The following example of a UAM authentication workflow for your hotspot includes descriptions of the URLs used for logging in and authenticating with a hotspot service provider. It is provided to help you understand the UAM workflow, the URL requirements, and how parameters specific to your hotspot provider can be used.
This example assumes a network client is attempting to access a resource through the router configured to act as a Wi-Fi hotspot.
The client device’s request is captured by the router’s captive portal (walled garden).
The router builds a URL to redirect the client device’s request to your UAM service provider’s login page. The redirect URL is sent to the client device in an HTTP 302 response.
The login redirect URL uses the following format:
<login_url>&res=<uam_handshake_state>&uamip=<uam_ip_address>&uamport=<uam_port>&challenge=<chap_challenge_string>&called=<called_sta_id>&mac=<calling_sta_id>&ip=<client_ip_address>&nasid=<nas_gateway_id>&sessionid=<session_id>&userurl=<hotspot_detect_url>
The login-redirect URL fields are defined in the following list:
login_url – The URL of the UAM service provider’s login page. To configure the login URL, go to > in the router's setup pages and use the Login URL field under UAM Settings.
The login_url can be thought of as two parts: <uam_service_login_url> and <uam_service_parameters>.
uam_service_login_url – The base URL for the UAM provider’s login page.
uam_service_parameters – An optional list of parameters that are unique to the UAM provider. Each parameter must be of the form <name>=<value>.
Example: The parameter "proto=https" may be added to the <uam_service_parameters> list to enable Secure UAM transactions.
res – The current state of the UAM handshake. Valid states include:
notyet – The client has not yet logged in.
already – The client has already logged in successfully.
logoff – The client is logging off.
success – The client has successfully logged on.
failed – The client's login attempt has failed for one of the following reasons:
other – A generic default (see router logs to debug).
timeout – The router timed out trying to reach the RADIUS server.
rejected – The RADIUS server denied the client access.
uamip – The IP address of the router’s local IP network configured to use a hotspot as its IPv4 Routing Mode. See step 7 in Configuring the Hotspot Services Feature for more information on configuring a local IP network as a hotspot.
uamport – The port number of the router’s UAM client. The uamport can be configured using the Hotspot/UAM Authentication Port slider in the Hotspot Settings section at page in the router's setup pages.
challenge – A router-generated CHAP challenge string; 32 hexadecimal characters.
called – The 802.1X Called-Station-Id. This is set to the router’s MAC address.
mac – The 802.1X Calling-Station-Id. This is set to the client device’s MAC address.
ip – The IP address assigned to the client device, either by a static network configuration or by the router’s DHCP server.
nasid – A string used to identify the router to the UAM service provider. Configure nasid using the NAS/Gateway ID field under the UAM Settings section at page in the router's setup pages.
sessionid – The router-generated unique identifier for the current session.
userurl – The URL that the client device uses to detect captive portals.
The client device redirects to the UAM service provider’s login page. The client device’s user is required to perform an operation (typically a button press) that submits a form to the UAM provider’s server.
The UAM server replies to the client’s submit action by sending the client device a page indicating that authentication is being done. The HTML code within this page must contain a line that redirects the client device back to the router’s captive portal.
The UAM service provider may choose how the redirect itself is achieved.
One option is to use an HTML meta refresh.
Example: <meta http-equiv="refresh" content="0; url=<redirect_to_router_url>">. (The content attribute must begin with the delay in seconds; 0 redirects immediately.)
The redirect URL must perform an HTTP GET operation. The Ericsson Enterprise Wireless Captive Portal solution does not currently support using HTTP POST operations for login requests when in RADIUS mode.
The redirect URL requires the following format:
<protocol>://<uamip>:<uamport>/logon?username=<calling_sta_id>&response=<chap_response>
protocol – Defaults to “http”. The protocol can be set to “https” by using the Secure UAM feature.
<uamip>, <uamport>, <calling_sta_id> were all given to the UAM provider’s server in the login redirect URL built by the router in step 2.
logon – The command for the router to execute.
username – The username to use in the RADIUS auth command.
response – The CHAP response, which the router uses in the RADIUS auth command.
Note
The Ericsson Enterprise Wireless Captive Portal only supports CHAP at this time.
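The following Python example is added here to illustrate both URL formats described above; it is not code from the router or from any UAM provider. It parses and validates the router's login-redirect URL as a UAM server would receive it, then builds the logon redirect back to the router. The chap_response function is an assumption (RFC 1994 CHAP with identifier 0, as used by ChilliSpot-style UAM); the page does not define that computation, so confirm the exact scheme with your provider. The sample URL and its values are constructed.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Handshake states the router places in the "res" field (from the list above).
VALID_RES = {"notyet", "already", "logoff", "success", "failed"}
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")          # router CHAP challenge
MAC = re.compile(r"^([0-9a-fA-F]{2}[-:]?){5}[0-9a-fA-F]{2}$")
REQUIRED = ("res", "uamip", "uamport", "challenge", "called",
            "mac", "ip", "nasid", "sessionid")

def parse_login_redirect(url):
    """UAM-server side: parse the router's login-redirect URL and validate
    every field before it is trusted or echoed back to the router."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    f = {k: v[0] for k, v in q.items()}
    for k in REQUIRED:
        if k not in f:
            raise ValueError(f"missing field {k}")
    if f["res"] not in VALID_RES:
        raise ValueError(f"unknown res state {f['res']!r}")
    if not HEX32.match(f["challenge"]):
        raise ValueError("challenge must be 32 hexadecimal characters")
    if not MAC.match(f["mac"]) or not MAC.match(f["called"]):
        raise ValueError("malformed station id")
    if not 1 <= int(f["uamport"]) <= 65535:
        raise ValueError("uamport out of range")
    return f

def chap_response(password, challenge_hex, ident=0):
    """ASSUMPTION: RFC 1994 CHAP, identifier 0, over the raw challenge bytes
    (ChilliSpot-style UAM). Verify against your provider's documentation."""
    chal = bytes.fromhex(challenge_hex)
    return hashlib.md5(bytes([ident]) + password.encode() + chal).hexdigest()

def build_logon_url(fields, response, secure=False):
    """Build the HTTP GET redirect back to the router's /logon endpoint,
    using the uamip/uamport/mac values the router supplied."""
    proto = "https" if secure else "http"   # https requires Secure UAM
    query = urlencode({"username": fields["mac"], "response": response})
    return f"{proto}://{fields['uamip']}:{fields['uamport']}/logon?{query}"

# Constructed sample of the 302 Location the router would send (not real data).
SAMPLE = ("https://uam.example.net/login?proto=https&res=notyet"
          "&uamip=192.168.0.1&uamport=3990"
          "&challenge=00112233445566778899aabbccddeeff"
          "&called=00-11-22-33-44-55&mac=66-77-88-99-aa-bb&ip=192.168.0.23"
          "&nasid=hotspot-01&sessionid=0123456789abcdef"
          "&userurl=http://captive.example.com/hotspot-detect.html")
```

Running parse_login_redirect over the sample then build_logon_url with the computed response yields the logon URL in the format shown above; a tampered res or challenge value is rejected before anything is sent back to the router.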
If the client device authenticates, the router’s captive portal redirects the client to a URL based on the Redirection on Successful Authentication setting. This setting is selected from the Redirection on Successful Authentication drop-down list in the RADIUS Settings section of the Networking > Local Networks > Hotspots Services page in the router's setup pages. Its options are the following:
To the URL the user intended to visit – The router issues an HTTP redirect to the URL the client device first requested at the beginning of the authentication process.
To an administrator-defined URL – The router will issue an HTTP redirect to the custom URL defined in the UI.
To the UAM Server – The router will issue an HTTP 302 redirect back to the UAM server. This redirect URL uses the following format:
<login_url>&res=success&uamip=<uam_ip_address>&uamport=<uam_port>&challenge=<chap_challenge_string>&called=<called_sta_id>&mac=<calling_sta_id>&ip=<client_ip_address>&nasid=<nas_gateway_id>&sessionid=<session_id>&userurl=<hotspot_detect_url>&uid=<calling_sta_id>&timeleft=<time_left_on_network>
Note
“res=success” indicates the client has successfully authenticated.
uid is the same field as username in the redirect URL sent to the router by the UAM service provider.
timeleft indicates how much time the client device has until it is de-authenticated from the hotspot network. This value is based on information the router received from the RADIUS server when the client device authenticated.
All other parts of this URL are identical to those previously described.
Note
A network sniffer (for instance, tcpdump or wireshark) may display cpcheck requests in its output. A UAM or RADIUS service provider can safely ignore these. They are used internally by the router to identify HTTP[S] requests from a Captive Portal client device versus other HTTP[S] traffic.
For more information on using UAM with your router, see Enabling Secure Captive Portal (UAM) Transactions.