Third-Party Hosted Captive Portal with RADIUS Authentication

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

With this third-party hosted option with RADIUS authentication, a guest user is redirected to a portal hosted on an external server. The guest user is authenticated by a RADIUS server when the user logs in to the external portal.

These steps describe the work flow for guest user authentication to a portal using RADIUS:

  1. A Wi-Fi user connects to the guest SSID and opens a URL from any web browser using the HTTP protocol.
  2. The AP intercepts this request and redirects the browser to the configured external portal page, including these request parameters as the GET parameters of the redirected URL. For example:

https://www.example.com/guest-login.php?res=notyet&challenge= b22bc0c9da62277a4138b5d0d686bf2c&service_id=&login_url=http://172.17.30.54:5282/logon&logoff_url=http://172.17.30.54:5282/logoff&ap_id=00:11:74:96:57:BF&uamip=172.17.30.54&uamport=5282&ap_ssid=Guest-Wi-Fi&client_mac=8C:FA:BA:89:07:8C&blackout_time=0&userurl=http://www.watchguard.com/&failure_count=0

  • Challenge (challenge) — A random sequence of bytes in the hexadecimal format provided to the portal for encoding the plain text password.
  • Login URL (login_url) — Portal redirects the web browser to this URL after accepting the username and password from the user.
  • AP MAC address (ap_id) — MAC address of the AP.
  • AP IP address (uamip) — IP address of the AP.
  • AP Port Number (uamport) — Port number on which the HTTP service is available on the AP.
  • Failure Count (failure_count) — Number of previous failed attempts by the client.
  • Requested URL (userurl) — Original URL requested by the browser that was intercepted by the AP.
  • Logoff URL (logoff_url) — URL to which the client needs to be redirected for the purpose of logging off from the AP.
  • Blackout Time (blackout_time) — Remaining blackout time.
  • Request Type (res) — Type of request to the portal. This is provided if the portal supports more than one kind of work flow.
  • Client MAC (client_mac) — MAC address of the Wi-Fi client.
  1. The client web browser is redirected to the external splash page for the portal and the user is prompted to type their user name and password.
  2. The captive portal on the external web server encodes the password with a key generated with the shared secret for the portal that is configured in the SSID Profile and the challenge generated and sent by the AP in the redirected URL in Step 2.
  3. The web server uses the login_url parameter from step 2 and appends these GET parameters to the UR L. The portal then redirects the client web browser to this new generated URL (new login URL). For example: http://172.17.30.54:5282/logon?res=success&username=guest&password=a2b89067c1d0781d
  • User name (username) — User name provided by the user in plain text.
  • Password (password) — An encoded form of the password provided by the user.
  • Response Type (res) — Set to "success" or "failure" based on the authentication credentials provided by the user.
  • Login Time (session_timeout) — Optionally, the portal can append the time in seconds for which the Wi-Fi client can access the guest network. After this timeout, the client is redirected to the portal again. If not appended, the client session times-out after the default login timeout configured in the SSID Profile.
  • Redirect URL (redirect) — Optionally, the portal can append the URL to which the web browser is redirected after successful authentication. If not appended, the client is redirected to the redirect URL configured in the SSID Profile or the original requested URL.
  1. The client requests access to the new login URL (redirected from the portal) to the AP.
  2. The AP decodes the password using the shared secret for the portal configured in the SSID profile and the challenge that it originally sent in step 2.
  3. The AP sends the user credentials (user name in plain text) from Step 5 and a re-encoded password using the RADIUS shared secret to the RADIUS server for authentication.
  4. The RADIUS server decodes the password and authenticates the user. if successfully authenticated , the AP allows the client to access the Internet.
  5. The AP redirects the client web browser to the URL sent by the portal (redirect parameter). If the portal did not include the redirect parameter in the login URL in step 5, then the client browser is redirected to the URL configured in the Redirect URL field in the Captive Portal settings of the SSID Profile. If the redirect URL is not configured in the SSID Profile, the client web browser is redirected to the original URL accessed from the client in step 1.

How the Encoded Password is Generated

After the user enters the username and password on the captive portal splash page and submits it for login, the captive portal must perform these tasks:

  1. Encode the password.
  2. Regenerate a login URL using the login_url parameter it received in the request and append the username and encoded password to the URL.
  3. Redirect the client to this new login URL.

