Firewall Friendly External Captive Portal support addresses customers who use a public cloud-based ECP. An ECP is a web server that hosts a site that allows users to authenticate to the network. The web server is not hosted on the wireless controller/AP. Instead, the wireless controller/AP intercepts some of the user’s HTTP messages and redirects them to the External Captive Portal web server.
Typically APs and wireless controller are located together behind a firewall. Increasingly, companies are turning to cloud-based firms to provide authentication services and related analytics. These firms typically are located on the unsecured side of the customer’s firewall (“outside”). These firms need a way for their staff and guests to authenticate against the cloud service without requiring extra ports be open in their firewall. The Firewall-Friendly External Captive Portal (FF-ECP), addresses this requirement for an enterprise’s wireless stations. If the ECP is Firewall Friendly, it can work with an AP (Series AP38xx and AP39xx) as well as a controller. Each AP in the deployment acts as redirector and web server. AP redirects traffic for clients that are associated on that AP.
ECP authentication involves filtering the traffic of unauthenticated stations. When the station sends HTTP traffic, its browser is redirected to a website where the station’s user can authenticate. The website is referred to as an ECP because it is located outside the wireless controller (which has its own ‘internal’ captive portal). The external captive portal authenticates the user in whatever way it sees fit, and then tells the controller/AP whether the user is authenticated and what policy to apply to the user’s session.

Controller configuration

The controller needs to be configured to redirect user HTTP traffic and it needs to be told where to redirect that traffic as well as how to listen for instructions sent to it by the External Captive Portal web server. Policy is used to cause the controller to redirect HTTP traffic. Controller WLAN Service configuration determines where the redirected traffic goes and how communication between the controller and the External Captive Portal takes place.
Prior to v10.11, traffic redirection was dependent on authentication state. Traffic of unauthenticated stations was redirected when:

  • It is blocked by a rule or default action in an access control role, and

  • The user that sent the traffic is in an unauthenticated state, and

  • The traffic is carried on a tunneled (Bridged at Controller, Routed) topology, and

  • Some type of captive portal authentication has been configured for the user’s WLAN Service, including a destination for redirected traffic.

Beginning with release v10.11, rule-based redirection is an option that requires explicit enablement for upgraded systems.


Roles define the access domain of users, and you can manage them by going to VNS in the main menu, and then clicking on Roles.
In this case, you have to create two different roles, one before and one after the authentication. "unauthenticated" and "Guest" roles.

Enable Rule Based redirection

To enable Rule-based Redirection upon an upgrade, go to VNS > Global > Filtering Mode

Rule Based Redirection to a Captive Portal

Redirecting to a captive portal is a common rule-based redirection use case. The following is an example Allow configuration for rule-based redirection to a captive portal.

Policy to be associated to unauthenticated role

  • This role allows the station to use DHCP and DNS:

    • Access Control = Allow, Port = DNS

    • Access Control = Allow, Port = DHCP Client.

    • Access Control = Allow, Port = DHCP Server.

  • The role allows the station to communicate with the external captive portal server using HTTP or HTTPS.

    • Access Control = Allow, IP/subnet = IP of Captive Portal Server Overview of Facilities and Usage Then specify the Captive Portal Server on the VLAN Class of Service tab in the Redirection URL field. The Redirection URL can be provided as a URL, IP address, or host name if using L7 Host Name
      DNS support.

    • The role must allow the station to send traffic to the controller’s IP address on the VLAN (Virtual LAN) containing the station’s traffic; therefore, one Allow policy must include the IP/subnet that corresponds to the VLAN ID. Depending on the Default Access Control value on the role, this can be the VLAN ID specified on the role or the VLAN ID specified during WLAN (Wireless Local Area Network) Service configuration.

      • When default Access Control = Allow, VLAN ID on the WLAN Service configuration is used.

      • When default Access Control = Contain to VLAN, the VLAN ID on the Role configuration is used.

      • Access Control = Allow, IP/subnet = Configured VLAN subnet.

Additional rules may be required if you enabled Social Networking connectors. ( TBD - link to additional policies )

Policy to be associated with "Guest" role ( authenticated )

If you have defined multiple Cloudi-Fi user profiles, you will have to define as many Extreme Wireless Roles as you defined Cloudi-Fi profiles. This will allow you to defined Role based policies and grant more access rights to your VIP users.

RADIUS Servers

Once the WLAN Service exists, the FF-ECP configuration takes place on the Auth & Acct tab. First, select Firewall Friendly External as shown in

A RADIUS server is required if the FF-ECP does not include all the following items in the redirection URLs it sends to authenticated clients:

  • Signature – A secure hash computed over the body of the redirection URL.

  • Timestamp – A timestamp indicates when the redirection URL was sent to the user.

Add following Radius servers:

Primary Server
Shared Secret: ( contact Cloudi-Fi support to get it )
Default Protocol: PAP

Secondary Server
Shared Secret: ( contact Cloudi-Fi support to get it )
Default Protocol: PAP

Firewall Friendly External Captive Portal Configuration

Options to be selected:

  • EWC/AP IP & port ( set a FQDN which will point to your Controller IP Address ). The controller MUST have a public certificate which matches this FQDN. If you need any assistance, get in touch with our support.

  • AP Ethernet MAC

  • Associated BSSID

  • VNS Name

  • SSID

  • Startion's MAC address

  • Timestamp

  • Signature

Identity and Shared Secret
The identity must be a printable (non-control code) ASCII alphanumeric string. The shared secret should:

  • Be a printable (non-control code) ASCII string.

  • Be between 16 and 64 characters. It can contain slashes, braces, and other printable ASCII symbols.

  • Be exactly the same key must be configured on the ECP and associated with the same identity.

Redirect from External Captive Portal

Tick the box "Use HTTPS for User Connections" and select "session management page" in the Send Successful Login To droplist.

Did this answer your question?