How do I use an internally hosted splash page with RADIUS authentication?
- Datto Network Manager
An internally-hosted splash page lets you supply, via CloudTrax, the HTML for a splash page that is hosted on the Access Point itself. Internally-hosted splash pages may be edited via a WYSIWYG editor from within CloudTrax; the HTML is then loaded onto the Access Point by CloudTrax and will be presented to the user when authentication is required.
When combined with RADIUS Authentication, CloudTrax will consult an external RADIUS server that you specify in order to determine whether to authenticate a user.
This walk-through shows you how to configure CloudTrax to use an internally-hosted splash page with an external RADIUS server to handle authentication.
Configure the RADIUS Server
The first step is to configure a RADIUS server that will be accessible from the Access Points on your network. The following steps will be required; the particular details will depend on which RADIUS server you are using.
- Set up the RADIUS server. If you already have a configured RADIUS server, then you may use it without configuring another server. Common RADIUS servers are available from the FreeRADIUS project, and with Microsoft Windows Server.
- Configure the RADIUS server to provide access for the Users that you wish to be able to authenticate. At minimum, you'll need to provide a User Name and Password for each. Optionally, for each user, you may configure the maximum upload and download bandwidth and a session timeout; these are set using the attributes WISPr-Bandwidth-Max-Up, WISPr-Bandwidth-Max-Down, and SESSION_TIMEOUT, respectively.
- Note the IP address (or Hostname) and the secret of the RADIUS server. These will be needed in the steps below.
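To check that the server really returns the per-user limits and that the secret you noted is the right one, the added example below (not part of the original article, and not Datto or FreeRADIUS code) verifies and decodes a RADIUS Access-Accept reply. It assumes the standard RFC 2865 packet layout, the WISPr vendor number 14122 with vendor types 7 and 8, and that the article's SESSION_TIMEOUT is the RFC 2865 Session-Timeout attribute (27); the packet, secret and values are constructed samples.

```python
import hashlib, hmac, struct

# Assumptions (not from the article): RFC 2865 packet layout; WISPr vendor
# number 14122 with vendor types 7/8; SESSION_TIMEOUT = Session-Timeout (27).
ACCESS_ACCEPT, VENDOR_SPECIFIC, SESSION_TIMEOUT = 2, 26, 27
WISPR_VENDOR = 14122
WISPR_NAMES = {7: "WISPr-Bandwidth-Max-Up", 8: "WISPr-Bandwidth-Max-Down"}

def _attr(attr_type, value):
    """Encode one type-length-value attribute."""
    return bytes([attr_type, len(value) + 2]) + value

def build_accept(ident, request_auth, secret, timeout, max_up, max_down):
    """Construct a sample Access-Accept, standing in for a real server reply."""
    attrs = _attr(SESSION_TIMEOUT, struct.pack("!I", timeout))
    for vtype, val in ((7, max_up), (8, max_down)):
        vsa = struct.pack("!I", WISPR_VENDOR) + _attr(vtype, struct.pack("!I", val))
        attrs += _attr(VENDOR_SPECIFIC, vsa)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(code, id, length, request auth, attrs, secret)
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def parse_accept(packet, request_auth, secret):
    """Verify the reply against the shared secret, then return per-user limits."""
    if len(packet) < 20 or struct.unpack("!BxH", packet[:4]) != (ACCESS_ACCEPT, len(packet)):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret?)")
    limits, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr_type, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if attr_type == SESSION_TIMEOUT and len(value) == 4:
            limits["Session-Timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and len(value) == 10:
            vendor, vtype, _vlen, number = struct.unpack("!IBBI", value)
            if vendor == WISPR_VENDOR and vtype in WISPR_NAMES:
                limits[WISPR_NAMES[vtype]] = number
        i += attrs[i + 1]
    return limits

# Constructed sample: request authenticator, secret and limits are made up.
SAMPLE_AUTH, SAMPLE_SECRET = bytes(range(16)), b"example-secret"
SAMPLE_PACKET = build_accept(1, SAMPLE_AUTH, SAMPLE_SECRET, 3600, 512000, 2048000)
if __name__ == "__main__":
    print(parse_accept(SAMPLE_PACKET, SAMPLE_AUTH, SAMPLE_SECRET))
```

A reply that fails the authenticator check was either built with a different secret or altered in transit, and its attributes should not be trusted.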
The splash page and authentication are specified separately in CloudTrax for each SSID.
- Select Configure -> SSID 1 (or specify a different SSID number if you want to use a different SSID).
- Select "Custom" for the type of Splash Page
- Select Edit Splash Page and edit the splash page as needed. Be sure to include the existing form for RADIUS Access. You may change the form heading and prompt, but you must leave the form controls unchanged.
Figure 1: RADIUS access
- Save the Splash Page
- Select RADIUS for Splash Page Authentication
- Enter the IP Address or Hostname of your RADIUS server under Server Address 1. If you have a secondary/backup RADIUS server you may enter it for Server Address 2.
- Enter the server secret for your RADIUS server under Server Secret. A RADIUS server limits access to only those knowing its secret.
- If a NAS ID is required in your usage, enter it as well. A NAS ID may be used to pass additional information about an authentication request to the RADIUS server.
- Normally, after a user is successfully authenticated they will be taken to the web-page that triggered the splash page. If instead you would like them to be taken to a common completion page, you may enter an explicit Redirect URL.
- The setting "Block duration of XX minutes" specifies how often the password challenge is cycled. We suggest setting this to at least 10 minutes; otherwise, passwords may be decrypted incorrectly.
- Save changes to the SSID configuration.
Test the Configuration
The splash page and RADIUS configuration are now complete. Unauthenticated users should be presented with the splash page. The User Name and Password they enter into the splash page form will be authenticated against the RADIUS server. Only those users successfully authenticated by the RADIUS server will be allowed access to the Internet.
Note that in the case of a server configuration or runtime error, CloudTrax is designed to fail-safe: if the specified RADIUS server cannot be reached, or is not configured correctly, the user will be given access for a period of time. In security terms this is fail-open behavior: while the RADIUS server is unreachable or misconfigured, users get access without being authenticated, so monitor the server's availability and configuration accordingly.