[NEBULA] Authentication for captive portal

pinger
pinger Posts: 13  Freshman Member
edited April 2021 in Nebula
If I set up a radius server in a security gateway, will this mean my captive portal can use such kind of authentication?

Comments

  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    Hi @pinger, welcome to the Nebula community!

    If you configure the radius server in the NSG (Gateway > Configure > My authentication server)


    And then in Gateway > Configure > Network access method you configure an interface to sign-on with your radius server ("ZyxelRadius" in this example)

    All the wireless and wired clients connecting to this interface will see the gateway captive portal and will need to authenticate using the credentials configured in your radius server.


    On the other hand, if you have a NAP and only want to authenticate the wireless clients connecting to a specific SSID, you can configure the SSID authentication method to sign-on with your radius server in AP > Configure > Authentication:

    These wireless clients will see the AP captive portal and will need to authenticate using the credentials configured in your radius server.

    Hope this is clear :)
  • pinger
    pinger Posts: 13  Freshman Member
    edited May 2018
    Hi, and thank you very much for your support. If I can authenticate against my radius server for wired clients on such interface, if I connect an AP on such interface I assume my WiFi clients would also get network access through captive portal, right? Another big question is: does the request to my radius server come from an IP address in Nebula network? I mean, should I set up my radius server to allow requests from just a set of IP addresses on Nebula network, or does the request to my radius server come from my customer public internet address and so I should set up every single public IP address allowed to request on my radius server?
    I have another question related to Nebula: does it have an open API to get data from APs on Nebula (connected clients, passerby, location heatmap, etc., and real time data support)? If so, where can I get such info?
  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    Hi @pinger

    If you configure the radius authentication in the security gateway, this (NSG) will be the radius client for your server.
    Thus, if your topology is NSG (192.168.1.1) ----- Radius server (192.168.1.100), you will need to allow the request from the NSG IP address 192.168.1.1.

  • pinger
    pinger Posts: 13  Freshman Member
    edited May 2018
    Hi,

    The idea is to authenticate against an external cloud based radius server, so I thought one of the advantages of cloud managed devices was requests on cloud services (such as radius authentication) were performed from a set of IP addresses (Nebula ones) instead of customers' public addresses where NSG devices are actually deployed. So are you sure requests would come from public IP addresses from our customers where NSG devices are actually deployed?
  • Nebula_Bayardo
    Nebula_Bayardo Posts: 179  Zyxel Employee
    Hi @pinger
     
    The request would come from the public IP address of the network. Depending on the topology, the public IP might be the one configured in the NSG WAN interface or if you have the NSG behind a NAT router, it will be the public IP of that router. 
    You can check what's the public IP of your network in Gateway > Monitor > Security gateway:

    In this example, the NSG is behind a NAT router. The cloud radius server will receive the request from 210.61.209.2.

    It's also important to check the attributes needed for the cloud radius server. Currently, the NSG will send the radius attributes:
     - User information: username and encrypted password
     - NAS IP address: configurable on Nebula control center
     - Calling station ID: the IP address of the client connecting to the network.

    I saw you edited the previous post and I missed some of your questions there.
    if I connect an AP on such interface I assume my WiFi clients would also get network access through captive portal, right?
       - Right. WiFi clients will see the NSG captive portal

    does it have an open API to get data from AP's on Nebula? (connected clients, passerby, location heatmap, etc...,and real time data support), if so, where can I get such info?
      - Currently no API is available to get this information. If you have specific requirements for API, you can use the Ideas section to tell us more details about what kind of information you need to get.

    Cheers,
    Bayardo
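
The answer above, seen from the cloud RADIUS server's side, as an added example that is not part of the original thread or Zyxel code: the server selects the shared secret by the packet's source IP (the NAT public IP 210.61.209.2), not by the NAS-IP-Address attribute, and then decodes the listed attributes. It assumes PAP-style User-Password hiding per RFC 2865 (the thread only says "encrypted password"); the secret, user name, password and client IP are constructed values.

```python
import hashlib, ipaddress, struct

# Constructed allowlist on the cloud RADIUS server: source IP -> shared secret.
# 210.61.209.2 is the public IP from the post; the secret is a placeholder.
CLIENTS = {"210.61.209.2": b"constructed-shared-secret"}

def _keystream_xor(data, secret, prev, decrypt):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext)."""
    out = b""
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else mixed
        out += mixed
    return out

def build_access_request(user, password, secret, nas_ip, client_ip, authenticator):
    """What a PAP RADIUS client such as the gateway would send (constructed values)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    attrs = [(1, user),                                                   # User-Name
             (2, _keystream_xor(padded, secret, authenticator, False)),   # User-Password
             (4, ipaddress.IPv4Address(nas_ip).packed),                   # NAS-IP-Address
             (31, client_ip)]                                             # Calling-Station-Id
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + authenticator + body

def handle_request(src_ip, packet):
    """Server side: pick the secret by UDP source IP, then decode the attributes."""
    secret = CLIENTS.get(src_ip)
    if secret is None or len(packet) < 20:
        return None                      # unknown client or runt packet: drop
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        return None                      # not an Access-Request, or bad length
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None                  # malformed attribute
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    if not {1, 2, 4, 31} <= attrs.keys() or len(attrs[4]) != 4:
        return None
    password = _keystream_xor(attrs[2], secret, authenticator, True).rstrip(b"\x00")
    return {"user": attrs[1].decode(), "password": password.decode(errors="replace"),
            "nas_ip": str(ipaddress.IPv4Address(attrs[4])),
            "calling_station_id": attrs[31].decode()}
```

A request arriving from 192.168.1.1 (the gateway's private address, which the NAS-IP-Address attribute may still carry) is dropped, because only the NAT public IP is a registered client.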
  • LOL
    LOL Posts: 14  Freshman Member

    hi @pinger

    May I know what your external cloud based radius server is?

  • pinger
    pinger Posts: 13  Freshman Member
    Our radius server is just a cloud hosted radius service. Another question: if I choose the Click-to-continue option as Network Access, is there any URL from Nebula Cloud I should use to add some parameters to gain network access from my captive portal? I mean, if I set up Network Access through the "Click-to-continue" option, I assume clients connected to that interface (also WiFi clients if I connect an AP to such interface) should get access through captive portal, but the question is how my captive portal returns to Nebula an ok to allow network access after any kind of authentication?
  • pinger
    pinger Posts: 13  Freshman Member
    I have another question regarding an open API; we have a current development for dashboards which include info such as:
    1. Total devices in the area
    2. Connected vs Detected devices
    3. Repeated vs New (Repeated is a device that has already come to that place in the past).
    4. Total devices grouped by time granularity (To display a line chart with evolution over time).
    5. Total devices grouped by each zone (Previously registered in the system).
    6. Coordinates of each device (So we can display a heatmap).
    7. Image of the place (Floor plan).
    8. List of mac addresses (To match those mac addresses info with our db).

    In your portfolio for Nebula options for businesses, both professional pack and its lifetime version support for "WiFI analytics integration (social media/3rd party AAA)" option, so is this feature related to a potential development on Zyxel based APs deployment which could include the above info?




  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    I have been using my own captive portal with the NAP tho... But I guess it's the same.
    On Nebula portal I just configured the URL of my external HTML page, no more parameters needed. But in your captive portal HTML code you obviously need to handle the submit event. I downloaded the template available in the captive portal page on the Nebula portal to use the same script.
    "You will never walk along"
  • pinger
    pinger Posts: 13  Freshman Member
    So I assume the template includes the required code to control network access (to grant clients network access) after an authentication process from my captive portal code, right? Is it something like a post on Nebula cloud?
