Using an internally-hosted splash page with RADIUS authentication
Topic
This article describes how to set up and edit a splash page hosted on your Datto Access Point that uses a RADIUS server for user authentication.
Environment
- Datto Network Manager
Description
A splash page is the page users will land on when they first use the Web through your network. This article shows you how to set up and edit a splash page, set up authentication on an external server, and host the page on your Datto access point.
Procedure
Configure the RADIUS Server
The RADIUS server is the external server that handles authentication for your website. When users log in, your splash page will communicate with the RADIUS server to verify user identity. You must set up the RADIUS server before following the steps below. If you already have a configured RADIUS server, you may use it without configuring another server.
Standard RADIUS servers are available from the FreeRADIUS project (external link) and within Microsoft Windows Server.
1. In the Navigation menu, select the SSID you are using.
Figure 1: The Navigation window
2. Configure the RADIUS server to provide access for the users that you wish to be able to authenticate. At a minimum, you must provide a username and password for each.
You can also configure the maximum upload and download bandwidth and session timeout length for each user. These are set using the attributes WISPr-Bandwidth-Max-Up, WISPr-Bandwidth-Max-Down, and SESSION_TIMEOUT.
3. Note the IP address (or Hostname) and the secret of the RADIUS server; you will need these in the steps below.
Configure Datto Network Manager
In Network Manager, the splash page and authentication are specified separately for each SSID.
1. In the Datto Network Manager's Navigation menu, select the SSID on which you the splash page will operate (see Figure 1, above).
2. Click Captive Portal from the section options.
Figure 2: SSID section options
3. Select Custom for the type of splash page, then click the Edit Splash Page button.
Figure 3: Captive Portal configuration options
4. Edit the splash page as needed. Be sure to include the current form for RADIUS Access. You may change the form heading and prompt, but you must leave the form controls unchanged. Save the splash page when finished.
Figure 4: RADIUS server access
Link the splash page with the RADIUS server
On Datto Network Manager's Splash Page Authentication card, configure the following settings:
- Splash page authentication type: Select RADIUS from the drop-down menu.
- Server address 1: Enter the IP address or hostname of the RADIUS server.
- Server address 2: Enter the IP address or hostname of a secondary RADIUS server, if configured.
- Server secret: Enter the secret the RADIUS server gave you after configuration.
- NAS ID: A NAS ID may be used to pass additional information about an authentication request to the RADIUS server. If you have a NAS ID, enter it here.
- Block clients after: Set how many password attempts a user gets before their username is blocked
- Block duration of: Specify the length of time a username is blocked. We suggest setting this to at least 10 minutes; otherwise, you may experience incorrectly decrypted passwords that are decrypted incorrectly.
When finished, click the Save Changes button in the upper right-hand corner of the screen.
Figure 5: Splash page authentication
Test the Configuration
The splash page and RADIUS configuration are now complete.
- Unauthenticated users should see the splash page.
- The User Name and Password users enter into the splash page form will be authenticated for the RADIUS server.
- Only those users successfully authenticated by the RADIUS server will be allowed access to the Internet.
Fail-Safe Behavior
If a server configuration or runtime error occurs, Network Manager is designed to fail-safe. If the specified RADIUS server cannot be reached or is not configured correctly, Network Manager will give the user temporary access.