Xirrus Application Note WPR Final 011810

Application Note

Web Page Redirect

Application Note – Web Page Redirect

Rev 011810 2

Table of Contents Background............................................................................................................................... 3 Description................................................................................................................................ 3 Benefits...................................................................................................................................... 3 Theory of Operation ................................................................................................................. 4

Internal Login/Splash.............................................................................................................. 4 External .................................................................................................................................. 5

Configuration ............................................................................................................................ 5 Web Page Redirect Configuration Using the Web Management Interface (WMI) ................. 6

Tips and Recommendations.................................................................................................. 15


Rev 011810 3

Background Web Page Redirect (WPR) is an authentication technique which forces a client to view a special web page before accessing the network or Internet. This special web page can be used for several purposes:

• Authentication device wherein a user must enter a username and password before accessing network resources.

• To inform the user about the Terms and Conditions of using the network before allowing access.

• Captive Portal that can intercept a web page request by the client device and redirect them to a specific web page before accessing the network.

The most well known examples of WPR are in Wi-Fi hotspots such as a hotels or coffee shops. At a hotspot a user will typically associate to the wireless network, type the URL of a website, and then the service provider will redirect the user to special web page. This page will request the user to select a service plan, create a username and password, and enter a means to pay for the service. Once the user has been authenticated, the user can then be redirected back to the originally requested URL. Another common example is at a university where there are a large number of guest users. When a guest user accesses the network, a page may be presented describing the regulations of accessing the network as well as presenting key information such as a campus map and university phone numbers.

Description The Xirrus Wi-Fi Array implements Web Page Redirect (WPR) as a web-based means of authenticating users into the Wi-Fi network. The Array intercepts a user’s request for access and redirects the user to an authentication page or a splash screen. The Array provides a simple and free means of creating a captive portal. Web Page Redirect can be uniquely configured on a per SSID basis.

With the Xirrus Array, the screen presented to the user (e.g. the splash screen) can reside on the Array itself, or the Array can point a user to an external web server that hosts the landing page. Additionally, user authentication can be controlled by an internal RADIUS server that resides on each Array, or can be controlled by an external server on the network.

Benefits The main goal of WPR is to provide a secure mechanism for accessing an open wireless network and to provide a layer of security for guest access in wireless hotspot locations. Some of the key benefits of WPR are as follows:

• Home Page Redirection Once connected to the public access network, the Xirrus WPR feature intercepts the user’s requested URL and then directs the user to a web site to either securely sign up for service or


Rev 011810 4

login if they have a pre-existing account. When redirecting the customer to a new landing page, the original URL is passed as a parameter so the customer can still be directed to the requested URL after the local or personalized landing page has been presented.

• Multiple Types of Authentication

In addition to supporting secure access method via SSL, the Xirrus Array simultaneously supports Authentication using IEEE 802.1x. Xirrus products enable multiple authentication methods providing the maximum amount of flexibility to the end user and to the network administrator.

• Service Branding By allowing network owners to create a splash screen to promote their services, the Xirrus Array allows companies to better brand their name and create a stronger association with the customer.

• Service Tiering By using the WPR function in conjunction with User Groups, network administrators can offer different qualities of service to each user. By setting bandwidth limits and restrictions on when users can access the network, administrators have complete control over the end-user’s quality of experience.

• Traffic shaping By using WPR in conjunction with Filter Lists, network administrators can control the types of traffic that each user can send and receive. By setting Filter Lists, administrators can be assured that only appropriate traffic types are being sent across the network.

Theory of Operation WPR displays a splash or login page when a user associates to the wireless network and opens a browser to any URL. The user-requested URL is captured, the user’s browser is redirected to the splash or login page, and then the browser is redirected either to the specified landing page, if any, or back to the captured URL. The users can be directed to a splash/login page that resides internally on the Array or externally on a web server.

Internal Login/Splash The internal login feature displays a login page or splash screen residing on the Array instead of the first user requested URL. For Internal there are two modes:

• Internal Splash Displays a splash page instead of the first user-requested URL. The splash page files reside on the Array. This mode can also be configured to simply redirect the user to a specified landing page without presenting the splash page.

• Internal Login Displays a login page instead of the first user-requested URL. The login page resides on the Array. Internal Login requires the use of a RADIUS server to authenticate the user. The RADIUS server can reside internally on the Array or can be an external server that is reachable from the Array.


Rev 011810 5

Figure 1: WPR operation diagram

External The external login feature redirects the user to a login page that resides on an external web server for authentication, instead of the first user-requested URL. The external login page will collect the username and password and then pass the credentials back to the Array for authentication. The Array then sends the username and password to the internal or external RADIUS server to verify user authentication. If authentication is successful, the browser is redirected back to the user-requested URL or to a specific landing page instead (entered in the WMI as the “WPR Landing Page URL”).

Figure 2: External Login

Configuration


Rev 011810 6

The following chart contains a list of possible use cases and features that are supported in each case. To configure a feature on a particular use case, refer to the step numbers under the feature. For example, to configure registered user login with external radius, follow steps 1, 2, and 3b.

Internal RADIUS

External RADIUS

Landing Page

Custom Redirect Page (see Customizing WPR Files)

Guest Login 1, 2, 3a 1, 2, 3b 1, 2, 3a or 3b 1, 2, 3a or 3b, 6, 7

Registered User Login 1, 2, 3a 1, 2, 3b 1, 2, 3a or 3b 1, 2, 3a or 3b, 6, 7

Splash Page 1, 2, 4a or 4b 1, 3, 4a or 4b

Landing Page Only 1, 2, 4c 1, 2, 4c

External Web Server 1, 2, 5a 1, 2, 5b 1, 2, 5a or 5b 1, 2, 5a or 5b, 6, 7, 8

Web Page Redirect Configuration Using the Web Management Interface (WMI) (Note: In order for WPR to work correctly, the Array must be able to resolve DNS. Please make sure that a DNS server is defined and reachable from the Array.)

1. Web Page Redirect can be set for a specific SSID or for just for a specific User Group. Each User Group will use the Internal Splash/Login screen of its associated SSID, however each SSID can have its own Landing Page. WPR is enabled under the SSID / SSID Management screen.

2. Enable WPR by selecting the WPR check box for the appropriate SSID. In most cases you will uncheck the Global setting to configure authentication on a per SSID basis.

When enabled, a new WPR section appears at the bottom of the configuration screen.

3. For Internal Login, the login page obtains the user name and password and authenticates the credentials. The login page resides internally on the Array, however the authentication can take place against either an internal or external RADIUS server. You can create a single Guest


Rev 011810 7

username/password, or create a username for individual users. To customize the login page, see Customizing WPR Files.

a. Internal RADIUS Server:

• Select Internal Login • Define a landing page to redirect user to after login is successful. (Optional) • Choose HTTPS On or Off (Note: if this is turned off, the username and password

will be sent as clear text). • Select Internal Radius Server • Click Apply • Configure username and password on Array Internal Radius server settings

under Security -> Internal Radius

b. External RADIUS Server:

• Select Internal Login • Define a landing page to redirect user to after login is successful. (Optional) • Choose HTTPS On or Off (Note: if this is turned off, the username and password

will be sent as clear text). • Select External Radius Server • Enter the External Radius Server settings • Select RADIUS Authentication Type • Click Apply

4. For Internal Splash screen, the Array presents the user with a web page containing Terms of

Usage, advertising, or simply redirects the user to another web page. Following steps present the user with a default splash page. To customize the splash page, see Customizing WPR Files.

a. Internal Splash with no timeout (splash page is presented until user clicks proceed):


Rev 011810 8

• Select Internal Splash • Set Timeout to Never • Define a landing page to redirect user to after login is successful (Optional) • Click Apply

b. Internal Splash with timeout (splash page is presented for defined number of seconds,

user is then redirected to landing page):

• Select Internal Splash • Set Timeout to desired value • Define a landing page to redirect user to after login is successful • Click Apply

c. No Splash, Landing page only (user is redirected to landing page without presenting a splash page beforehand):

• Select Internal Splash • Set Timeout value to 1 • Define a landing page to redirect user to • Click Apply

5. For External mode, the login page resides on an external web server. The external web server

must be capable of executing perl scripts and the Xirrus provided wpr.cgi, wpr.pl, and hs.css files need to be loaded. See External Web Server Setup and Customizing WPR Files.


Rev 011810 9

a. External Redirect with Internal Radius (Web page resides on external server, authentication is handled by Array’s Internal Radius):

• Select External • Enter Redirect URL. This is the URL or IP address of the external web server. • Enter the Redirect Secret. This is the secret passphrase defined in the .cgi file

that resides on the external web server. This is NOT the Radius Secret. • Select Radius Authentication Type • Select Internal Radius Server • Click Apply • Configure username and password on Array Internal Radius server settings

under Security -> Internal Radius

b. External Redirect with External Radius (Web page resides on external server, authentication is handled by external Radius server):

• Select External • Enter Redirect URL. This is the URL or IP address of the external web server. • Enter the Redirect Secret. This is the secret passphrase defined in the .cgi file

that resides on the external web server. This is NOT the Radius Secret. • Select Radius Authentication Type • Select External Radius Server • Click Apply

6. For customizing WPR Files, there are three main files used by the Array to display the WPR

splash and login pages. Two of these files are used in adjusting the look and feel of each page. Users can edit these files to customize their splash and login pages to fit the client’s needs and then upload them to the Array. Some knowledge of html is preferred before attempting to edit these files.


Rev 011810 10

wpr.pl

The wpr.pl file contains the html code that is responsible for displaying both the login and the splash screens presented by the Array. The file is actually a list of variables that are accessed by a perl cgi script that is executed on the Array when a user is redirected to a splash or login screen. When the perl script is executed, the cgi file looks into this file to build the html page that is presented to the user.

Editing the wpr.pl file can customize your splash and login screens. When editing the value of the variables, remember that all text that is placed inside of quotes denotes the value of the variable. If you are inserting html that has quotes in it, you must escape the quotes with the \ character. For example:

$html_head_metatags = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">"; Quotes inside of the quotes that denote the value of the variable must be escaped.

There are 5 major sections to pay close attention to when editing this file

a. $html_head_css – This variable defines the cascading style sheet (css) that will be used to define the default colors, fonts, header styles, etc. By default this is set to the default hs.css.

b. $html_body_top – This variable defines the html code that is responsible for displaying the top of the splash/login page. Changes that need to be made to this section of the splash/login screen can be defined here.

c. $html_body_bottom – This variable defines the html code that is responsible for displaying the bottom of the splash/login page.

d. $html_splash – This variable defines the html code that will be presented between the body top and the body bottom when in Internal Splash mode, e.g., terms and conditions, proceed button.


Rev 011810 11

e. $html_login – This variable defines the html code that will be presented between the body top and the body bottom when in Internal or External Login mode, e.g., Username/Password boxes.

hs.css

The hs.css file is a cascading style sheet that can be used to set default html settings that are applied to the entire splash/login page. A cascading style sheet (css) is typically used in defining global setting that would apply to any page in which the css is called. For instance, a user may choose to have a default text or background color that would apply to the body section of a web page. You may also modify the default font size for certain head types or title lines.

7. After customizing files to change the look and feel of the Splash or Login page, you must load the pages on the Array in order for your changes to take effect. These files can be uploaded in the Tools/System Tools page. From this page you can also list all WPR files that currently reside on the Array and remove them as well.

Each SSID that has WPR enabled may have its own page. Custom files for a specific SSID must be named-based on the SSID name. For example, if the SSID is named Public, the default wpr.pl should be modified as desired and renamed to wpr-Public.pl. If you modify and upload files named wpr.pl and hs.css, they will replace the factory default files and will be used for any SSID that does not have its own custom files, per the naming convention just described.

Uploading Files

a. Enter the filename and directory location (or click Browse to locate the splash/login page files).

b. Click on the Upload button to upload the new files to the Array.

c. In order for your changes to take effect, you must reboot the Array.

Removing Files

a. Use the List Files button to show you a list of files that have been saved on the Array for WPR.

b. Enter the name of the WPR file you want to remove.


Rev 011810 12

c. Click on the Delete button.

d. Reboot to make your changes take effect.

8. In some cases it can be advantageous to host the login page on an external web server. One advantage to this is that if a change is made to the Login page, you do not need to populate that change to every Array that is performing the WPR. Also, hosting the page on an external web server can give the customer more flexibility and control over the cgi script and even allow for the use of PHP or ASP as the backend scripting language. These are advanced options that may require an advanced level of expertise and knowledge.

External Web Server Requirements • Web server that is capable of executing PERL cgi scripts when using the cgi file provided by

Xirrus.

• Web server must be reachable from the Array.

• All commercially available web servers with PERL support should work. (Apache, IIS, etc.)

