Legacy Open Mesh: Externally Hosted Splash Page with RADIUS Authentication on 5xx and later firmware

Overview

Using an externally-hosted splash page allows you full control over the sequencing and presentation of a splash page, similar to the functionality of CoovaChilli in 4xx firmware. Alternatively, internally-hosted splash pages are simpler, but provide less flexibility.

Externally-hosted splash pages are stored and executed on a web server that you define, and must respond appropriately to certain messages from the Access Point in order to present the appropriate user interface to the user at each stage of the authentication process.

When combined with RADIUS Authentication, CloudTrax will consult an external RADIUS server that you specify in order to determine whether to authenticate the user. The user interface presented to the user will be determined by the external splash page.

This walk-through shows you how to configure CloudTrax to use an externally-hosted splash page with an external RADIUS server to handle authentication. You will need to customize the generated HTML for your purpose, or perhaps re-implement the external splash page in a manner and language of your choice.

Configure the RADIUS Server

The first step is to configure a RADIUS server that will be accessible from the Access Points on your network. The following steps will be required; the particular details will depend on which RADIUS server you are using.

  1. Set up the RADIUS server. If you already have a configured RADIUS server, then you may use it without configuring another server. Common RADIUS servers are available from the FreeRADIUS project, and with Microsoft Windows Server.
  2. Configure the RADIUS server to provide access for the Users that you wish to be able to authenticate. At minimum, you'll need to provide a User Name and Password for each. Optionally, for each user, you may configure the maximum upload and download bandwidth and a session timeout; these are set using the attributes WISPr-Bandwidth-Max-Up, WISPr-Bandwidth-Max-Down, and SESSION_TIMEOUT, respectively.
  3. Note the IP address (or Hostname) and the secret of the RADIUS server. These will be needed in the steps below.

Configure the External Splash Page Server

The external splash page must be hosted on a web server that will be accessible from the Access Points on your network. The following must be accomplished, but the particular details will depend very much on your web hosting environment.

  1. Set up the web server.
  2. Install the attached PHP file (splash.php) so that it will be served by the web server in response to a given URL.
  3. Note the URL from step two: it will be needed in the steps below.
  4. You may edit the PHP to meet your needs. You may want to do this only after you have a successfully operating solution.
  5. The PHP code contains a secret that's shared with the CloudTrax server, and which helps to protect the user's login information. You should change that secret, and note it for use in the steps below.

Configure CloudTrax

The splash page and authentication are specified separately in CloudTrax for each SSID.

  1. Select Configure -> SSID 1 (or specify a different SSID number if you want to use a different SSID).
  2. Select "Hosted Remotely" for the type of Splash Page
  3. Enter the URL of the hosted splash page.
  4. Enter the shared secret for the splash page.
  5. Select RADIUS for Splash Page Authentication
  6. Enter the IP Address or Hostname of your RADIUS server under Server Address 1. If you have a secondary/backup RADIUS server you may enter it for Server Address 2.
  7. Enter the server secret for your RADIUS server under Server Secret. A RADIUS server limits access to only those knowing its secret.
  8. The setting "Block duration of XX minutes" within CloudTrax specifies how often the password challenge is cycled. We suggest setting this to at least 10 minutes; otherwise, passwords may be decrypted incorrectly.
  9. If a NAS ID is required in your usage, enter it as well. A NAS ID may be used to pass additional information about an authentication request to the RADIUS server.
  10. Normally, after a user is successfully authenticated they will be taken to the web-page that triggered the splash page. If instead you would like them to be taken to a common completion page, you may enter an explicit Redirect URL.
  11. Save changes to the SSID configuration.
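
The shared secret and the cycled password challenge described above interact as sketched in the following added example, which is not the attached splash.php or CloudTrax code. It assumes a CoovaChilli-style encoding (MD5 of the challenge plus the shared secret, XORed over the password); the function names, challenge values and secret are constructed for illustration.

```python
import hashlib

# Constructed sample values (assumptions, not taken from splash.php or CloudTrax).
SHARED_SECRET = "change-me-splash-secret"
CHALLENGE = "00112233445566778899aabbccddeeff"          # challenge issued with the splash page
ROTATED_CHALLENGE = "ffeeddccbbaa99887766554433221100"  # challenge after it has been cycled


def _key(challenge_hex: str, secret: str) -> bytes:
    """Derive the 16-byte XOR key from the hex challenge and the shared secret."""
    challenge = bytes.fromhex(challenge_hex)  # raises ValueError on malformed hex
    if not challenge:
        raise ValueError("empty challenge")
    return hashlib.md5(challenge + secret.encode("utf-8")).digest()


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR data against the key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_password(plain: str, challenge_hex: str, secret: str) -> str:
    """Splash-page side: obscure the password before sending it to the Access Point."""
    data = plain.encode("utf-8") + b"\x00"  # NUL terminator marks the end of the password
    return _xor(data, _key(challenge_hex, secret)).hex()


def decode_password(encoded_hex: str, challenge_hex: str, secret: str) -> bytes:
    """Receiving side: recover the bytes up to the first NUL with the current challenge."""
    raw = _xor(bytes.fromhex(encoded_hex), _key(challenge_hex, secret))
    return raw.split(b"\x00", 1)[0]


def demo() -> dict:
    """Show a matching challenge, a cycled challenge and a mismatched secret."""
    encoded = encode_password("correct horse", CHALLENGE, SHARED_SECRET)
    return {
        "same_challenge": decode_password(encoded, CHALLENGE, SHARED_SECRET),
        "cycled_challenge": decode_password(encoded, ROTATED_CHALLENGE, SHARED_SECRET),
        "wrong_secret": decode_password(encoded, CHALLENGE, "secret-typed-wrong"),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value!r}")
```

Only the matching challenge and secret recover the password; a challenge cycled between page load and form submission, or a secret that differs between splash.php and CloudTrax, yields unrelated bytes that RADIUS then rejects.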

Test the Configuration

The splash page and RADIUS configuration are now complete. Unauthenticated users should be presented with the splash page. The User Name and Password they enter into the splash page form will be evaluated by the RADIUS server. Only those users successfully authenticated by the RADIUS server will be allowed access to the Internet.

Fail-Safe Behavior

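Note that in the case of a server configuration or runtime error, CloudTrax is designed to fail-safe: if the specified Splash Page or RADIUS server cannot be reached, or is not configured correctly, the user will be given access for a period of time. In security terms this is fail-open behavior: while either server is unavailable or misconfigured, users gain access without being authenticated.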