Using an externally-hosted splash page with RADIUS authentication

Topic

This article describes how to set up and edit an externally-hosted splash page that uses a RADIUS server for user authentication.

Environment

Datto Network Manager

Description

A splash page is the page users will land on when they access the web through your network. This article shows you how to set up and edit a splash page, set up authentication on an external server, and host the page on a web server that you define.

Internal vs. external splash page hosting

An externally-hosted splash page gives you full control over its sequencing and presentation of a splash page. It must respond to messages from your network's access point to present the correct user interface during authentication.
Internally-hosted splash pages are hosted on your Datto Access Point. They are simpler to set up and configure but provide less flexibility.

Procedure

When combined with RADIUS Authentication, Datto Network Manager will consult an external RADIUS server that you specify to determine whether to authenticate the user. The external splash page defines the interface presented to the user.

This article shows how to configure Network Manager for a minimal external splash page implementation, written in PHP. You can customize the generated HTML or rewrite the external splash page in a language of your choice.

Configure the RADIUS Server

The RADIUS server is the external server that handles authentication for your website. When users log in, your splash page will communicate with the RADIUS server to verify user identity. You must set up the RADIUS server before following the steps below.

If you already have a configured RADIUS server, you may use it without configuring another server.

Standard RADIUS servers are available from the FreeRADIUS project (external link) and within Microsoft Windows Server.

The RADIUS server is not part of the Datto Networking suite; you must set up your RADIUS server according to the instructions provided by its vendor.

1. In the Navigation menu, select the SSID you are using.

Figure 1: The Navigation window

2. Configure the RADIUS server to provide access for the users that you wish to be able to authenticate. At a minimum, you must provide a username and password for each.

You can also configure the maximum upload and download bandwidth and session timeout length for each user. These values are set using the attributes WISPr-Bandwidth-Max-Up, WISPr-Bandwidth-Max-Down, and SESSION_TIMEOUT.

3. Note the IP address (or Hostname) and the secret of the RADIUS server; you will need these values in the steps below.

Configure the external splash page server

The external splash page server is the machine that stores your splash page. The access points on your network must be able to access the splash page server.

The following steps outline the configuration procedure, but the particular details will depend on your web hosting environment.

1. Set up the web server

2. Install the attached PHP file (splash.php), so the web server will serve it in response to a given URL.

3. Note the URL from step 2; you will need it in the steps below.

You may edit the PHP to meet your needs. You may want to do this only after you have a successfully operating solution.
The PHP code contains a secret that is shared with the Network Manager server, and which helps to protect the user's login information. You should change that secret and note it for use in the steps below.

Configure Datto Network Manager

The splash page and authentication are specified separately in CloudTrax for each SSID.

1. In the Datto Network Manager's navigation menu, select the SSID on which the splash page will operate (see Figure 1, above).

2. Click Captive Portal from the section options.

Figure 2: SSID section options

3. Under Splash Page Type, Select Hosted Remotely from the drop-down menu, then enter the splash page URL and the splash page secret from your web server's PHP code into the appropriate fields.

Figure 3: Splash page hosting options

Link the splash page with the RADIUS server

On Datto Network Manager's Splash Page Authentication card, configure the following settings:

Splash page authentication type: Select RADIUS from the drop-down menu.
Server address 1: Enter the IP address or hostname of the RADIUS server.
Server address 2: Enter the IP address or hostname of a secondary RADIUS server, if configured.
Server secret: Enter the secret the RADIUS server gave you after configuration.
NAS ID: A NAS ID may be used to pass additional information about an authentication request to the RADIUS server. If you have a NAS ID, enter it here.
Block clients after: Set how many password attempts a user gets before Network Manager blocks their username.
Block duration of: Specify the length of time to block a username. We suggest setting this to at least 10 minutes; otherwise, you may experience incorrectly decrypted passwords.

When finished, click the Save Changes button in the upper right-hand corner of the screen.

Figure 4: Splash page authentication

Test the Configuration

The external web server, Network Manager, and RADIUS configuration are now complete.

Unauthenticated users should see the splash page.
The User Name and Password users enter into the splash page form will be authenticated for the RADIUS server.
Only those users successfully authenticated by the RADIUS server will be allowed access to the Internet.

Fail-Safe Behavior

If a server configuration or runtime error occurs, Network Manager is designed to fail-safe. If Network Manager cannot reach the specified RADIUS server, it will give the user temporary access.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.