This chapter describes how to configure Cradlepoint.
Before proceeding further with the configuration, you need to configure HSNM with a domain and a gateway as described in Adding a New Gateway.
The prerequisites required for configuration are:
To get started, you will need to:
a) Make sure you have a proper SSL certificate available.
b) Set up Hotspot Services in NetCloud Manager.
Ericsson Cradlepoint has developed a secure method for facilitating transactions between their routers and captive portals using HTTPS. By encrypting these transactions, the submitted information remains secure, enhancing user trust and delivering a positive experience.
An SSL certificate and key must be uploaded to the Ericsson Cradlepoint router and assigned for use with HTTPS, so that the HTTP transactions passed between a client browser (not the administrator-level browser being used to make these changes), the Ericsson Cradlepoint router, and the captive portal are encrypted. The SSL certificate:
IMPORTANT
A valid SSL certificate is required. If you have not set one up yet, see How to Use Custom Certificates with HTTPS.
Hotspot Services enables businesses to provide their customers a public Wi-Fi hotspot with access controls. On networks that allow open public access, for example in a hotel or on a bus, a captive portal page can be displayed with the terms and limitations of the Wi-Fi service. Cradlepoint Hotspot Services provide an easy way to set up a captive portal, where clients attempting to access the internet are initially redirected to a different webpage, or are placed in a limited-service “walled garden”. Importantly, Cradlepoint also offers RADIUS/UAM hotspot mode, which is the mode required for Secure Captive Portal setup. This mode permits additional enterprise-level configuration via custom or third-party authentication servers.
IMPORTANT
Hotspot Services must be enabled. See Configuring Hotspot Services in RADIUS/UAM Mode.
Complete the following steps to set up a secure captive portal for UAM.
Log into NetCloud Manager.
Select Devices in the left-side navigation panel.
Select a router from the Routers page. Alternatively, to make configuration changes to a group, navigate to the Groups page and select a group.
Select Configuration and then Edit.
Navigate to SYSTEM > Administration > Local Management.
a) Enter the domain associated with the SSL certificate in the Local Domain field, and select the matching SSL Certificate from the available list.
b) A best practice is to include the domain in the title of the SSL certificate. This makes finding the correct certificate, and entering the correct domain where needed, much easier.
Click Save.
Navigate to NETWORKING > Local Networks > Local IP Networks.
Select the LAN you configured earlier for Hotspot routing.
Click Edit.
Navigate to the General Settings tab.
In the Hostname field, enter the host name associated with the SSL certificate.
The default is “cp” (as below), which is also the value used on the existing routers used for testing.
Click Save.
Navigate to NETWORKING > Local Networks > Hotspot Services.
Note: You must have set up Hotspot Services in RADIUS/UAM mode already.
Find the Login URL field in the UAM Settings section of the page. The URL should have the form:
https://<captive.portal.url>/start?<parameters>
where:
<captive.portal.url> Is the URL of the captive portal to which users will be
<parameters> Is a list of parameters that are appended to the end of
Add the following new parameter string to the end of the <parameters> list:
&proto=https
For example, a complete Login URL statement could be:
Click Save.
Click Commit Changes. The router is now ready to serve secure captive portal transactions.
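The checks below can be run on the values entered in the steps above before committing them. This is an added example, not code from Cradlepoint or HSNM: it tests that a Login URL has the form https://<captive.portal.url>/start?<parameters> with &proto=https at the end, and that the router's name is covered by the DNS names in the SSL certificate. The URLs, parameter names and certificate names are constructed, and treating the router's name as Hostname + "." + Local Domain is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl


def check_login_url(url):
    """Return a list of problems with a UAM Login URL; an empty list means it passes."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no captive portal host")
    params = parse_qsl(parts.query, keep_blank_values=True)
    proto = [value for key, value in params if key == "proto"]
    if not proto:
        problems.append("proto parameter missing")
    elif proto != ["https"]:
        problems.append("proto must appear once with value https")
    elif params[-1] != ("proto", "https"):
        problems.append("proto=https is not at the end of the parameter list")
    return problems


def name_matches(pattern, fqdn):
    """Match a certificate DNS name; a wildcard may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    f = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(f):
        return False
    if p[0] == "*":
        # "*.example.com" covers "cp.example.com" but not "a.b.example.com" or "*.com"
        return len(p) > 2 and p[1:] == f[1:]
    return p == f


def check_router_name(hostname, local_domain, cert_dns_names):
    """Assumption: the router is reached as <Hostname>.<Local Domain>."""
    fqdn = f"{hostname}.{local_domain}"
    return fqdn, any(name_matches(name, fqdn) for name in cert_dns_names)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    good = "https://portal.example.com/start?a=1&b=2&proto=https"
    bad = "http://portal.example.com/start?a=1"
    print(good, "->", check_login_url(good) or "OK")
    print(bad, "->", check_login_url(bad))
    print(check_router_name("cp", "example.com", ["*.example.com"]))
    print(check_router_name("cp", "example.com", ["portal.example.com"]))
```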
When accessing
Complete the following steps to verify the configuration.
Connect a client device (for example, a laptop or cellular phone) to the Cradlepoint router using either Ethernet or Wi-Fi.
Verify that the client device’s only access to the internet is through its connection to the Ericsson Cradlepoint router.
Open a web browser in private viewing mode on the client device. For example, in Chrome open a new Incognito window, or in Edge open a new InPrivate window. Using this type of browser window ensures that the browser answers HTTPS requests by sending them over the web instead of retrieving pages from its cache.
Navigate to any web page that is external to the client’s local domain. Verify that:
Verify you can authenticate through the captive portal without triggering a pop-up from the browser warning of an insecure connection.
The protocol used for a browser-based login at a captive portal is called the Universal Access Method (UAM). There is currently no specification for the UAM protocol. Because there is no specification, there are slight differences in how UAM is implemented between vendors of captive portal solutions. It may be necessary for Ericsson Enterprise Wireless to work with your captive portal vendor to fully implement their side of the Secure UAM feature.
Upload SSL here: