to use the Captive Portal with RADIUS authentication.

  3. In the Association requirements section, select Open (no encryption).

  4. In the Splash page section, select Sign-on with and then select my RADIUS server from the drop-down list.

  5. Add new RADIUS authentication servers by clicking Add a server and enter the following:

    • IP address in the Host section.

    • Your RADIUS ports in the Port section.

    • In the Secret section, the shared Secret from the details of the RADIUS server that you received when you created the server.

  6. In the Walled garden section, type the following ranges:

    • XYZ.spaces.nexudus.com, where XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.

    • 107.178.250.42/32

    • 216.239.32.0/19

    • 64.233.160.0/19

    • 72.14.192.0/18

    • 209.85.128.0/17

    • 66.102.0.0/20

    • 74.125.0.0/16

    • 64.18.0.0/20

    • 207.126.144.0/20

    • 173.194.0.0/16

  7. Go to Wireless > Configure > Splash page and add http://XYZ.spaces.nexudus.com/en/splash to the Custom splash URL section. XYZ is the default domain name you can find in Settings > Website > General on your Nexudus account.

You need to contact Meraki support to enable adding domain names to the Walled garden section.

You can use the screenshot below to help you with steps three, four, five and six.

Configuring Meraki network access
 

Number  Description
1       Step 3
2       Step 4
3       Step 5
4       Step 6

You can use the screenshot below to help you with step seven.

Configuring the splash page

The default splash page:

Default splash page

Configuring a Meraki Controller for WPA-Enterprise

Accounting servers are disabled by default when using splash pages for Meraki devices. This means that Nexudus does not receive regular updates when users are in the space. Use WPA-Enterprise authentication to support RADIUS accounting. You can also contact Meraki support to enable this feature when using splash pages.

Users need to type their email and pin-code to connect to your WiFi network when using this authentication method. Otherwise, they cannot gain network access.

Sign in to the Meraki cloud portal and go to Wireless > Configure > SSIDs and define the network that you want to configure to use the Captive Portal with RADIUS authentication.

In the Association requirements section, select WPA2-Enterprise with and then select my RADIUS server from the drop-down list.

Configuring network access requirements

In the Splash page section, select None (direct access).

Configuring access to the splash page

Add new RADIUS authentication servers by clicking Add a server and enter the following:

  • IP address in the Host section.

  • Your RADIUS ports in the Port section.

  • In the Secret section, the shared Secret from the details of the RADIUS server that you received when you created the server.

Enabling RADIUS Servers and Accounting

 

Ruckus Controller

Configuring Ruckus Controller

This section describes the configuration of Ruckus Cloud for external Captive Portal and RADIUS server authentication.

Sign in to the Ruckus Cloud portal and create a new Network. Select Cloudpath as the authentication method.

Selecting Cloudpath

Configure RADIUS server details, Splash page URL, and Walled Garden list, then add the following IPs to your walled garden:

  • example.spaces.nexudus.com *

  • 107.178.250.42/32

  • 216.239.32.0/19

  • 64.233.160.0/19

  • 72.14.192.0/18

  • 209.85.128.0/17

  • 66.102.0.0/20

  • 74.125.0.0/16

  • 64.18.0.0/20

  • 207.126.144.0/20

  • 173.194.0.0/16

* You can find the subdomain of your account in Settings > Website > General > Default web address.

Cloudpath settings

 

SonicWall 

Assumptions

  1. SonicWall Access Point is set up and running the latest firmware.

  2. 802.1x SSID is already configured.

  3. DHCP and DNS are appropriately configured.

  4. SonicWall Access Point can communicate with the Radius servers.

  5. The Guest SSID VLAN can communicate with Radius servers.

  6. All systems are appropriately licensed.

Instructions

  • Sign in to SonicWall Administration Interface. Go to Network > Zones > WLAN.

SonicWall Interface

  • Leave the "General" options default and click Guest Services.

SonicWall WLAN options

  • Check Enable Guest Services and Enable External Guest Authentication. Change the Max Guests value to 255.

Enabling Guest Services

  • Select the Auth Pages tab and enter "/api/pages/xxxxxx/" in all input fields. "xxxxxx" is your Splash page identifier as provided by us.

Auth Pages

  • Review other settings and click OK to save changes.

Advanced Settings
 

The last step is to allow remote connections on your Firewall. We need to be able to connect to the SonicWall Guest Services to authorize connected clients. Guest Services listen on port 4043 and the RADIUS server will try to connect to the URL in this format:

https://SOURCE_IP_ADDRESS:4043

* SOURCE_IP_ADDRESS - IP address that we have received the authentication request from

We will be connecting directly from the web server, so no further changes are required in your SonicWall firewall rules.

Common Errors

We need to be able to connect to your Access Point to authorize the connecting device. If the connection is not successful, the Captive Portal will return different error codes in the error_message parameter.

  • sonicwall_gw_connection_failed - our servers could not connect to your SonicWall AP. Make sure the Access Point Guest Services port is reachable over the internet, and check your firewall settings and port forwarding rules if necessary. Guest Services listen on port 4043/TCP by default and you can override this value using the Controller URL parameter in the Captive Portal settings in our Console.

UniFi Controller

Configuring UniFi Controller for external Captive Portal authentication

This option will present users with a splash page. It relies on your WiFi network being open or using a shared WiFi password. When users connect to it and open their browser, they will be presented with a login screen where they type their email and PIN code to connect to your network. You can also configure this appliance to use Enterprise Authentication using the instructions in the section below.

  1. Provide the public IP of your UniFi controller. The RADIUS servers need to be able to directly connect to your Controller (SW, Cloud Key) to authorise connecting devices. The Controller URL is usually in a format like this: https://your_public_static_ip:8443. Make sure it is the PUBLIC IP address and that it is reachable through the Internet (not an internal address like 192.168.*.*, 172.16.*.*, or 10.*.*.*).

  2. You might need to configure port forwarding on your Internet router and firewall. If you are not sure, please contact your ISP. This article may help you do this. The source IPs connecting to your controllers are 35.184.225.240, or 35.201.240.80, or 35.195.230.167.

  3. Sign in to your UniFi Controller.

  4. In Wireless network settings change the Security to Open and enable Guest services.

  5. Navigate to Guest services settings.

  6. Select External Captive Portal.

  7. Enter 107.178.250.42 in the IP address input field.

  8. Check the redirect using hostname checkbox and enter the Splash page URL here. You should have been provided the URL by the Nexudus team together with a license. The page looks by default like this:

Splash page

  • Add 107.178.250.42/32 to the Pre-Authorization Access list.

  • Apply settings and try with your phone or computer.

Unifi Devices

Unifi Settings
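A check for steps 1 and 2, as an added example that is not part of the original guide: it validates a Controller URL against the public-address requirement and lists sources that reached the controller port without being one of the three RADIUS source IPs given in step 2. The log layout, the sample lines and the function names are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Source IPs the guide says will connect to the controller (step 2).
RADIUS_SOURCES = {"35.184.225.240", "35.201.240.80", "35.195.230.167"}

# Constructed firewall log lines; the SRC=/DPT= layout is an assumption.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z ACCEPT SRC=35.184.225.240 DPT=8443",
    "2024-05-01T10:00:07Z ACCEPT SRC=203.0.113.7 DPT=8443",
    "2024-05-01T10:01:12Z ACCEPT SRC=203.0.113.7 DPT=443",
    "2024-05-01T10:02:30Z ACCEPT SRC=198.51.100.23 DPT=8443",
]


def check_controller_url(url):
    """Return a list of problems with a Controller URL; empty means none."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.port is None:
        problems.append("no explicit port")
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        problems.append("host is not a literal IP address")
    else:
        # is_global is False for 192.168/16, 172.16/12, 10/8, loopback,
        # link-local and carrier-grade NAT (100.64/10) addresses.
        if not ip.is_global:
            problems.append(f"{ip} is not a public address")
    return problems


def unexpected_sources(log_lines, port=8443):
    """Return sorted source IPs that reached `port` but are not RADIUS servers."""
    seen = set()
    for line in log_lines:
        m = re.search(r"SRC=(\S+) DPT=(\d+)", line)
        if m and int(m.group(2)) == port and m.group(1) not in RADIUS_SOURCES:
            seen.add(m.group(1))
    return sorted(seen)


if __name__ == "__main__":
    print(check_controller_url("http://192.168.1.10"))
    print(unexpected_sources(SAMPLE_LOG))
```

Any address returned by `unexpected_sources` indicates the port forward is open to more than the three documented sources and can be narrowed to them.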
 

Configuring UniFi Controller for WPA-Enterprise

  1. Navigate to Wireless Networks and change Security to WPA-Enterprise. Add new RADIUS Authentication Servers and enter the IP Address, Port and Shared Secret from the details of the RADIUS server provided when you created the RADIUS server above.

  2. Make sure you use the same IP for both the Auth and Accounting servers. If you add secondary Auth and Accounting servers, then use the secondary IP provided.

  3. Optional: Enable Interim Update.

Wireless Networks settings
 