Enabling Optional Captive Portal Configuration

You can configure optional captive portal pages by using the WebUI or the CLI.

This section describes the following topics:

Uploading Captive Portal Pages by SSID Association

You can upload custom login pages for captive portal into the managed device through the WebUI. The SSID to which the client associates determines the captive portal login page displayed.

You specify the captive portal login page in the captive portal authentication profile, along with other configurable parameters. The initial user role configuration must include the applicable captive portal authentication profile instance. (In the case of captive portal in the base operating system, the initial user role is automatically created when you create the captive portal authentication profile instance.) You then specify the initial user role for captive portal in the AAA profile for the WLAN.

When you have multiple captive portal login pages loaded in the managed device, you must configure a unique initial user role and user role, and captive portal authentication profile, AAA profile, SSID profile, and virtual AP profile for each WLAN that will use captive portal. For example, if you want to have different captive portal login pages for the engineering, business and faculty departments, you need to create and configure according to Table 1.

Table 1: Captive Portal Login Pages

| Entity | Engineering | Business | Faculty |
|---|---|---|---|
| Captive portal login page | eng-login.html | bus-login.html | fac-login.html |
| Captive portal user role | eng-user | bus-user | fac-user |
| Captive portal authentication profile | eng-cp (Specify eng-login.html and eng-user) | bus-cp (Specify bus-login.html and bus-user) | fac-cp (Specify bus-login.html and fac-user) |
| Initial user role | eng-logon (Specify the eng-cp profile) | bus-logon (Specify the bus-cp profile) | fac-logon (Specify the fac-logon profile) |
| AAA profile | eng-aaa (Specify the eng-logon user role) | bus-aaa (Specify the bus-logon user role) | fac-aaa (Specify the fac-logon user role) |
| SSID profile | eng-ssid | bus-ssid | fac-ssid |
| Virtual AP profile | eng-vap | bus-vap | fac-vap |

Changing the Protocol to HTTP

By default, the HTTPS protocol is used on redirection to the Captive Portal page. If you need to use HTTP instead, you need to do the following:

In the base operating system, the implicit ACL captive-portal-profile is automatically modified.

The following procedure describes how to change the protocol to HTTP:

  1. Log in to the Mobility Master.
  2. In the Managed Network node hierarchy, edit the captive portal authentication profile by navigating to the Configuration > Authentication > L3 Authentication tab.
  3. Select a captive portal profile, enable the Use HTTP for authentication check box and click Submit.
  4. (For captive portal with role-based access only) Edit the captive portal policy by navigating to the Configuration > Roles & Policies > Policies tab.
    1. Select the policy for which you want to add or delete a new rule.
    2. Click + in the Policy > <name of the policy> Rules table. Select a Rule type and click Ok.
    3. Add a new rule with the following values:
      • Source is User.
      • Destination is the mswitch alias.
      • Service is svc-http.
      • Action is dst-nat.
    4. Click Submit.
  5. Click Pending Changes.
  6. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands change the protocol to HTTP:

(host) [md] (config) #aaa authentication captive-portal profile
protocol-http

(For captive portal with role-based access only)

(host) [md] (config) #ip access-list session captiveportal
no user alias mswitch svc-https dst-nat
user alias mswitch svc-http dst-nat
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
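
Because this change moves the guest login off HTTPS, it is worth being able to find every profile and policy where it has been applied. The following audit script is an added example, not part of the original documentation or the vendor's tooling. It assumes a saved configuration in which stanza headers start at column 0 and sub-commands are indented; the function names, finding labels and sample configuration are constructed for illustration, and the two policy-mismatch checks are heuristics that call for a manual look.

```python
import re

# Constructed sample, not taken from a real device. Assumed layout: stanza
# header at column 0, sub-commands indented, "!" between stanzas. Profile
# names reuse Table 1; the commands are the ones shown on this page.
SAMPLE_CONFIG = '''\
aaa authentication captive-portal "eng-cp"
    protocol-http
!
aaa authentication captive-portal "bus-cp"
!
ip access-list session captiveportal
    user alias mswitch svc-http dst-nat
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
!
'''

HEADERS = {
    "profile": re.compile(r'^aaa authentication captive-portal\s+"?([^"\s]+)"?\s*$'),
    "acl": re.compile(r'^ip access-list session\s+"?([^"\s]+)"?\s*$'),
}


def parse_stanzas(text):
    """Return {"profile": {name: [cmds]}, "acl": {name: [rules]}}."""
    stanzas = {kind: {} for kind in HEADERS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif raw[0].isspace():
            if current is not None:
                current.append(" ".join(line.split()))  # normalise spacing
        else:
            current = None  # a new top-level command ends the previous stanza
            for kind, pattern in HEADERS.items():
                match = pattern.match(line)
                if match:
                    current = stanzas[kind].setdefault(match.group(1), [])
    return stanzas


def audit(text):
    """Return a list of (finding, object_name) tuples."""
    stanzas = parse_stanzas(text)
    findings = []
    http_profiles = sorted(
        name for name, cmds in stanzas["profile"].items() if "protocol-http" in cmds
    )
    # The login form and credentials travel unencrypted for these profiles.
    findings += [("cleartext-login", name) for name in http_profiles]

    for name, rules in sorted(stanzas["acl"].items()):
        http_nat = "user alias mswitch svc-http dst-nat" in rules
        https_nat = "user alias mswitch svc-https dst-nat" in rules
        if http_nat:
            findings.append(("acl-http-redirect", name))
        # Half-applied change: a profile uses HTTP, the policy is still HTTPS only.
        if http_profiles and https_nat and not http_nat:
            findings.append(("acl-still-https-only", name))
        # Reverse case: the policy NATs HTTP to the portal but no profile asks for it.
        if http_nat and not http_profiles:
            findings.append(("acl-http-without-profile", name))
    return findings


if __name__ == "__main__":
    for finding, name in audit(SAMPLE_CONFIG):
        print(f"{finding}: {name}")
```
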

Configuring Redirection to a Proxy Server

You can configure captive portal to work with proxy Web servers. When proxy Web servers are used, browser proxy server settings for end users are configured for the IP address and TCP port of the proxy server. When the user opens a Web browser, the HTTP or HTTPS connection request must be redirected from the proxy server to the captive portal on the managed devices.

To configure captive portal to work with a proxy server:

The base operating system automatically modifies the implicit ACL captive-portal-profile.

The following sections describe how to use the WebUI and CLI to configure the captive portal with a proxy server.

When HTTPS traffic is redirected from a proxy server to the managed device, the user's browser will display a warning that the subject name on the certificate does not match the hostname to which the user is connecting.

The following procedure describes how to redirect proxy server traffic:

  1. Log in to the Mobility Master.
  2. For captive portal with Aruba base operating system, in the Managed Network node hierarchy, edit the captive portal authentication profile by navigating to the Configuration > Authentication > L3 Authentication page.
    1. Select a captive portal profile and enter the IP address and port for the proxy server.
    2. Click Submit.
  3. For captive portal with role-based access, edit the captiveportal policy by navigating to the Configuration > Roles and Policies > Policies tab.
  4. Select the policy you want to edit.
  5. Click + in the Policy > <name of the policy> Rules table. Select a Rule type and click Ok.
  6. Add a new rule with the following values:
    1. Source is user.
    2. Destination is any.
    3. