Application Note – Web Page Redirect
Rev 011810

Table of Contents

Background
Description
Benefits
Theory of Operation
Internal Login/Splash
External
Configuration
Web Page Redirect Configuration Using the Web Management Interface (WMI)
Tips and Recommendations

Background

Web Page Redirect (WPR) is an authentication technique which forces a client to view a special web page before accessing the network or Internet. This special web page can be used for several purposes:

• Authentication device wherein a user must enter a username and password before accessing network resources.
• Captive Portal that can intercept a web page request by the client device and redirect them to a specific web page before accessing the network.
• To inform the user about the Terms and Conditions of using the network before allowing access.

The most well known examples of WPR are in Wi-Fi hotspots such as hotels or coffee shops. At a hotspot a user will typically associate to the wireless network, type the URL of a website, and then the service provider will redirect the user to a special web page. This page will request the user to select a service plan, create a username and password, and enter a means to pay for the service. Once the user has been authenticated, the user can then be redirected back to the originally requested URL.

Another common example is at a university where there are a large number of guest users. When a guest user accesses the network, a page may be presented describing the regulations of accessing the network as well as presenting key information such as a campus map and university phone numbers.

Description

The Xirrus Wi-Fi Array implements Web Page Redirect (WPR) as a web-based means of authenticating users into the Wi-Fi network. The Array intercepts a user's request for access and redirects the user to an authentication page or a splash screen. With the Xirrus Array, the screen presented to the user (e.g. the splash screen) can reside on the Array itself, or the Array can point a user to an external web server that hosts the landing page. Additionally, user authentication can be controlled by an internal RADIUS server that resides on each Array, or can be controlled by an external server on the network. Web Page Redirect can be uniquely configured on a per SSID basis. The Array provides a simple and free means of creating a captive portal.

Benefits

The main goal of WPR is to provide a secure mechanism for accessing an open wireless network and to provide a layer of security for guest access in wireless hotspot locations. Some of the key benefits of WPR are as follows:

• Home Page Redirection
  Once connected to the public access network, the Xirrus WPR feature intercepts the user's requested URL and then directs the user to a web site to either securely sign up for service or login if they have a pre-existing account. When redirecting the customer to a new landing page, the original URL is passed as a parameter so the customer can still be directed to the requested URL after the local or personalized landing page has been presented.
• Service Branding
  By allowing network owners to create a splash screen to promote their services, the Xirrus Array allows companies to better brand their name and create a stronger association with the customer.
• Service Tiering
  By using the WPR function in conjunction with User Groups, network administrators can offer different qualities of service to each user. By setting bandwidth limits and restrictions on when users can access the network, administrators have complete control over the end-user's quality of experience.
• Traffic shaping
  By using WPR in conjunction with Filter Lists, network administrators can control the types of traffic that each user can send and receive. By setting Filter Lists, administrators can be assured that only appropriate traffic types are being sent across the network.
• Multiple Types of Authentication
  In addition to supporting secure access method via SSL, the Xirrus Array simultaneously supports Authentication using IEEE 802.1x. Xirrus products enable multiple authentication methods providing the maximum amount of flexibility to the end user and to the network administrator.

Theory of Operation

WPR displays a splash or login page when a user associates to the wireless network and opens a browser to any URL. The user-requested URL is captured, the user's browser is redirected to the splash or login page, and then the browser is redirected either to the specified landing page, if any, or back to the captured URL. The users can be directed to a splash/login page that resides internally on the Array or externally on a web server.

Internal Login/Splash

The internal login feature displays a login page or splash screen residing on the Array instead of the first user requested URL. For Internal there are two modes:

• Internal Splash
  Displays a splash page instead of the first user-requested URL. The splash page files reside on the Array. This mode can also be configured to simply redirect the user to a specified landing page without presenting the splash page.
• Internal Login
  Displays a login page instead of the first user-requested URL. The login page resides on the Array. Internal Login requires the use of a RADIUS server to authenticate the user. The RADIUS server can reside internally on the Array or can be an external server that is reachable from the Array.

Figure 1: WPR operation diagram

External

The external login feature redirects the user to a login page that resides on an external web server for authentication, instead of the first user-requested URL. The external login page will collect the username and password and then pass the credentials back to the Array for authentication. The Array then sends the username and password to the internal or external RADIUS server to verify user authentication. If authentication is successful, the browser is redirected back to the user-requested URL or to a specific landing page instead (entered in the WMI as the “WPR Landing Page URL”).

Figure 2: External Login Configuration

Configuration

Web Page Redirect can be set for a specific SSID or just for a specific User Group. Each User Group will use the Internal Splash/Login screen of its associated SSID, however each SSID can have its own Landing Page.

The following chart contains a list of possible use cases and features that are supported in each case. To configure a feature on a particular use case, refer to the step numbers under the feature. For example, to configure registered user login with external radius, follow steps 1, 2, and 3b.

[Chart: use cases (Guest Login, Registered User Login, Splash Page, Landing Page Only) against features (External Web Server, External RADIUS, Internal RADIUS, Landing Page, Custom Redirect Page (see Customizing WPR Files)), with the applicable step numbers in each cell.]

Web Page Redirect Configuration Using the Web Management Interface (WMI)

(Note: In order for WPR to work correctly, the Array must be able to resolve DNS. Please make sure that a DNS server is defined and reachable from the Array.)

1. WPR is enabled under the SSID / SSID Management screen. Enable WPR by selecting the WPR check box for the appropriate SSID. When enabled, a new WPR section appears at the bottom of the configuration screen.

2. In most cases you will uncheck the Global setting to configure authentication on a per SSID basis.

3. For Internal Login, the login page obtains the user name and password and authenticates the credentials. The login page resides internally on the Array, however the authentication can take place against either an internal or external RADIUS server. You can create a single Guest username/password, or create a username for individual users. To customize the login page, see Customizing WPR Files.

   a. Internal RADIUS Server:
      • Select Internal Login
      • Define a landing page to redirect user to after login is successful. (Optional)
      • Choose HTTPS On or Off (Note: if this is turned off, the username and password will be sent as clear text).
      • Select Internal Radius Server
      • Click Apply
      • Configure username and password on Array Internal Radius server settings under Security -> Internal Radius

   b. External RADIUS Server:
      • Select Internal Login
      • Define a landing page to redirect user to after login is successful. (Optional)
      • Choose HTTPS On or Off (Note: if this is turned off, the username and password will be sent as clear text).
      • Select External Radius Server
      • Enter the External Radius Server settings
      • Select RADIUS Authentication Type
      • Click Apply

4. For Internal Splash screen, the Array presents the user with a web page containing Terms of Usage, advertising, or simply redirects the user to another web page. Following steps present the user with a default splash page. To customize the splash page, see Customizing WPR Files.

   a. Internal Splash with no timeout (splash page is presented until user clicks proceed):
      • Select Internal Splash
      • Set Timeout to Never
      • Define a landing page to redirect user to after login is successful (Optional)
      • Click Apply

   b. Internal Splash with timeout (splash page is presented for defined number of seconds, user is then redirected to landing page):
      • Select Internal Splash
      • Set Timeout to desired value
      • Define a landing page to redirect user to after login is successful
      • Click Apply

   c. No Splash, Landing page only (user is redirected to landing page without presenting a splash page beforehand):
      • Select Internal Splash
      • Set Timeout value to 1
      • Define a landing page to redirect user to
      • Click Apply

5. For External mode, the login page resides on an external web server. The external web server must be capable of executing perl scripts and the Xirrus provided wpr.cgi, wpr.pl, and hs.css files need to be loaded. See External Web Server Setup and Customizing WPR Files.

   a. External Redirect with Internal Radius (Web page resides on external server, authentication is handled by Array's Internal Radius):
      • Select External
      • Enter Redirect URL. This is the URL or IP address of the external web server.
      • Enter the Redirect Secret. This is the secret passphrase defined in the .cgi file that resides on the external web server. This is NOT the Radius Secret.
      • Select Radius Authentication Type
      • Select Internal Radius Server
      • Click Apply
      • Configure username and password on Array Internal Radius server settings under Security -> Internal Radius

   b. External Redirect with External Radius (Web page resides on external server, authentication is handled by external Radius server):
      • Select External
      • Enter Redirect URL. This is the URL or IP address of the external web server.
      • Enter the Redirect Secret. This is the secret passphrase defined in the .cgi file that resides on the external web server. This is NOT the Radius Secret.
      • Select Radius Authentication Type
      • Select External Radius Server
      • Click Apply

6. For customizing WPR Files, there are three main files used by the Array to display the WPR splash and login pages. Two of these files are used in adjusting the look and feel of each page. Users can edit these files to customize their splash and login pages to fit the client's needs and then upload them to the Array. Some knowledge of html is preferred before attempting to edit these files.

   wpr.pl

   The wpr.pl file contains the html code that is responsible for displaying both the login and the splash screens presented by the Array. The file is actually a list of variables that are accessed by a perl cgi script that is executed on the Array when a user is redirected to a splash or login screen. When the perl script is executed, the cgi file looks into this file to build the html page that is presented to the user. Editing the wpr.pl file can customize your splash and login screens.

   When editing the value of the variables, remember that all text that is placed inside of quotes denotes the value of the variable. Quotes inside of the quotes that denote the value of the variable must be escaped. If you are inserting html that has quotes in it, you must escape the quotes with the \ character. For example:

      $html_head_metatags = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf8\">";

   There are 5 major sections to pay close attention to when editing this file:

   a. $html_head_css – This variable defines the cascading style sheet (css) that will be used to define the default colors, fonts, header styles, etc. By default this is set to the default hs.css.
   b. $html_body_top – This variable defines the html code that is responsible for displaying the top of the splash/login page. Changes that need to be made to this section of the splash/login screen can be defined here.
   c. $html_body_bottom – This variable defines the html code that is responsible for displaying the bottom of the splash/login page.
   d. $html_splash – This variable defines the html code that will be presented between the body top and the body bottom when in Internal Splash mode, e.g. terms and conditions, proceed button.
   e. $html_login – This variable defines the html code that will be presented between the body top and the body bottom when in Internal or External Login mode, e.g. Username/Password boxes.

   hs.css

   The hs.css file is a cascading style sheet that can be used to set default html settings that are applied to the entire splash/login page. A cascading style sheet (css) is typically used in defining global settings that would apply to any page in which the css is called. For instance, a user may choose to have a default text or background color that would apply to the body section of a web page. You may also modify the default font size for certain head types or title lines.

   After customizing files to change the look and feel of the Splash or Login page, you must load the pages on the Array in order for your changes to take effect. Each SSID that has WPR enabled may have its own page. For example, if the SSID is named Public, the default wpr.pl should be modified as desired and renamed to wpr-Public.pl. If you modify and upload files named wpr.pl and hs.css, they will replace the factory default files and will be used for any SSID that does not have its own custom files. These files can be uploaded in the Tools/System Tools page. From this page you can also list all WPR files that currently reside on the Array and remove them as well.

7. Uploading Files
   a. Enter the filename and directory location (or click Browse to locate the splash/login page files). Custom files for a specific SSID must be named based on the SSID name, per the naming convention just described.
   b. Click on the Upload button to upload the new files to the Array.
   c. In order for your changes to take effect, you must reboot the Array.

8. Removing Files
   a. Use the List Files button to show you a list of files that have been saved on the Array for WPR.
   b. Enter the name of the WPR file you want to remove.
   c. Click on the Delete button.
   d. Reboot to make your changes take effect.

External Web Server Requirements

In some cases it can be advantageous to host the login page on an external web server. One advantage to this is that if a change is made to the Login page, you do not need to populate that change to every Array that is performing the WPR. Also, hosting the page on an external web server can give the customer more flexibility and control over the cgi script and even allow for the use of PHP or ASP as the backend scripting language. These are advanced options that may require an advanced level of expertise and knowledge.

• Web server that is capable of executing PERL cgi scripts when using the cgi file provided by Xirrus.
• All commercially available web servers with PERL support should work. (Apache, IIS, etc.)
• Web server must be reachable from the Array.

Integrating with IIS 7 on Windows 2008 Server

1. Add IIS as a role through Server Manager if it has not been enabled already.

2. Download and Install ActivePerl for Windows: http://www.activestate.com/activeperl/

3. Create a handler mapping that associates "*.pl" requests with ActiveState's perlex30.dll extension using the following steps:
   a. Open Internet Information Services (IIS) Manager
   b. In the left hand pane of IIS Manager, select your server. This will apply the following handler mappings on the entire server.
   c. In the center pane, double click on the Handler Mappings icon.
   d. When the Handler Mappings pane is displayed, click on the "Add Module Mapping..." item in the Actions pane on the right. Fill out the Add Module Mapping dialog as follows:
      • For Request Path, enter "*.cgi" (without the quotes).
      • For Module, select "IsapiModule" from the dropdown list. Note that the ISAPI module is a prerequisite. If it does not show up on this list, it will need to be installed as an IIS optional component.
      • For Executable, enter "c:\perl\bin\perl.exe %s %s" (without the quotes.) Note that this assumes that you've installed ActiveState Perl using its default location. If you installed it in another location, you will need to look there for perl.exe.
      • For Name, enter "ActiveState Perl for .cgi" (without the quotes). Note that this name is just a label and does not affect functionality. It does need to be unique, though. If you are going to be associating other file extensions with ActiveState Perl, the names for those mappings will need to be different.

4. In most cases you will want to create a virtual directory under the Default Web Site in IIS Manager. Do this by right clicking on the Default Web Site in the left hand side of the IIS Manager and choose Virtual Directory. Create an alias for this directory and define a physical path where the cgi files are located. IIS by default creates a folder C:\inetpub\wwwroot. This is the directory where you will place the wpr.cgi and all dependent files to demonstrate basic functionality.

5. Place the wpr.cgi, wpr.pl, hs.css, and any image files in the folder pointed to by your new virtual directory. Sample files can be found: http://support.xirrus.com

6. The wpr.cgi file is the main perl script that is responsible for building the splash/login page. This script also handles all of the backend data execution such as presenting a splash or login page to the user, gathering username/password parameters, and passing a user's response to the Array for authentication and network access. By default, the wpr.cgi file is written to support Linux based operating systems. There are 3 items in the wpr.cgi file that need to be adjusted to support IIS 7.

   • Change the first line in the file, #!/usr/bin/perl, to the path in which the perl.exe file resides on your server:
        #!c:\perl\bin\perl.exe
   • Change the image path to reflect the image path in your virtual directory:
        $imagepath = "../icons/";
   • Change the location of the wpr.pl file to match where you have placed it on your server:
        require '../htdocs/icons/wpr.pl';

   Please note that the $imagepath and require elements are relative to the directory in which the wpr.cgi file is located. For example, if the wpr.cgi file is located in C:\inetpub\wwwroot\iiswpr\, then $imagepath="../icons/" would refer to images that have been placed in C:\inetpub\wwwroot\icons.

7. Restart IIS.
Tips and Recommendations

1. If possible, set up WPR without NAT.
   a. NAT results in significant performance drop
   b. Alleviates having to worry about routing configuration issues

2. Whenever possible, use a DHCP server external to the Array for uniform addressing across multiple Arrays.

3. The User requested URL must be properly resolved via DNS for WPR to work properly. If the URL is not resolved, the splash or login screen will never be displayed.

4. When editing hs.css and wpr.pl files, use an editor such as Word Pad. Be careful to not use programs that alter the carriage return character such as Notepad.

5. By default, WPR only supports the English character set. To enable a different language set, follow the steps below:
   a. An External web server must be used. This is because the file that needs to be changed to see the foreign language sentences is wpr.cgi and is not accessible in the Array. In the Array this file is built dynamically each time the Array is booted.
   b. On the external web server, you will need files that can be found on the Xirrus support site.
   c. In the wpr.pl file, the following change is required to see foreign language characters:

      # Meta Tags
      $html_head_metatags = "
      <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">
      <meta http-equiv=\"Cache-control\" content=\"no-cache\">
      <meta http-equiv=\"Pragma\" content=\"no-cache\">";

      You must also change:
         content=\"text/html; charset=utf-8\">
      to
         content=\"text/html\">
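
A pre-upload check for a customized wpr.pl, added here as an example (Python, not Xirrus code): it applies the file-naming rule, the quote-escaping rule from Customizing WPR Files, and the tip about editors that alter carriage returns, because uploaded changes only take effect after the Array reboots. The function name, the finding strings and the sample file contents are constructed for illustration, and SSID names are assumed to match exactly.

```python
import re

# The five variables the note lists for wpr.pl.
REQUIRED = ("html_head_css", "html_body_top", "html_body_bottom",
            "html_splash", "html_login")
START = re.compile(r'^\$(\w+)\s*=\s*"', re.M)  # start of: $name = "
# Whole assignment: value with \" and \\ escapes, closing quote, then ';'
VALUE = re.compile(r'\$\w+\s*=\s*"(?:[^"\\]|\\.)*"\s*;', re.S)


def lint_wpr(filename, data, ssids):
    """Return findings for a customized wpr.pl (bytes) before upload.

    ssids is the set of SSID names with WPR enabled; the caller supplies it.
    """
    findings = []

    # wpr.pl replaces the default file; wpr-<SSID>.pl applies to one SSID.
    m = re.fullmatch(r"wpr(?:-(.+))?\.pl", filename)
    if not m:
        findings.append("name: expected wpr.pl or wpr-<SSID>.pl")
    elif m.group(1) and m.group(1) not in ssids:
        findings.append(f"name: no SSID named {m.group(1)!r}")

    # Editors that rewrite line endings leave carriage returns in the file.
    if b"\r" in data:
        findings.append("line endings: carriage return characters present")

    text = data.decode("utf-8", errors="replace")
    seen = set()
    for start in START.finditer(text):
        name = start.group(1)
        seen.add(name)
        # An unescaped quote inside the HTML ends the Perl string early, so
        # the text after it is not ';' and the full-assignment match fails.
        if not VALUE.match(text, start.start()):
            line = text.count("\n", 0, start.start()) + 1
            findings.append(f"quoting: ${name} at line {line} has an "
                            "unescaped quote or no closing quote and ';'")
    findings += [f"missing: ${n}" for n in REQUIRED if n not in seen]
    return findings


# Constructed sample content, not the Xirrus files.
GOOD = b"\n".join([
    rb'$html_head_css = "<link rel=\"stylesheet\" href=\"hs.css\">";',
    rb'$html_body_top = "<div id=\"top\">";',
    rb'$html_body_bottom = "</div>";',
    rb'$html_splash = "<p>Terms and conditions</p>";',
    rb'$html_login = "<form method=\"post\">";',
]) + b"\n"
# Saved with CRLF endings, an unescaped quote in $html_splash, no $html_login.
BAD = b"\r\n".join([
    rb'$html_head_css = "<link rel=\"stylesheet\" href=\"hs.css\">";',
    rb'$html_body_top = "<div id=\"top\">";',
    rb'$html_body_bottom = "</div>";',
    rb'$html_splash = "<p class="terms">Terms and conditions</p>";',
]) + b"\r\n"

if __name__ == "__main__":
    print(lint_wpr("wpr-Public.pl", GOOD, {"Public"}))  # no findings
    for finding in lint_wpr("wpr-Guest.pl", BAD, {"Public"}):
        print(finding)
```

The check is textual only; running `perl -c` on the file as well catches syntax errors this pattern match does not model.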