Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[WLC/WLM] Authentication mechanism in SmartPass hosted web portal



Article ID: KB23298 KB Last Updated: 22 May 2012Version: 1.0
This article provides information about the Authentication mechanism in SmartPass hosted web portal.
Information about the Authentication mechanism in SmartPass hosted web portal

SmartPass hosted web portal authentication mechanism

Web portal mechanism details:

  1. Users associate to a web portal enabled service and are placed in the WEB-PORTAL state.

  2. All user traffic is blocked, except DNS and DHCP requests via the portal ACL, which is in place. The portal ACL should be modified, if SmartPass is used to serve the portal page to the client. The modification should include rules for allowing traffic to the SmartPass IP address and the port which is running the service.

  3. HTTP/HTTPS data is redirected to a configured external authentication web server. This is performed by configuring a dedicated ACL rule and setting the web-portal-form attribute in the web portal service profile.

  4.  The external web server directly interacts with the user web browser to validate credentials, by presenting the Login web page to the user; who is trying to browse the Internet. 

  5. Once the credentials have been confirmed, the external server sends a CoA request (RFC3576) to the originating Controller. The CoA contains a request for the session username change. The web portal session will become authorized and active at that time. The web portal ACL will be removed to allow normal traffic to take place. Additional CoA attributes can be set by the external web server at the same time.

  6. On successful authentication and authorization, the client will be automatically redirected to the web page, which it was initially trying to browse. Optionally, the client can also be sent a logout page, which will explicitly log out the user by setting their Controller session in the WEB-PORTAL state again.

Initial web portal state:

When the user is connected to the SSID, a session will be created on the Controller and the Name of the user will be web-portal-<SSID_NAME>. Issuing the show session network verbose command on the Controller will reveal the State of the session as being WEB PORTAL.

The PortalACL is used to block and capture traffic:

Also notice that when issuing the show session network verbose command on the Controller, the Filter ID property should say (service profile). This indicates that a set of ACL rules are in effect, which are supposed to block and capture traffic; except for DNS and DHCP. 

HTTP/HTTPS traffic is redirected to the external server login form:

After the client is placed in the WEB-PORTAL state, the client will want to start browsing the Internet and issue a request to an internet site, by inputting an URL in the browser’s address bar. This is when the Controller will capture the HTTP/HTTPS request and instead redirect the client to the Login form, which was configured in the web-portal-form service profile attribute, issuing the redirect request to the SmarPass Web-Portal Authentication Server.

Assuming that the client will want to browse to the URL, the Controller will capture this request and issue the previously configured redirect request, which will be shown to the client. The client’s address bar will reflect this by being updated with the following URL:

For Controllers running MSS 7.0 and 7.1, the URL will look like this:

For Controllers running MSS 7.5, the URL will look like this:

In which is the name of the SmartPass Web-Portal Server and is the Controller that has sent the URL.

The request parameters have the following meanings:

  • portal_ip: The Controller IP Address that is used to return the CoA request.

  • client_id: The client's MAC address.

  • wbaredirect: Original URL specified by the client.

The following parameters will be sent only by an Controller running MSS 7.5 or later:

  • ssid: The SSID to which the client is connected.

  • bssid: The BSSID of the AP radio to which the client associated.

The SmartPass server will immediately process the request and store the request parameters to use them after the client has provided and submitted the credentials.

Submitting the credentials:

On the Login form that is shown as a result of the Controller redirecting the initial request, which is hosted on the SmartPass server, the client will be able to provide the username and password credentials.

Clicking the Login button will start the Authentication process. If the authentication process is not successful, the client will not be granted access and the displayed page will inform the client of the failed authentication. The client will be automatically redirected to the Login page, on which the client can submit the credentials again.

Depending on the configuration of the User Type, the user is associated to several failed attempts, which may result in the account being locked for a determined or undetermined amount of time. SmartPass will differentiate between failed attempts due to incorrect credentials and failed attempts, which are due to unreachable external servers (see the Web Portal Authentication Types section).

Performing a successful authentication:

If the provided credentials are valid and there was no communication issue with an external server (in case the External type of authentication was selected), then a CoA message will be sent by the SmartPass server to the originating Controller. This message will contain at least two attributes:

  • Trpz-CoA-Replace-User – Trapeze VSA 12

  • Filter-Id – RADIUS Attribute 11

The Trapeze CoA Replace User VSA attribute will be present in the CoA message and its value will be the user name of the user, who was successfully authenticated, and will replace the WEB-PORTAL state user name in the Controller session - web-portal-<SSID_NAME>.

By default, the Filter-Id attribute will be sent with an empty string value, which will clear the portalacl ACL and will allow client traffic to flow normally.

The CoA message will make use of the client MAC address, which is received within the redirect URL, to identify the session. The user name cannot be used, as there could be potentially many other users with the same name - web-portal-<SSID_NAME>.

On successfully receiving the CoA message, the Controller will change the user name of the client being used in the session, as well as the State attribute, which will become active.

As far as accounting is concerned for an active session, after a username changes the CoA request, it is expected to receive an interim-accounting update with the new session username being used. In the case of an unauthenticated web portal session being changed, an accounting start should be sent by the Controller.

When the user is successfully authenticated, SmartPass can send a Change of Authorization message (CoA) to the Controller and update the following attributes: 

  • The filter-id radius attribute (replace the portalACL with a user ACL or no ACL).

  • username.

On successful user authentication, SmartPass can display a page, which indicates that the authentication was successful and redirect the user to the originally requested URL by embedding the meta refresh tag in the page:
<meta http-equiv="refresh" content="4;url=">

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search