Step-by-step instructions to set up a Radius-based captive portal with Huawei iMaster NCE-Campus controller and Cloudi-Fi for user authentication.
Use Case
This guide provides step-by-step instructions for integrating the Cloudi-Fi captive portal with Huawei iMaster NCE-Campus. This setup enables Radius-based user authentication, ensuring a secure and seamless network access experience.
Cloudi-Fi captive portal SSID and Radius configuration diagram
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Access to the Huawei iMaster NCE-Campus.
- Access to Cloudi-Fi’s admin console.
- Cloudi-Fi Radius IPs and Secret.
- Knowledge of your network’s IP addressing scheme.
- Firewall ports allowed:
  - HTTP, HTTPS
  - DNS
  - RADIUS: UDP 1812, 1813
1. Get the Cloudi-Fi required URL
If the location doesn't already exist in the Cloudi-Fi Admin interface, create it as follows:
- Go to the "Location" section in the Cloudi-Fi Admin interface.
- Create a new location and enter the required details:
  - Location Name
  - Type (Redirect URL)
  - Portal template
  - Country
Location URL: this URL will be used to configure an External Captive Portal. To copy it:
- Access the Cloudi-Fi administration console
- Select the location
- Click on the menu button for the location
- Select "Copy Splash page URL"
Transform the URL as follows:
Cloudi-Fi
https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/spsomething.com
Huawei iMaster NCE-Campus
https://login.cloudi-fi.net/start/ch/ebd2egzrfgrgq2/lh/qgrzqrgegs/sp/sphuaweiap.com
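The transformation above, scripted as an added example (not Cloudi-Fi or Huawei code). It assumes, from the two sample URLs only, that the change is limited to replacing the value after the /sp/ path key with sphuaweiap.com; the function name is hypothetical.

```python
from urllib.parse import urlsplit

PORTAL_HOST = "login.cloudi-fi.net"  # host used in the page's sample URLs
HUAWEI_SP = "sphuaweiap.com"         # value after /sp/ in the page's Huawei URL

def to_huawei_portal_url(splash_url: str) -> str:
    """Return the copied splash page URL with the /sp/ value set for Huawei.

    Assumption (inferred from the sample URLs): the path is /start/ followed
    by key/value pairs, and only the value after the "sp" key changes.
    """
    parts = urlsplit(splash_url.strip())
    # Refuse anything that is not the HTTPS portal host, so a mistyped or
    # look-alike URL never ends up as the controller's redirect target.
    if parts.scheme != "https" or parts.hostname != PORTAL_HOST:
        raise ValueError(f"not an https://{PORTAL_HOST} URL: {splash_url!r}")
    segments = parts.path.split("/")
    if len(segments) < 2 or segments[1] != "start":
        raise ValueError("path does not begin with /start/")
    # Keys sit at even indexes after "start": ch, lh, sp, ...
    for i in range(2, len(segments) - 1, 2):
        if segments[i] == "sp":
            segments[i + 1] = HUAWEI_SP
            return parts._replace(path="/".join(segments)).geturl()
    raise ValueError("no /sp/<value> pair found in the URL path")
```

The function is idempotent, so running it on a URL that was already transformed returns the same URL.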
2. Get Radius information
To set up, you will need the Radius information (Server IPs, Secret, Ports).
- IP addresses of the Radius servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
- The Secret (provided by Cloudi-Fi Support)
You can get the Secret by asking in the Chatbot. Cloudi-Fi’s Support team will provide you with the necessary information.
What shared secret is used for the Radius server? (Please save this confidential information securely, and do not share it publicly).
3. Create a Radius relay server
- Go to the Plan section
- Under Design > Network Design > Template Management.
- Find and choose the Radius Relay server section.
- Create a new server and configure it as follows.
  - Name: Give it a name, for instance, "Cloudi-Fi-Radius".
  - Authentication service: Portal authentication
  - Authentication server address: Add Cloudi-Fi Radius servers
  - Authentication protocol: PAP Protocol
  - NAS identifier: Device MAC
  - Timeout period: 20 seconds
- After entering all the details, save your settings to finalize the setup.
4. Create ACL
- Go to the Plan section
- Under Design > Network Design > Template Management.
- Find and choose the ACL section.
- Create a new ACL and configure it as follows.
  - Name: Give it a name, for instance, "Cloudi-Fi-ACL".
  - ACL Type: User
  - Rule list: add the following
    - Cloudi-Fi captive portal domain: *.cloudi-fi.net
    - DNS
    - Huawei domain: *.huawei.com
- After entering all the details, save your settings to finalize the setup.
5. Configuring an SSID
- Go to the Plan section
- Under Provision > Device Configuration > Site Configuration.
- Go to AP section and create a new SSID
- Give a unique name to your SSID.
- Choose the VLAN that will be used for this SSID.
- Opt for Open Network and select Open+Portal authentication.
- Set the authentication type to Relay authentication by cloud platform.
- Select Radius relay as the interconnection mode.
- Choose HTTPS for the page push protocol.
- Set third-party portal authentication parameters as follows:
  - Username: username
  - Password: password
  - Redirect URL matching rule: Redirect URL
  - Redirect URL upon authentication success: https://login.cloudi-fi.net/success.php
- Radius relay server: select "Cloudi-Fi-Radius".
- Ensure Portal authentication-free is unchecked.
- Select Cloudi-Fi-ACL for the default permit rule.
After reviewing all the settings, save the configuration to apply the changes.
6. Create URL template
- Go to the Plan section
- Under Design > Network Design > Template Management.
- Find and choose the URL Template section.
- Create a new URL Template and configure it as follows:
  - Name: Give it a name, for instance, "Cloudi-Fi-URL-Template".
  - Template Type: Cloud platform-based relay authentication
  - Parameters in template: Configure as follows:

| Parameter | Parameter Name |
| --- | --- |
| redirect-url | redirect-url |
| loginurl | login-url |
| device-mac | ap-mac |
| user-ip | uaddress |
| user-mac | umac |
| ssid | ssid |
7. Configure portal page push policy
- Go to the Policy section
- Under Admission > Admission Resources > Page Management.
- Go to Portal Page Push Policy and create a new Policy.
  - Give a unique name to your Policy
  - Select the desired Site(s) where the Captive Portal will be deployed
  - Access Mode: Wireless
  - Authentication mode: Cloud platform-based relay authentication
  - Interconnection mode: RADIUS Relay
  - URL Template: Select Cloudi-Fi-URL-Template
  - Third-party authentication URL: Paste your captive portal URL
- To finalize your settings, click on Apply.
Troubleshooting
Firewall problem
- Before beginning, check that the firewall rules listed in the Prerequisites section are active.
- If you still encounter problems after following all the configuration steps, follow the steps below and provide the results to the Cloudi-Fi support team:
  - Make a web capture of your browser
  - Share with the Cloudi-Fi support team:
    - The URL of the captive portal configured on Huawei
    - The user ID facing the error page
Captive portal display issue before or after authentication
- The problem may be related to DHCP or DNS.
- Check that your private IP address is valid.
- Check that login.cloudi-fi.net is resolved.
- Type http://neverssl.com in your browser to trigger the redirection to the portal.
- If the captive portal still does not appear, check the ACL.
Error after authentication on the page
If, once connected to the SSID, you see a Cloudi-Fi error page instead of your captive portal:
- Check the configuration of the Radius server:
  - The IP address of RADIUS
  - RADIUS port (default port 1812)
  - The pre-shared key
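Why a mismatched pre-shared key fails authentication even when the user's password is correct, as an added example (not Cloudi-Fi or Huawei code): with PAP, the User-Password attribute is obfuscated with the shared secret as defined in RFC 2865, so a server holding a different secret decodes garbage. The credentials, secrets and MAC-style NAS identifier below are constructed sample values.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # RFC 2865 attribute types

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(1, -(-len(password) // 16)) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, derived from the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _keystream_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, nas_id, ident, authenticator) -> bytes:
    attrs = b""
    for typ, value in ((USER_NAME, user),
                       (USER_PASSWORD, hide_password(password, secret, authenticator)),
                       (NAS_IDENTIFIER, nas_id)):
        attrs += struct.pack("!BB", typ, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs  # code 1

def password_seen_by_server(packet: bytes, server_secret: bytes) -> bytes:
    """Walk the attribute TLVs and decode User-Password with the server's secret."""
    length, pos = struct.unpack("!H", packet[2:4])[0], 20
    while pos + 2 <= length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if typ == USER_PASSWORD:
            return reveal_password(packet[pos + 2:pos + alen], server_secret, packet[4:20])
        pos += alen
    raise ValueError("no User-Password attribute")

# Constructed values; a real Request Authenticator is 16 random bytes per request.
RA = bytes(range(16))
PKT = build_access_request(b"guest", b"portal-pass", b"secret-on-controller",
                           b"AA-BB-CC-DD-EE-FF", 7, RA)
```

Decoding `PKT` with `b"secret-on-controller"` returns the original password; decoding it with any other secret returns different bytes, which the server rejects as a bad password.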
By following these steps, you can enable the Cloudi-Fi captive portal in your Huawei iMaster NCE-Campus environment and provide a seamless and hassle-free experience for your network users when connecting to the SSID.
Don't hesitate to contact our team (see "How to contact your support?") to make the necessary changes to your captive portal, or consult the articles in our online knowledge base.