Integrating with IIS 7 on Windows 2008 Server

1. Add IIS as a role through Server Manager if it has not been enabled already.

2. Download and Install ActivePerl for Windows: http://www.activestate.com/activeperl/

3. Create a handler mapping that associates "*.pl" requests with ActiveState's perlex30.dll extension using the following steps:

a. Open Internet Information Services (IIS) Manager


Rev 011810 13

b. In the left hand pane of IIS Manager, select your server. This will apply the following handler mappings on the entire server. In the center pane, double click on the Handler Mappings icon.

c. When the Handler Mappings pane is displayed, click on the "Add Module Mapping..." item in the Actions pane on the right.

d. Fill out the Add Module Mapping dialog as follows:

• For Request Path, enter "*.cgi" (without the quotes).

• For Module, select "IsapiModule" from the dropdown list. Note that the ISAPI module is a prerequisite. If it does not show up on this list, it will need to be installed as an IIS optional component.

• For Executable, enter "c:\perl\bin\perl.exe %s %s" (without the quotes.) Note that this assumes that you've installed ActiveState Perl using its default location. If you installed it in another location, you will need to look there for perl.exe.

• For Name, enter "ActiveState Perl for .cgi" (without the quotes). Note that this name is just a label and does not affect functionality. It does need to be unique, though. If you are going to be associating other file extensions with ActiveState Perl, the names for those mappings will need to be different.

4. IIS by default creates a folder C:\inetpub\wwwroot. This is the directory where you will place the wpr.cgi and all dependant files to demonstrate basic functionality. In most cases you will want to create a virtual directory under the Default Web Site in IIS Manger. Do this by right clicking on the Default Web Site in the left hand side of the IIS Manger and choose Virtual Directory. Create an alias for this directory and define a physical path where the cgi files are located.


Rev 011810 14

5. Place the wpr.cgi, wpr.pl, hs.css, and any image files in the folder pointed to by your new virtual directory. Sample files can be found: http://support.xirrus.com

6. By default, the wpr.cgi file is written to support Linux based operating systems. There are 3 items in the wpr.cgi file that need to be adjusted to support IIS 7.

• Change the first line in the file, #!/usr/bin/perl, to the path in which the perl.exe file resides on you server #!c:\perl\bin\perl.exe.

• Change the image path to reflect the image path in your virtual directory: $imagepath = "../icons/";

• Change the location of the wpr.pl file to match where you have placed it on your server: require '../htdocs/icons/wpr.pl';

• Please note that the $imagepath and require elements are relative to the directory in which the wpr.cgi file is located. For example, if the wpr.cgi file is located in C:\inetpub\wwwroot\iiswpr\, then $imagepath=”../icons/” would refer to images that have been placed in C:\inetput\wwwroot\icons.

• The wpr.cgi file is the main perl script that is responsible for building the splash/login page. This script also handles all of the backend data execution such as presenting a splash or login page to the user, gathering username/password parameters, and passing a user’s response to the Array for authentication and network access.

7. Restart IIS.


Rev 011810 15

Tips and Recommendations

1. Whenever possible, set up WPR without NAT.

a. NAT results in significant performance drop b. Alleviates having to worry about routing configuration issues

2. If possible, use a DHCP server external to the Array for uniform addressing across multiple

Arrays.

3. The User requested URL must be properly resolved via DNS for WPR to work properly. If the URL is not resolved, the splash or login screen will never be displayed.

4. When editing hs.css and wpr.pl files, use an editor such as Word Pad. Be careful to not use programs that alter the carriage return character such as Notepad.

5. By default, WPR only supports the English character set. To enable a different language

set, follow the steps below:

a. An External web server must be used. This is because the file that needs to be changed to see the foreign language sentences is wpr.cgi and is not accessible in the Array. In the Array this file is built dynamically each time the Array is booted.

b. On the external web server, you will need files that can be found on the Xirrus support site.

c. In the wpr.pl file, the following change is required to see foreign language characters:

# Meta Tags $html_head_metatags = " <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"> <meta http-equiv=\"Cache-control\" content=\"no-cache\"> <meta http-equiv=\"Pragma\" content=\"no-cache\">";

You must also change: content=\"text/html; charset=utf-8\"> to content=\"text/html\">

Documents

Xirrus Application Note WPR Final 011810