These steps describe how the password is encoded:

  1. Convert the challenge parameter sent by the AP from hexadecimal to a byte value.
  2. Generate the key using an MD5SUM of the portal shared secret. If the key length is smaller than the password length, repeat the process until the key is long enough to hide the password.
  3. Encode the plain text password by XOR with the key and convert it to hexadecimal string.

This example code snippet shows how to encode the password using PHP:

<?php 
class RADIUSPortal{ 
	/* These must be initialized from the get parameters provided by AP while redirecting to the portal URL. */
	public $logonURL = ''; 
	public $challenge = ''; 
 
	/* The configured shared secret value must be assigned here (same as 
	that in the SSID profile portal settings). */ 
	public $sharedSecret = null; 
 
	/* username and password submitted by the user in the login form */ 
	public $username; 
	public $password; 
 
	/* Get logon Url. Redirect to this URL from caller. 
	@return string */ 
	public function getApLogonUrl() { 
	$encodedPassword = $this->encodePassword($this->sharedSecret); 
	$responseParam = "res=success&challenge=" . $this->challenge . "&password=" . 
	$encodedPassword[1] . "&username=" . $this->username; 
	return sprintf('%s?%s', $this->logonURL, $responseParam);
 	} 
 
	/* Encode the password using challenge and shared secret 
	* @param type $sharedSecret 
	* @return string */ 
	protected function encodePassword($sharedSecret) { 
 
	/* Convert the challenge from HEX (40bytes) to binary(20bytes) */ 
	$asciiChallenge = pack("H*", $this->challenge); 
 
	$key = md5($asciiChallenge . $sharedSecret, true); 
	# If key isn't long enough, repeat it until it is 
	while (strlen($key) < strlen($this->password)) { 
	$key .= $key; 
	} 
	$encodedPassword = unpack("H*", substr($this->password ^ $key, 0, 
	strlen($this->password))); 
	return $encodedPassword
	}
}	 
?>

Configure Third-Party Hosted Captive Portal with RADIUS Authentication

To configure a third-party hosted captive portal with RADIUS authentication:

  1. In the Splash Page URL and Shared Secret text boxes, type the URL for the splash page and type the shared secret.

For WatchGuard Wi-Fi Cloud portals created with Engage and Analyze, you can find this value in Analyze from the Analyze > Portals page. Click Show for the required portal.

WatchGuard Analyze Portals page

The portal shared secret is used to encode the user password. For more information, see How the Encoded Password is Generated.

Make sure you add your splash page URL to the list of Websites that users can access before login (Walled Garden) entries in your Captive Portal settings so that clients can access the splash page.

  1. Click the RADIUS Settings hyperlink to configure RADIUS server settings that the AP uses to authenticate the wireless user.
  2. From the Interval drop-down list, select a time period for when accounting messages are sent to the RADIUS server. You can configure a value from 1 to 60 minutes. The default is 10.
  3. Configure the Called Station ID and NAS ID options as required. In most cases, you can use the default values.
  • Called Station ID — A free-form text parameter that the AP passes to the RADIUS server in the standard RADIUS parameter, Called-Station-Id, during the authentication or accounting process. You can use one or more of the special format specifiers, %m, %n, %l or %s, to represent the called station ID. The AP replaces %m with the Ethernet MAC address of the AP. The AP replaces %s with the SSID. The AP replaces %l with the location tag. The AP replaces %n with the device name. You can repeat the format specifiers. You can enter text instead of using the format specifiers. The AP uses only the first 255 characters if the length of this parameter exceeds 255 characters.
  • NAS ID — This field is used when a network access server (NAS) serves as a single point to get access to network resources. Usually, a NAS supports hundreds of simultaneous users. When a RADIUS client connects to a NAS, the NAS sends access request packets to the RADIUS server. These packets must contain either the NAS IP address or the NAS identifier. The NAS ID or the NAS-Identifier is used to authenticate RADIUS clients with the RADIUS server. You can specify a string for the NAS ID. You can use one or more of the special format specifiers, '%m, %n, %l and/or %s, to represent the NAS ID. The AP replaces %m with the Ethernet MAC address of the AP. The AP replaces %s with the SSID. The AP replaces %l with the location tag. The AP replaces %n with the device name. You can repeat the format specifiers. The default value of NAS ID is %m-%s. The NAS ID corresponds to the NAS-Identifier attribute on the RADIUS server. The attribute ID for the NAS-Identifier RADIUS attribute is 32. Make sure that the NAS ID is not the same as the shared secret configured for the RADIUS server in the RADIUS Authentication section. The AP uses the first 255 characters if the length of this parameter exceeds 255 characters.