Step-by-step instructions to set up a captive portal with Cambium and Cloudi-Fi for user authentication.
Use case
The following sections cover External Hotspot integration with an on-premise cnMaestro, where the user credentials are securely POSTed to cnMaestro and the user is authenticated against an external RADIUS server.
A secure POST requires a certificate, and installing a certificate on every AP in a large deployment is not straightforward, so we provide the option to install the certificate at a single point (cnMaestro) for the whole network. This option has a second benefit: the external portal can POST directly to cnMaestro, so the login flow takes place entirely between the client and the external portal. That avoids the problems with cross-origin requests, which browsers are gradually blocking.
Customers who want a secure communication channel for user authentication should choose to POST the user credentials to cnMaestro. To use this feature, enable External Portal Post Through cnMaestro, which is available in Guest Access.
In the general workflow, an external web server and cnMaestro are configured to accept HTTPS POST messages from the client.
This setup consists of the following main parts:
- Supplicant (wireless clients: laptops, mobile phones, etc.)
- Cloudi-Fi Portal
- DNS server
- On-Premise cnMaestro
- Authenticator (Cambium Access Point)
- HTTPS POST by client
- Authentication Server (RADIUS)
1. Get Cloudi-Fi required URL
If the location doesn't already exist in the Cloudi-Fi Admin interface, create it as follows:
Go to Admin UI > Location, create a New Location, and enter the required details for the new location:
- Location Name
- Type (Redirect URL)
- Portal template
- Country
Location URL: this URL will be used to configure an External Captive Portal.
Access the Cloudi-Fi administration console > Location, click on the menu button for the location and select "Copy Splash page URL".
Transform the URL as follows:
- Cloudi-Fi: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spsomething.com
- Cambium: https://login.cloudi-fi.net/start/ch/ebd2egzrfgrg/lh/qgrzqrgegs/sp/spcambiumct.com
2. Load the certificate on cnMaestro
First, choose a hostname on a domain name you own, so that you can purchase a public certificate for it.
Let's take guest.3wi.fi as an example. You must purchase a public server certificate with a CN (Common Name) attribute equal to guest.3wi.fi in our example.
In cnMaestro > Application > Server > SSL Certificates > Import, import your certificate.
Select "Import Signed Certificate and new Key".
After loading the certificate, change the guest portal's URL to reflect the new hostname under Services > Guest Access Portal > Guest Portal Hostname / IP.
Note: The DNS server's forward zone should be updated with an entry that points to the cnMaestro hostname. This ensures that external DNS can answer the query when a client tries to contact the redirected URL (which the AP provides for contacting cnMaestro).
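A pre-import check for the certificate and key from this step, as an added example that is not part of the original guide or of Cambium's or Cloudi-Fi's tooling. It assumes PEM files, an unencrypted private key and the openssl command line; the function names are hypothetical.

```bash
# Pre-import checks for the certificate and key loaded in step 2 (added example).
# Assumes PEM files, an unencrypted private key and the openssl CLI.

# True when the certificate is valid for the hostname (SAN, else CN).
cert_matches_host() {  # cert.pem hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# True when the private key belongs to the certificate's public key.
key_matches_cert() {  # cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is still valid N days from now.
cert_valid_for_days() {  # cert.pem days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks, prints each failure, returns the failure count.
preimport_check() {  # cert.pem key.pem hostname [min_days]
    failures=0
    cert_matches_host "$1" "$3" ||
        { echo "FAIL: certificate does not cover $3"; failures=$((failures + 1)); }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: key does not match certificate"; failures=$((failures + 1)); }
    cert_valid_for_days "$1" "${4:-30}" ||
        { echo "FAIL: expires within ${4:-30} days"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed sample input: throwaway self-signed pair for trying the checks.
make_demo_pair() {  # out_dir hostname days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}
```

Run `preimport_check cert.pem key.pem guest.3wi.fi` against the purchased pair before importing it; a non-zero exit status is the number of failed checks.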
3. Configure the external captive portal in Cambium
First, on cnPilot > Access Points, configure the WLAN.
Then, on cnMaestro > Shared Settings > WLANs > AP Groups WLANs:
WLAN: Key in the WLAN name and description. By default, the WLAN Name is taken as the SSID Name.
AAA Server: Key in the AAA server settings, such as the IP address (RADIUS server) and shared secrets.
RADIUS Secret: You can get the Secret by asking the Chatbot. Cloudi-Fi's Support team will provide you with the necessary information.
Guest Access: Enter the URL of the captive portal hosted on an external web server and select other required parameters.
What's Next?
Congratulations on enabling the captive portal with Cambium!
You can visit our partner page for additional information on Cambium Networks’ solution partnership.