This article shares a case that users may face when they use captive portal as the authentication method on a WLAN configured on a WiNG 5 product. A customer had a problem on a WLAN with captive portal enabled and described it as a DHCP problem. After some investigation in the lab, I found that it was expected behavior on WiNG 5. Details are as follows.
The firewall policy should be enabled for a hotspot-enabled WLAN so that the captive portal service works on a public access WLAN.
Software:
WiNG 5.3.1.0-009R
Symptoms:
When the captive portal service is enabled on the WLAN, wireless clients cannot get an IP address from the DHCP server.
The customer uses the default firewall policy, but it has been disabled.
firewall-policy default
 no ip dos tcp-sequence-past-window
 no firewall enable
The customer uses a captive portal service named Cust_Guest.
captive-portal Cust_Guest
 server host 10.100.5.5
 server mode centralized
 terms-agreement
 webpage internal org-name Custl
 use aaa-policy local
 use dns-whitelist Guest_Access
The customer has configured a WLAN named Cust_Guest for public access and enabled captive portal on this WLAN.
wlan Cust_Guest
 ssid Cust_Guest
 vlan 102
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 no client-client-communication
 use captive-portal Cust_Guest
 captive-portal-enforcement
What is captive portal?
The Motorola Hotspot authentication feature offers a simple way to provide secure authenticated access on a WLAN for users and devices using a standard web browser. Hotspot authentication allows enterprises to offer authenticated access to the network by capturing and re-directing a web browser’s session to a captive portal login page where the user must enter valid credentials to be granted access to the network.
Description:
The AP blocks DHCP requests from wireless clients if the firewall policy is disabled on the public access WLAN. Captive portal is intended for public access service, so if the firewall policy is not enabled on the AP, the default action for DHCP requests through the hotspot-enabled WLAN is block.
Solution:
Enable the default firewall policy.
firewall-policy default
 firewall enable
The firewall policy has 3 categories (denial of service, storm control, advanced settings),
and it can be tuned according to the customer site's environment.
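The condition described above can be checked offline against a saved configuration before clients report DHCP failures. The following is an added example, not part of the original article and not vendor code; the function names are hypothetical, the sample config is constructed from the excerpts shown above, and it assumes every disabled firewall policy in the file applies to the AP, since the excerpts do not show how the policy is bound.

```python
# Added example: offline check of a WiNG 5 config excerpt (not vendor code).

# Constructed sample, assembled from the excerpts shown in this article.
SAMPLE_CONFIG = """\
firewall-policy default
 no ip dos tcp-sequence-past-window
 no firewall enable
captive-portal Cust_Guest
 server host 10.100.5.5
 server mode centralized
wlan Cust_Guest
 ssid Cust_Guest
 vlan 102
 use captive-portal Cust_Guest
 captive-portal-enforcement
"""

def parse_blocks(text):
    """Split a config into {(kind, name): [child lines]} using indentation."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" separator lines
        if not raw[0].isspace():
            parts = raw.split(None, 1)
            current = (parts[0], parts[1].strip() if len(parts) > 1 else "")
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def find_blocked_dhcp_wlans(text):
    """Return (wlan, policy) pairs where captive portal is enforced
    while a firewall policy in the same config is disabled."""
    blocks = parse_blocks(text)
    disabled = sorted(name for (kind, name), body in blocks.items()
                      if kind == "firewall-policy" and "no firewall enable" in body)
    hotspot = sorted(name for (kind, name), body in blocks.items()
                     if kind == "wlan"
                     and any(l.startswith("captive-portal-enforcement") for l in body))
    # Assumption: the excerpts do not show how a policy is bound to the AP,
    # so every disabled policy is reported against every hotspot WLAN.
    return [(w, p) for w in hotspot for p in disabled]

if __name__ == "__main__":
    for wlan, policy in find_blocked_dhcp_wlans(SAMPLE_CONFIG):
        print(f"wlan {wlan}: captive portal enforced but firewall-policy "
              f"{policy} is disabled; client DHCP requests will be blocked")
```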