Table of Contents
Background
Description
Benefits
Theory of Operation
  Internal Login/Splash
  External
Configuration
  Web Page Redirect Configuration Using the Web Management Interface (WMI)
Tips and Recommendations
Rev 011810
Background
Web Page Redirect (WPR) is an authentication technique which forces a client to view a special web page before accessing the network or Internet. This special web page can be used for several purposes:
- Authentication device wherein a user must enter a username and password before accessing network resources.
- To inform the user about the Terms and Conditions of using the network before allowing access.
- Captive Portal that can intercept a web page request by the client device and redirect them to a specific web page before accessing the network.
The most well-known examples of WPR are in Wi-Fi hotspots such as hotels or coffee shops. At a hotspot a user will typically associate to the wireless network, type the URL of a website, and then the service provider will redirect the user to a special web page. This page will request the user to select a service plan, create a username and password, and enter a means to pay for the service. Once the user has been authenticated, the user can then be redirected back to the originally requested URL. Another common example is at a university where there are a large number of guest users. When a guest user accesses the network, a page may be presented describing the regulations of accessing the network as well as presenting key information such as a campus map and university phone numbers.
Description
The Xirrus Wi-Fi Array implements Web Page Redirect (WPR) as a web-based means of authenticating users into the Wi-Fi network. The Array intercepts a user's request for access and redirects the user to an authentication page or a splash screen. The Array provides a simple and free means of creating a captive portal. Web Page Redirect can be uniquely configured on a per-SSID basis. With the Xirrus Array, the screen presented to the user (e.g. the splash screen) can reside on the Array itself, or the Array can point a user to an external web server that hosts the landing page. Additionally, user authentication can be controlled by an internal RADIUS server that resides on each Array, or can be controlled by an external server on the network.
Benefits
The main goal of WPR is to provide a secure mechanism for accessing an open wireless network and to provide a layer of security for guest access in wireless hotspot locations. Some of the key benefits of WPR are as follows:
- Home Page Redirection: Once connected to the public access network, the Xirrus WPR feature intercepts the user's requested URL and then directs the user to a web site to either securely sign up for service or
Theory of Operation
WPR displays a splash or login page when a user associates to the wireless network and opens a browser to any URL. The user-requested URL is captured, the user's browser is redirected to the splash or login page, and then the browser is redirected either to the specified landing page, if any, or back to the captured URL. Users can be directed to a splash/login page that resides internally on the Array or externally on a web server.
Internal Login/Splash
The internal login feature displays a login page or splash screen residing on the Array instead of the first user-requested URL. For Internal there are two modes:
- Internal Splash: Displays a splash page instead of the first user-requested URL. The splash page files reside on the Array. This mode can also be configured to simply redirect the user to a specified landing page without presenting the splash page.
- Internal Login: Displays a login page instead of the first user-requested URL. The login page resides on the Array. Internal Login requires the use of a RADIUS server to authenticate the user. The RADIUS server can reside internally on the Array or can be an external server that is reachable from the Array.
External
The external login feature redirects the user to a login page that resides on an external web server for authentication, instead of the first user-requested URL. The external login page will collect the username and password and then pass the credentials back to the Array for authentication. The Array then sends the username and password to the internal or external RADIUS server to verify user authentication. If authentication is successful, the browser is redirected back to the user-requested URL or to a specific landing page instead (entered in the WMI as the WPR Landing Page URL).
Configuration
Web Page Redirect Configuration Using the Web Management Interface (WMI)
(Note: In order for WPR to work correctly, the Array must be able to resolve DNS. Please make sure that a DNS server is defined and reachable from the Array.)
1. Web Page Redirect can be set for a specific SSID or just for a specific User Group. Each User Group will use the Internal Splash/Login screen of its associated SSID; however, each SSID can have its own Landing Page. WPR is enabled under the SSID / SSID Management screen.
2. Enable WPR by selecting the WPR check box for the appropriate SSID. In most cases you will uncheck the Global setting to configure authentication on a per-SSID basis.
When enabled, a new WPR section appears at the bottom of the configuration screen.
3. For Internal Login, the login page obtains the user name and password and authenticates the credentials. The login page resides internally on the Array; however, the authentication can take place against either an internal or external RADIUS server. You can create a single Guest
- Select Internal Login
- Define a landing page to redirect the user to after login is successful. (Optional)
- Choose HTTPS On or Off (Note: if this is turned off, the username and password will be sent as clear text).
- Select Internal Radius Server
- Click Apply
- Configure username and password on Array Internal Radius server settings under Security -> Internal Radius
b. External RADIUS Server:
- Select Internal Login
- Define a landing page to redirect the user to after login is successful. (Optional)
- Choose HTTPS On or Off (Note: if this is turned off, the username and password will be sent as clear text).
- Select External Radius Server
- Enter the External Radius Server settings
- Select RADIUS Authentication Type
- Click Apply
4. For Internal Splash screen, the Array presents the user with a web page containing Terms of Usage or advertising, or simply redirects the user to another web page. The following steps present the user with a default splash page. To customize the splash page, see Customizing WPR Files.
a. Internal Splash with no timeout (splash page is presented until user clicks proceed):
- Select Internal Splash
- Set Timeout to Never
- Define a landing page to redirect the user to after login is successful (Optional)
- Click Apply
b. Internal Splash with timeout (splash page is presented for defined number of seconds, user is then redirected to landing page):
- Select Internal Splash
- Set Timeout to desired value
- Define a landing page to redirect the user to after login is successful
- Click Apply
c. No Splash, Landing page only (user is redirected to landing page without presenting a splash page beforehand):
- Select Internal Splash
- Set Timeout value to 1
- Define a landing page to redirect the user to
- Click Apply
5. For External mode, the login page resides on an external web server. The external web server must be capable of executing Perl scripts, and the Xirrus-provided wpr.cgi, wpr.pl, and hs.css files need to be loaded. See External Web Server Setup and Customizing WPR Files.
- Select External
- Enter Redirect URL. This is the URL or IP address of the external web server.
- Enter the Redirect Secret. This is the secret passphrase defined in the .cgi file that resides on the external web server. This is NOT the Radius Secret.
- Select Radius Authentication Type
- Select Internal Radius Server
- Click Apply
- Configure username and password on Array Internal Radius server settings under Security -> Internal Radius
b. External Redirect with External Radius (Web page resides on external server, authentication is handled by external Radius server):
- Select External
- Enter Redirect URL. This is the URL or IP address of the external web server.
- Enter the Redirect Secret. This is the secret passphrase defined in the .cgi file that resides on the external web server. This is NOT the Radius Secret.
- Select Radius Authentication Type
- Select External Radius Server
- Click Apply
6. For customizing WPR Files, there are three main files used by the Array to display the WPR splash and login pages. Two of these files are used in adjusting the look and feel of each page. Users can edit these files to customize their splash and login pages to fit the client's needs and then upload them to the Array. Some knowledge of HTML is preferred before attempting to edit these files.
c. $html_body_bottom
This variable defines the HTML code that is responsible for displaying the bottom of the splash/login page.
d. $html_splash
This variable defines the HTML code that will be presented between the body top and the body bottom when in Internal Splash mode, e.g., terms and conditions, proceed button.
hs.css
The hs.css file is a cascading style sheet that can be used to set default HTML settings that are applied to the entire splash/login page. A cascading style sheet (CSS) is typically used in defining global settings that would apply to any page in which the CSS is called. For instance, a user may choose to have a default text or background color that would apply to the body section of a web page. You may also modify the default font size for certain head types or title lines.
7. After customizing files to change the look and feel of the Splash or Login page, you must load the pages on the Array in order for your changes to take effect. These files can be uploaded in the Tools/System Tools page. From this page you can also list all WPR files that currently reside on the Array and remove them as well.
Each SSID that has WPR enabled may have its own page. Custom files for a specific SSID must be named based on the SSID name. For example, if the SSID is named Public, the default wpr.pl should be modified as desired and renamed to wpr-Public.pl. If you modify and upload files named wpr.pl and hs.css, they will replace the factory default files and will be used for any SSID that does not have its own custom files, per the naming convention just described.
Uploading Files
a. Enter the filename and directory location (or click Browse to locate the splash/login page files).
b. Click on the Upload button to upload the new files to the Array.
c. In order for your changes to take effect, you must reboot the Array.
Removing Files
a. Use the List Files button to show you a list of files that have been saved on the Array for WPR.
b. Enter the name of the WPR file you want to remove.
Integrating with IIS 7 on Windows 2008 Server
1. Add IIS as a role through Server Manager if it has not been enabled already.
2. Download and install ActivePerl for Windows: http://www.activestate.com/activeperl/
3. Create a handler mapping that associates "*.pl" requests with ActiveState's perlex30.dll extension using the following steps:
a. Open Internet Information Services (IIS) Manager
- For Request Path, enter "*.cgi" (without the quotes).
- For Module, select "IsapiModule" from the dropdown list. Note that the ISAPI module is a prerequisite. If it does not show up on this list, it will need to be installed as an IIS optional component.
- For Executable, enter "c:\perl\bin\perl.exe %s %s" (without the quotes). Note that this assumes that you've installed ActiveState Perl using its default location. If you installed it in another location, you will need to look there for perl.exe.
- For Name, enter "ActiveState Perl for .cgi" (without the quotes). Note that this name is just a label and does not affect functionality. It does need to be unique, though. If you are going to be associating other file extensions with ActiveState Perl, the names for those mappings will need to be different.
4. IIS by default creates a folder C:\inetpub\wwwroot. This is the directory where you will place the wpr.cgi and all dependent files to demonstrate basic functionality. In most cases you will want to create a virtual directory under the Default Web Site in IIS Manager. Do this by right-clicking on the Default Web Site in the left-hand side of the IIS Manager and choosing Virtual Directory. Create an alias for this directory and define a physical path where the cgi files are located.
5. Place the wpr.cgi, wpr.pl, hs.css, and any image files in the folder pointed to by your new virtual directory. Sample files can be found at: http://support.xirrus.com
6. By default, the wpr.cgi file is written to support Linux-based operating systems. There are 3 items in the wpr.cgi file that need to be adjusted to support IIS 7.
- Change the first line in the file, #!/usr/bin/perl, to the path in which the perl.exe file resides on your server: #!c:\perl\bin\perl.exe
- Change the image path to reflect the image path in your virtual directory: $imagepath = "../icons/";
- Change the location of the wpr.pl file to match where you have placed it on your server: require '../htdocs/icons/wpr.pl';
Please note that the $imagepath and require elements are relative to the directory in which the wpr.cgi file is located. For example, if the wpr.cgi file is located in C:\inetpub\wwwroot\iiswpr\, then $imagepath=../icons/ would refer to images that have been placed in C:\inetpub\wwwroot\icons.
The wpr.cgi file is the main Perl script that is responsible for building the splash/login page. This script also handles all of the backend data execution such as presenting a splash or login page to the user, gathering username/password parameters, and passing a user's response to the Array for authentication and network access.
7. Restart IIS.
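The relative-path rule from step 6, as an added example that is not part of the Xirrus document or its sample files: this Python check reads the three edited lines of a wpr.cgi and resolves $imagepath and the require target against the directory holding wpr.cgi, using Windows path rules so it can run on any workstation before the files are copied. The function name check_wpr_cgi, the deployed-file listing, and the SAMPLE_CGI excerpt are assumptions constructed for illustration.

```python
import ntpath
import re

# Constructed excerpt: only the three lines of wpr.cgi that step 6 says to edit.
SAMPLE_CGI = r'''#!c:\perl\bin\perl.exe
$imagepath = "../icons/";
require '../htdocs/icons/wpr.pl';
'''

def check_wpr_cgi(cgi_text, cgi_dir, deployed_files):
    """Resolve wpr.cgi's IIS-specific settings against cgi_dir (hypothetical helper).

    deployed_files: Windows paths of the files copied to the server, supplied
    by the caller so the check can also run away from the server.
    Returns (resolved, findings).
    """
    deployed = {ntpath.normcase(ntpath.normpath(p)) for p in deployed_files}
    resolved, findings = {}, []

    first = cgi_text.splitlines()[0] if cgi_text.strip() else ""
    if not first.startswith("#!"):
        findings.append("no interpreter line")
    elif first[2:].strip().startswith("/"):
        findings.append("interpreter line is still a Unix path: " + first)
    else:
        resolved["perl"] = first[2:].strip()

    patterns = {
        "imagepath": r'^\s*\$imagepath\s*=\s*["\']([^"\']+)["\']',
        "require": r'^\s*require\s+["\']([^"\']+)["\']',
    }
    for name, pattern in patterns.items():
        match = re.search(pattern, cgi_text, re.M)
        if match is None:
            findings.append(name + " line not found")
            continue
        # Both values are relative to the directory that holds wpr.cgi.
        path = ntpath.normpath(ntpath.join(cgi_dir, match.group(1)))
        resolved[name] = path
        if name == "require" and ntpath.normcase(path) not in deployed:
            findings.append("wpr.pl not deployed at " + path)
    return resolved, findings

if __name__ == "__main__":
    print(check_wpr_cgi(SAMPLE_CGI, r"C:\inetpub\wwwroot\iiswpr",
                        [r"C:\inetpub\wwwroot\htdocs\icons\wpr.pl"]))
```

An empty findings list means the interpreter line has been changed from the Linux default and the require target exists in the supplied listing; the resolved paths show where IIS will actually look.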