Internally-Hosted Splash Page with RADIUS Authentication

Topic

This article describes the process for creating an internally-hosted splash page on an Access Point and configuring an external RADIUS server to handle authentication.

Environment

  • Datto Access Points
  • RADIUS Server

Description

You can use Datto Networking to create and upload a custom splash page to an Access Point, and use RADIUS technology to manage authentication.

Configure the RADIUS Server

You will need to configure a RADIUS server that can be reached by the Access Points on your network. The following steps are required; additional setup details will be specific to the type of RADIUS server you are using.

If you already have a configured RADIUS server, you may use it without configuring another server.
  1. Set up the RADIUS server. RADIUS servers are available from the FreeRADIUS project. Microsoft Windows Server includes RADIUS technology.
  2. Configure the RADIUS server to provide access for the users that you need to authenticate. You must provide a Username and Password for each.
    • You can also configure maximum upload and download bandwidth throttles for each user, as well as a session timeout, by modifying the attributes WISPr-Bandwidth-Max-Up, WISPr-Bandwidth-Max-Down, and SESSION_TIMEOUT.
  3. Note the IP address (or hostname) and the server secret of the RADIUS server. You will need them in the following steps.

Configuring the SSID in the Datto Networking Portal

The splash page and authentication are specified separately in the Datto Networking Portal for each SSID.

1. Navigate to a web session for your network and SSID.

2. Select Configure > SSID 1 (or specify a different SSID number to configure a different SSID).

Figure 1: Navigating to SSID

3. Navigate to the Captive Portal section, and select the Splash page toggle to enable the feature.

Figure 2: Splash page configuration

4. Select Custom for the Splash page type.

5. Select Edit Splash Page and edit the splash page as needed. Be sure to include the existing form for RADIUS Access. You may change the form heading and prompt, but you must leave the form controls unchanged.

Figure 3: RADIUS Access login

6. Save the Splash Page.

7. Select RADIUS for Splash Page Authentication.

Figure 4: SSID RADIUS configuration

8. Enter the IP Address or Hostname of your RADIUS server under Server Address 1. If you have a secondary/backup RADIUS server, you may enter it for Server Address 2.

9. Enter the server secret associated with your RADIUS server under Server Secret. This is defined during initial RADIUS configuration, and the server limits access to only those knowing its secret.

10. Enter a NAS ID as needed. A NAS ID may be used to pass additional information about an authentication request to the RADIUS server.

11. Enter values for the following Failed Authentication Block options:

  • Blocked after X invalid attempts: This will block a client after a set number of failed login attempts.
  • Block duration of X minutes: This specifies how often the password challenge is cycled. We suggest setting this to at least 10 minutes, otherwise you may experience passwords that are decrypted incorrectly.

12. The splash page will forcibly terminate a client session after a set period of activity. Enter, in minutes, the time when Client force timeout occurs.

13. Select the Require voucher toggle to ensure that only users that have a valid voucher can access splash pages.

14. Save changes to the SSID configuration.

Test the Configuration

At this stage, the splash page and RADIUS configuration are complete. Unauthenticated users should be presented with the splash page. The Username and Password they enter into the splash page form will be authenticated by the RADIUS server. Only those users successfully authenticated by the RADIUS server will be allowed access to the Internet.

Fail-Safe Behavior

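Note that in the case of a server configuration or runtime error, Datto Networking Cloud Management is designed to be fail-safe: if the specified RADIUS server cannot be reached, or is not configured correctly, the user will be given access for a period of time. In security terms this is fail-open behavior: while the RADIUS server is unavailable, users are given access without being authenticated. Select the toggle for Enable Failsafe Mode to turn this feature on, and leave it off on SSIDs where unauthenticated access during an outage is not acceptable.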