Deployment Guide
Table Of Contents
- Table of Contents
- Preface
- About Extreme Campus Controller Deployment
- Configuring DHCP, NPS, and DNS Services
- Centralized Site with a Captive Portal
- Centralized Site with AAA Network
- Deploying a Mesh Network
- Configuring an External NAC Server for MBA and AAA Authentication
- Manage RADIUS Servers for User Authentication
- External Captive Portal on a Third-Party Server
- Access Control Rule Admin Portal Access
- Deploying Centralized Web Authentication
- Deploying ExtremeCloud IQ - SE as an External Captive Portal
- Deployment Strategy
- Configuring an External Captive Portal Network
- Editing the Configuration Profile for Network and Roles
- Extreme Campus Controller Default Pass-Through Rule
- Adding Extreme Campus Controller as a Switch to ExtremeCloud IQ - Site Engine
- Editing the Unregistered Policy on ExtremeCloud IQ - Site Engine
- Editing the ExtremeCloud IQ - Site Engine Profile for Policy and Location-Based Services
- Deploying an ExtremeGuest Captive Portal
- Deploying Client Bridge
- Deploying an Availability Pair
- Deploying Universal APs
- Extreme Campus Controller Pair with ExtremeLocation and AirDefense
- ECP Local Authentication
- PHP External Captive Portal, Controller’s Firewall Friendly API
- Index
The parameters in the redirection response are summarized in the table below.
Table 12: Parameters in the Redirection to Extreme Campus Controller, using RADIUS
authentication
Parameter
Name
Parameter Value Mandatory Notes
wlan Numeric String Yes An identifier for the WLAN Service that the client
is using to access the network.
username Alphanumeric
String
Yes The user ID is mandatory even if the URL is
signed. It is used to identify the client in reports
and accounting messages, even if it is not used to
authenticate the client.
password Alphanumeric
String
Yes The password is mandatory if the client is to be
authenticated using RADIUS. It must be the
password that the authenticating RADIUS server
associates with the user ID.
dest URL Conditional The dest parameter is required only if the
appliance is configured to redirect the client to its
original destination. The appliance directs the
client’s browser to an error page if it is configured
to redirect to the original destination and the dest
parameter is not returned to the appliance.
Related Topics
Signing the Redirection to Extreme Campus Controller on page 106
Case 2: When the ECP is the Final Authority on page 108
Case 2: When the ECP is the Final Authority
If the ECP makes the final authentication and authorization decision, it must sign the redirection
response it sends to the client’s browser. If it signs the redirection, it can include options that the
appliance applies to the authorized client’s session, including an access control role and the maximum
duration for the client’s session. Table 11 on page 95 lists all the parameters that can appear in a signed
redirection response from the ECP, and which of them are mandatory in this case.
The syntax of an unsigned ECP redirect to the appliance is:
[http | https]://<controller-IP-address-or-FQDN>{: <port>}/ext_approval.php?
token=<token>&wlan=<wlanid>&username=<userid>{&dest=<dest>}{&role=<rolename>}{&opt27=<max-
seconds-duration>}&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<Scoped-
Credential>&X-Amz-Date=<YYYYMMDDThhmmssZ>&X-Amz-Expires=<duration>&X-Amz-
SignedHeaders=host&X-Amz-Signature=<signature>
Where
• {…} denotes an optional component of the URL.
• [http | https] is either “http” or “https” depending on how the WLAN service’s captive portal is
configured.
• :// is the literal string.
• <controller-IP-address-or-FQDN> is the appliance’s IP address or Fully Qualified Domain Name.
Case 2: When the ECP is the Final Authority
External Captive Portal on a Third-Party Server
108 Extreme Campus Controller Deployment Guide for version 5.46.03