Enabling Optional Captive Portal Configuration
You can configure optional captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. pages by using the WebUI or the CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions..
This section describes the following topics:
Uploading Captive Portal Pages by SSID Association
You can upload custom login pages for captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. into the managed device through the WebUI. The SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. to which the client associates determines the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. login page displayed.
You specify the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. login page in the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile, along with other configurable parameters. The initial user role configuration must include the applicable captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile instance. (In the case of captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. in the base operating system, the initial user role is automatically created when you create the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile instance.) You then specify the initial user role for captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. in the AAA Authentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption. profile for the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection..
When you have multiple captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. login pages loaded in the managed device, you must configure a unique initial user role and user role, and captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile, AAA Authentication, Authorization, and Accounting. AAA is a security framework to authenticate users, authorize the type of access based on user credentials, and record authentication events and information about the network access and network resource consumption. profile, SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. profile, and virtual AP profile for each WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. that will use captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.. For example, if you want to have different captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. login pages for the engineering, business and faculty departments, you need to create and configure according to Table 1.
Entity |
Engineering |
Business |
Faculty |
eng-login.html |
bus-login.html |
fac-login.html |
|
eng-user |
bus-user |
fac-user |
|
eng-cp (Specify eng-login.html and eng-user) |
bus-cp (Specify bus-login.html and bus-user) |
fac-cp (Specify bus-login.html and fac-user) |
|
Initial user role |
eng-logon (Specify the eng-cp profile) |
bus-logon (Specify the bus-cp profile) |
fac-logon (Specify the fac-logon profile) |
eng-aaa (Specify the eng-logon user role) |
bus-aaa (Specify the bus-logon user role) |
fac-aaa (Specify the fac-logon user role) |
|
eng-ssid |
bus-ssid |
fac-ssid |
|
Virtual AP profile |
eng-vap |
bus-vap |
fac-vap |
Changing the Protocol to HTTP
By default, the HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. protocol is used on redirection to the Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. page. If you need to use HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. instead, you need to do the following:
- Modify the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile to enable the HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. protocol.
- For captive portal with role-based access only—Modify the policy to permit HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. traffic instead of HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. traffic.
In the base operating system, the implicit ACL Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. captive-portal-profile is automatically modified.
The following procedure describes how to change the protocol to HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands.:
- Login to the Mobility Master.
- In the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile by navigating to the tab. node hierarchy, edit the
- Select a captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profile, enable the check box and click .
- (For captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with role-based access only) Edit the policy by navigating to the tab.
- Select the policy for which you want to add or delete a new rule.
- Click in the table. Select a and click .
- Add a new rule with the following values:
- is User.
- is the mswitch alias.
- is svc-http.
- is dst-nat.
- Click
- Click .
- In the window, select the check box and click .
The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands change the protocol to HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands.:
(host) [md] (config) #aaa authentication captive-portal profile
protocol-http
(For captive portal with role-based access only)
(host) [md] (config) #ip access-list session captiveportal
no user alias mswitch svc-https dst-nat
user alias mswitch svc-http dst-nat
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
Configuring Redirection to a Proxy Server
You can configure captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. to work with proxy Web servers. When proxy Web servers are used, browser proxy server settings for end users are configured for the IP address and TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. port of the proxy server. When the user opens a Web browser, the HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. or HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. connection request must be redirected from the proxy server to the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. on the managed devices.
To configure captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. to work with a proxy server:
- (For captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with base operating system) Modify the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile to specify the IP address and TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. port of the proxy server.
- (For captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with role-based access) Modify the policy to have traffic for the port destination of the proxy server with NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. applied to port 8088 on the managed device.
The base operating system automatically modifies the implicit ACL Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. captive-portal-profile.
The following sections describe how use the WebUI and CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. to configure the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with a proxy server.
When HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. traffic is redirected from a proxy server to the managed device, the users browser will display a warning that the subject name on the certificate does not match the hostname to which the user is connecting.
The following procedure describes how to redirect proxy server traffic:
- Login to the Mobility Master.
- For captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with Aruba base operating system, in the node hierarchy, edit the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. authentication profile by navigating to the page.
- Select a captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profile and enter the IP address and port for the proxy server.
- Click .
- For captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with role-based access, edit the policy by navigating to the tab.
- Select the policy you want to edit.
- Click in the table. Select a and click .
- Add a new rule with the following values:
- is user.
- is any.
- TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. . is
- TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. port on the proxy server. is the
- is dst-nat.
- is the IP address of the proxy port.
- is the port on the proxy server.
- Click .
- Click .
- In the window, select the check box and click .
The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands redirect proxy server traffic:
For captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with Aruba base operating system:
(host) [md] (config) #aaa authentication captive-portal profile
proxy host ipaddr port port
(host) [md] (config) #ip access-list session captiveportal
user alias mswitch svc-https permit
user any tcp port dst-nat 8088
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
Redirecting Clients on Different VLANs
You can redirect wireless clients that are on different VLANs Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. (from the IP address of the managed device) to the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. on the managed device. To do this:
- Specify the redirect address for the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users..
- For captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with the PEFNG Policy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license.
PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel. license only, you need to modify the policy that is assigned to the user. To do this:
- Create a network destination alias to the managed device interface.
- Modify the rule set to allow HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. to the new alias instead of the mswitch alias.
In the base operating system, the implicit ACL Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. captive-portal-profile is automatically modified.
This example shows how to use the command-line interface to create a network destination called cp-redirect and use that in the captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. policy:
(host) [md] (config ) #ip cp-redirect-address ipaddr
For captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. with PEFNG Policy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel. license:
(host) [md] (config) #netdestination cp-redirect
(host) [md] (config-submode)#ip access-list session captiveportal
user alias cp-redirect svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
Web Client Configuration with Proxy Script
If the web client proxy configuration is distributed through a proxy script (a .pac file), you need to configure the policy to allow the client to download the file. Note that in order modify the captiveportal policy, you must have the PEFNG Policy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel. license installed in the managed device.
The following procedure describes how to allow clients to download proxy script:
- Login to the Mobility Master.
- Edit the captiveportal policy by navigating to the tab in the node hierarchy.
- Select the policy you want to edit.
- Click in the table. Select a and click .
- Add a new rule with the following values:
- is .
- is .
- is the IP address of the proxy server.
- is or
- is .
- Click to add the rule.
- Click .
- In the window, select the check box and click .
The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands allow clients to download proxy script:
(host) [md] (config) #ip access-list session captiveportal
user alias mswitch svc-https permit
user any tcp port dst-nat 8088
user host ipaddr svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
Personalizing the Captive Portal Page
Creating and Installing an Internal Captive Portal