[NEBULA] External Captive Portal authentication

SB10
SB10 Posts: 8
Friend Collector First Comment
edited April 2021 in Nebula

Hi,


I work with many different AP brands with external captive portal.

This is are my current Authentication and Captive Portal settings.

I have a custom self coded portal that i use in other brands, but it is not working properly here.

The correct behaviour of the portal should be "Image below" --> video --> close portal pop-up

This is the URL i get when portal pops up:

[myCPaddress]index.html?gw_addr=http://192.168.0.111&apmac=[myAPMAC]&usermac=[myDeviceMAC]&apip=192.168.0.111&userip=[userIP]&auth_path=/login.cgi&apurl=http://192.168.0.111/cgi-bin/Clicktocontinue.cgi

So what's happening is when user clicks/taps 'Browse now' button, user should be authenticated and authorized, and then show a video that automatically closes when it's finished, but instead redirects to [myCPaddress]/loginexpecting server to have this .


Since there is not (or I could not find) any documentation about external captive portals, i don't know if Zyxel does not allow complete custom portals or has to follow any rules for it to work.

*I know there is a customizable portal available to download, but that's very basic and not what i need, since mine gets and posts data to servers and databases.


I'm currently stuck with it right here, any help would be appreciated.

«1

Comments

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hi @SB10,

    As you mentioned that the sample of the customized captive portal page is the basic one for reference, however, the important thing is the control code can't be changed when you modify on it. So, would you help to check if the control code of your page is following the sample?

  • SB10
    SB10 Posts: 8
    Friend Collector First Comment
    edited February 2020

    Excuse me, but i am not getting your point.

    What is the control code, and how does this apply to my case? (Since there is no documentation on this, or at least i could not find it)

    For example, when i work with Meraki, and a portal opens, i get a URL like this:

    https://dexterlabora.github.io/excap-clientjs/public/index.html?base_grant_url=https%3A%2F%2Fn143.network-auth.com%2Fsplash%2Fgrant&user_continue_url=http%3A%2F%2Fmeraki.io%2F&node_id=149624922840090&node_mac=xx:xx:xx:xx:xx:xx&gateway_id=149624922840090&client_ip=10.255.60.208&client_mac=xx:xx:xx:xx:xx:xx

    This is an example that's given in the Meraki API docs.


    What the portal does, is when user clicks "Browse now" button, it redirects to

    https://n143.network-auth.com/splash/grant/http://meraki.com

    But with Zyxel, there is no such thing, and i need to find a way to auth the user and then redirect to my custom splash page

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hello @SB10,

    I just modified the MAC in your post because of the privacy.

    After clicking the agree in the captive portal with click to continue page, take the default as an example, I get below URL as below.

    http://<AP IP>/cgi-bin/tmp/captive-portal/THEME1/success.html

    If you have problem after you click 'Browse now!', it should be related about 'submit' of the HTML. The code below has to be used when click the "Browse now!" button to let the AP know that user is authorized. If you modified the code, please make sure if the path is correct.

    If you still have problem after you checked these parts, would you share the code for us to check?

    Thanks.

  • SB10
    SB10 Posts: 8
    Friend Collector First Comment

    I am not allowed to share the code publicly, so i will PM you.

  • Iwannaquitthegym
    Iwannaquitthegym Posts: 23  Freshman Member
    First Anniversary Friend Collector First Comment

    When the "Browse button!" is clicked you should have a submitEvent that calls the script posted by @Nebula_Freda. Actually this code seems to only return the apurl which is already included in the parameters when the AP redirects to your portal in the first place, in your case:

    apurl=http://192.168.0.111/cgi-bin/Clicktocontinue.cgi

    This should tell the AP that the button has been clicked. Then in order to see the video, you should put the video URL in the Promotion URL, by that time the device should have been granted with internet already.

    It seems to me that the "NOT FOUND" page is from your captive portal, but I'm not sure if it's because the code when clicking the button redirects to somewhere that is not the apurl, or this is actually related to the Promotion URL you set.

    You can do it step by step, first try to make the SubmitEvent work, meaning that your CP talks back to the AP and the wireless device will have internet after clicking the button. And then try to redirect to your portal again for the video play.

    Keep me updated, interesting implementation that you have there ?

  • SB10
    SB10 Posts: 8
    Friend Collector First Comment

    @Iwannaquitthegym

    I used the script provided in the html, and replaced button-submit with my button id.

    apurl in link is:

    apurl=http://2.2.2.2/cgi-bin/Clicktocontinue.cgi

    But when i click on Browse now, it redirects to http://myserver.com/cgi-bin/Clicktocontinue.cgi

    and crashes there like it shows in the last image as if it tries to find it in my server, and does not authorize the client

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    edited February 2020

    Hello,

    Sorry that I pasted wrong URL which is used for internal captive portal, and you are right that the URL is http://192.168.1.44/cgi-bin/Clicktocontinue.cgi for external captive portal.

    @SB10 I got your message for the html. We'll check it asap and update for you.

    Thanks.

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hello @SB10,

    After we checked the HTML, we found the button can't be clicked, so we help to modified one and PM you.

    We'd like to check the behavior of the captive portal page, so would you help to clarify that which one is expected?

    1. Click 'Brose now!' and then playing the video before doing authentication.> If playing the video before authentication, please check if the video path/server is set in wall garden?

    Or, 2. You expect that the user should be authenticated after click 'Browse now!' and play the video as a successful page?

    We test the click continue by using the HTML sample which downloaded on NCC for the last version of AP. May I know which version is on the AP and did you got the same result when using our sample to test?

    Thanks.

  • SB10
    SB10 Posts: 8
    Friend Collector First Comment

    @Nebula_Freda

    First of, button is indeed correctly disabled, which gets enabled after js checks everything is succesfully loaded.

    About the captive portal behaviour, it is most likely 2nd option.

    User should be authenticated when clicking Browse now!, and then, will be redirected to another path where another HTML with video/image will be shown as a successful page, and will automatically close itself after the video is played or in case it is an image after 5 seconds.

    Sample captive portal works well.

    The AP is a NAP102, and it is up-to-date as it show on the controller.

    I will PM with more details.

  • SB10
    SB10 Posts: 8
    Friend Collector First Comment

    Allright, i found the issue, it is nothing related to portal configs.


    The problem is on the url that tries to load, and crashes on "#" symbol.

    This is the url it was supposed to load

    http://myserver.com/zyxel/?apmac=xx:xx:xx:xx:xx:xx&usermac=xx:xx:xx:xx:xx:xx&apip=192.168.0.111&userip=192.168.0.46&ssid=Zyxel%20#FreeWifi&apurl=http://2.2.2.2/cgi-bin/Clicktocontinue.cgi

    But after tracking network load, i saw it was trying to load this

    http://myserver.com/zyxel/?apmac=xx:xx:xx:xx:xx:xx&usermac=xx:xx:xx:xx:xx:xx&apip=192.168.0.111&userip=192.168.0.46&ssid=Zyxel

    So basically was crashing at # symbol, and therefore the rest of the url , was not loading, and the important thing here is "apurl" ,so when i clicked Browse now!, it did not work.

    I simply renamed my SSID without any symbol, and it authenticated the client properly and redirected to my landing page.


    So, if anyone ever encounters something like this, make sure your SSID or any url parameters does not include any symbols. ?

Nebula Tips & Tricks