Guest access – Extreme WiNG

In this topic, you will learn how to configure Extreme WiNG to work together with the Portnox™ Cloud captive portal for guest user authentication.

Before you begin configuring your controller, you must configure the guest network in Portnox Cloud and note down the values of the fields: IP (for walled garden) and Captive Portal URL. You will need these values later. We recommend that you keep your Portnox Cloud configuration open in another browser tab for easy copying and pasting.

Note: This setup was tested on a WiNG VX 9000 virtualized software-based controller and the WiNG AP 7632 access point. You can set up the captive portal either on the controller, as in this example, or directly on an access point.

  1. In the WiNG web interface, navigate to: Configuration > Services > Captive Portals > Captive Portals and in the Captive Portal Policy field, enter a new captive portal policy name.

  2. In the Basic Configuration tab:

    1. In the Captive Portal Server Mode field, select the Internal (Self) option.
    2. In the Connection Mode field, select the HTTPS option.
  3. In the Security section below, in the AAA Policy field, click on the  🗎+  icon.

    Result: The AAA Policy window opens.

  4. In the AAA Policy field, enter a name for this AAA policy.

  5. In the RADIUS Authentication tab, click on the Add button below to add a new server entry.

    Result: The Authentication Server window opens.

  6. In the Authentication Server window:

    1. In the Server Type field, select the Host option.
    2. In the Host field, select the IP Address option and type the Cloud RADIUS IP displayed in the CLEAR RADIUS instance section of Portnox Cloud (Settings > Services > CLEAR RADIUS SERVICE > CLEAR RADIUS instance > Europe and Asia or United States and North America).
    3. In the Port field, type the Authentication port displayed in the same Portnox Cloud section.
    4. In the Secret field, type the Shared Secret copied from the same Portnox Cloud section using the  ⧉  icon.
    5. In the Request Proxy Mode field, select the through-centralized-controller option if you are using a centralized controller (such as the VX 9000 that we used in this example).
    6. Click on the OK button in the bottom-right corner to save the server configuration and close the Authentication Server window.
  7. Optional: Repeat the two steps above to add the second Cloud RADIUS authentication server, if desired.
  8. Click on the RADIUS Accounting tab, then click on the Add button below to add a new server entry.

    Result: The Accounting Server window opens.

  9. In the Accounting Server window:

    1. In the Server Type field, select the Host option.
    2. In the Host field, select the IP Address option and type the Cloud RADIUS IP displayed in the CLEAR RADIUS instance section of Portnox Cloud (Settings > Services > CLEAR RADIUS SERVICE > CLEAR RADIUS instance > Europe and Asia or United States and North America).
    3. In the Port field, type the Accounting port displayed in the same Portnox Cloud section.
    4. In the Secret field, type the Shared Secret copied from the same Portnox Cloud section using the  ⧉  icon.
    5. In the Request Proxy Mode field, select the through-centralized-controller option if you are using a centralized controller (such as the VX 9000 that we used in this example).
    6. Click on the OK button in the bottom-right corner to save the server configuration and close the Accounting Server window.
  10. Optional: Repeat the two steps above to add the second Cloud RADIUS accounting server, if desired.
  11. Close the AAA Policy window by clicking on the Exit button.
  12. In the AAA Policy field, select the policy that you have just created.

  13. In the Access section, in the Access Type field, select the RADIUS Authentication option.

  14. Scroll down to the DNS whitelist section, and in the DNS Whitelist field, click on the  🗎+  icon.

    Result: The window for editing DNS whitelist entries opens.

  15. In the whitelist entry list window:

    1. In the Name field, enter the name for this DNS whitelist.
    2. Click on the Add Row button.
    3. In the DNS Entry column, select the IPv4 Address option, and type the first IP (for walled garden) value from Portnox Cloud (Settings > Services > CAPTIVE PORTAL SERVICE > selected captive portal configuration > IP (for walled garden)).
    4. Repeat the two steps above for the second IP address.
    5. Click on the OK button in the bottom-right corner to save the configuration and close the DNS Whitelist window.
  16. In the DNS Whitelist section, in the DNS Whitelist field, select the DNS whitelist that you have just created.

  17. At the top of the Captive Portal Policy pane, click on the Web Page tab and then in the Web Page Source field, select the Captive_Portal_Webpage_External radio button.

  18. In all URL fields, enter the Captive Portal URL from Portnox Cloud (Settings > Services > CAPTIVE PORTAL SERVICE > selected captive portal configuration > Captive Portal URL). In the Welcome URL field, enter a URL that you want to show to the user after the user successfully authenticates.
    Note: WiNG configuration requires you to fill all URL fields, even if most of them are not used by the Portnox Cloud captive portal. That’s why we recommend using the same URL for all those fields.

  19. Click on the OK button in the bottom-right corner of the Captive Portal Policy pane to save the configuration.

  20. In the WiNG web interface, navigate to: Configuration > Wireless > Wireless LANs.

  21. Click on the Add button at the bottom of the table to add a new wireless LAN.

  22. In the Basic Configuration pane:

    1. In the WLAN field, enter a name for this WLAN configuration (it doesn’t have to be the same name as the SSID but we recommend that you use the same name, so that you can easily identify your WLAN later).
    2. In the SSID field, enter an SSID for this WLAN.
    3. In the WLAN Status field, make sure that the Enabled button is selected.
  23. In the left-hand side menu, click on the Security option, and then in the Security pane:

    1. In the Select Authentication section, select the PSK / None radio button.
    2. In the WLAN_Captive_Portal section, activate the Captive Portal Enable checkbox.
    3. In the Captive Portal Policy field, select the captive portal policy that you created earlier.
  24. Click on the OK button in the bottom-right corner to save the WLAN configuration.

  25. In the WiNG web interface, navigate to: Configuration > Profiles > Manage Profiles and then click on the name of the profile for the access point model that you want to work with your WLAN.

    In this example, we selected the AP 7632 profile because we were configuring the AP 7632 model.

  26. In the left-hand side menu, click on the Interface > Radios option and then click on the radio (frequency) that you want to configure with your new WLAN.

    Result: The Radios window opens.

  27. In the Radios window, switch to the WLAN Mapping / Mesh Mapping tab, and use the < button to move your WLAN from the WLANs list on the right-hand side to the Radio list on the left-hand side.

  28. Click on the OK button in the bottom-right corner to save your radio configuration.

  29. Optional: Repeat the steps above for the other radios on the same access point, if needed.
  30. In the left-hand side menu, click on the Security > Services option and then in the Profile_Captive_Portal field, activate the checkbox next to the name of the captive portal policy that you created earlier.

  31. Click on the OK button in the bottom-right corner to save your access point configuration.

  32. Click on the Commit and Save button in the top-right corner to save and commit your changes to your WiNG equipment configuration.
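
A mistyped Shared Secret or Authentication port in the Authentication Server window is the usual reason guest logins fail after this procedure. The following added example (not Portnox or Extreme code) builds a RADIUS Access-Request per RFC 2865/3579 and checks the reply's Response Authenticator against the secret you entered. The user name and password are hypothetical dummies; host, port and secret are the values from Portnox Cloud, and it is an assumption that the RADIUS service answers requests from the host you run this on.

```python
import hashlib
import hmac
import os
import socket
import struct

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    size = max(16, -(-len(password) // 16) * 16)
    out, prev = b"", authenticator
    padded = password.ljust(size, b"\x00")
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(1, user) + _attr(2, _hide_password(password, secret, authenticator))
    attrs += _attr(80, b"\x00" * 16)  # Message-Authenticator, zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, authenticator

def reply_matches_secret(reply, request_authenticator, secret):
    # Response Authenticator = MD5(code + id + length + request authenticator + attributes + secret).
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, port, secret, timeout=3.0):
    # Hypothetical dummy credentials: an Access-Reject that verifies still proves the secret.
    packet, auth = build_access_request(b"secret-check", b"not-a-real-password", secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: unreachable, wrong port, or request dropped"
    if reply_matches_secret(reply, auth, secret):
        return "secret matches"
    return "reply failed verification: shared secret mismatch"
```

Call `probe(host, port, secret)` with the secret as bytes; a reply that verifies, even an Access-Reject, confirms that the port and Shared Secret match what the RADIUS service expects.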