# Sign-on Splash

External splash pages are stored and executed on a web server that you define. The page must respond appropriately to certain messages from the Access Point in order to present the appropriate user interface to the user at each stage of the authentication process.

When combining with RADIUS Authentication, EnGeniusCloud can consult an external RADIUS server that you specify in order to determine whether to authenticate the user. The user interface presented to the user will be determined by the external splash page.

EnGeniusCloud supports three types of RADIUS-based authentication: **EnGenius Authentication**, **Custom Radius**, and **Voucher Service**. All three types can work with an external splash page to provide a sign-on splash service.

## Overview

### Communication Flow

![](/files/-LrEtV1vdQ_QKF5zkATu)

1. A new wireless client tries to connect to a Captive Portal enabled SSID served by an Access Point.
2. The AP intercepts the request and redirects the user to the external splash page, which is served by an external web server configured in the `SSID's splash page` setting. In addition, an **`actionurl`** parameter is passed to the splash page so that the browser can be redirected back to the cloud after the splash page form is submitted.
3. The splash page content, with the **`actionurl`** parameter, is delivered to the browser.
4. The user clicks the **login** button on the splash page and is then redirected to **`actionurl`**. The actionurl makes the Access Point act as a RADIUS proxy to authenticate the user against the remote RADIUS server.

### Parameters

In Step 2 of the previous section, the actionurl parameter is composed of a cloud URL with extra parameters. A sample HTTPS request to the splash page could look like this:

```http
https://yourwebsite.com/login.html?actionurl=http%3A%2F%2F172.23.1.1%3A4990%2Fwww%2Flogin.chi%3Fclient_ip%3D192.168.1.111%26vendor%3DEnGenius%26ssidProfileId%3D62a9561efc9ea68257e08e4d%26userurl%3Dhttp%253A%252F%252Fwww.msftconnecttest.com%252Fredirect%26ap_mac%3D88-DC-96-9C-E9-3C%26mac%3D68-EC-C5-3F-5C-F0%26client_mac%3D68-EC-C5-3F-5C-F0%26networkId%3D5f647ea0786661d04888ea59%26ap_ip%3D172.23.1.1%26ap_port%3D3990%26called%3D88-DC-96-9C-E9-3C&res=notyet&reason=None
```

Here, <https://yourwebsite.com/splash.html> is the splash page setting customized for the corresponding SSID. The actionurl parameters are listed below:

| Parameter Name | Description                                                                                             |
| -------------- | ------------------------------------------------------------------------------------------------------- |
| vendor         | Should be "EnGenius"                                                                                    |
| ap\_ip         | IP address of associated AP                                                                             |
| ap\_mac        | MAC address of associated AP                                                                            |
| ap\_port       | AP service port                                                                                         |
| client\_ip     | IP address of the wireless client                                                                       |
| client\_mac    | MAC address of the wireless client                                                                      |
| userurl        | The URL that user tried to visit before authenticated                                                   |
| mac            | Client's MAC address (will be obsolete after 2021); please use **client\_mac**                          |
| called         | AP's MAC address (will be obsolete after 2021); please use **ap\_mac**                                  |
| nas\_id        | Network access server identifier is used to notify the source of a RADIUS access request.               |
| ssidProfileId  | Globally unique identity of the associated SSID                                                         |
| networkId      | Globally unique identity of the network to which the associated AP belongs                              |

## Configure Authentication Type of Captive Portal

1. Select a network in [Org-tree](https://doc.engenius.ai/home-cloud-user-manual/working-with-org-trees).
2. Select SSID in the configuring tool menu.
3. Choose the SSID you want to configure.
4. Under the **`Association`** Tab, choose "**Open**" or "**WPA2 PSK**".
5. Switch to the **`Captive Portal`** Tab and choose one of three authentication types: **EnGenius Authentication**, **Custom Radius**, and **Voucher Service** to enable the RADIUS-based authentication.
6. Enable walled garden (located under **Captive Portal > Advanced Settings > Walled garden**) and enter the public IP address of your web server. The address specified needs to be the public-facing IP address of the web server hosting the Splash page, not the local LAN IP.
7. Click on the **`Apply`** button.

## Enabling an External Splash Page on EnGeniusCloud

1. Select a network in [Org-tree](https://docs.engenius.ai/home/cloud-user-manual/working-with-org-trees).
2. Select SSID in the configuring tool menu.
3. Choose the SSID you want to configure.
4. Switch to the **`Captive Portal`** Tab and make sure your Captive Portal is enabled and Authentication Type is set to **`Click-through`**.
5. Switch to the **`Splash Page`** Tab. Select **`External Splash Page URL`**.
6. Enter the URL of your custom splash page (e.g., <https://yourwebsite.com/splash.html>).
7. Click on "`Apply`" button.

## Configure the External Splash Page Server

The external splash page must be hosted on a web server that will be accessible from the Access Points on your network. The following must be accomplished, but the particular details will depend very much on your web hosting environment.

1. Setup the Web Server.
2. Modify the splash page to set the **`form action`** to the value of **`actionurl`** passed by the cloud. This way, after the user submits the form, the browser is redirected to that URL and the authentication completes. To collect logon credentials, you will need to create an HTML form that collects them and submits them to the login URL. In its simplest form, this could look similar to the code below:

```markup
<form method="POST" action="$actionurl">
   Username:<br><input type="text" name="username" value=""><br>
   Password:<br><input type="password" name="password" value=""><br>
   <input type="submit" value="Submit">
</form>
```

{% hint style="info" %}
Note that the input field names "username" and "password" cannot be changed. These two input fields are required to provide the credentials for RADIUS authentication.
{% endhint %}
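Because the form above collects RADIUS credentials, the splash page server should check and HTML-escape `actionurl` before writing it into the form's `action`. The following is an added example, not EnGenius code: `extract_actionurl`, `render_form` and the acceptance checks (host is a private IP literal, `vendor` is "EnGenius", host equals `ap_ip`) are assumptions drawn from the sample request in the Parameters section.

```python
import html
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed request, shortened from the sample in the Parameters section.
SAMPLE = ("https://yourwebsite.com/login.html?actionurl=http%3A%2F%2F172.23.1.1"
          "%3A4990%2Fwww%2Flogin.chi%3Fclient_ip%3D192.168.1.111%26vendor%3DEnGenius"
          "%26ap_mac%3D88-DC-96-9C-E9-3C%26client_mac%3D68-EC-C5-3F-5C-F0"
          "%26ap_ip%3D172.23.1.1%26ap_port%3D3990&res=notyet&reason=None")

FORM = ('<form method="POST" action="{action}">\n'
        '   Username:<br><input type="text" name="username" value=""><br>\n'
        '   Password:<br><input type="password" name="password" value=""><br>\n'
        '   <input type="submit" value="Submit">\n'
        '</form>')


def extract_actionurl(request_url):
    """Return the decoded actionurl, or None if it fails the checks."""
    values = parse_qs(urlsplit(request_url).query).get("actionurl", [])
    if len(values) != 1:              # missing or duplicated parameter
        return None
    try:
        action = urlsplit(values[0])
        host = ipaddress.ip_address(action.hostname or "")
    except ValueError:                # malformed URL, or a name instead of an IP
        return None
    params = parse_qs(action.query)
    ok = (action.scheme in ("http", "https")
          and action.username is None            # reject user@host forms
          and host.is_private                    # assumption: AP is on a private range
          and params.get("vendor") == ["EnGenius"]
          and params.get("ap_ip") == [str(host)])
    return values[0] if ok else None


def render_form(request_url):
    """Build the login form, or return None when actionurl is rejected."""
    action = extract_actionurl(request_url)
    if action is None:
        return None
    # quote=True escapes & and " so the value stays inside the attribute.
    return FORM.format(action=html.escape(action, quote=True))
```

When `render_form` returns `None`, serve an error page instead of a login form so credentials are never posted to an unverified target.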


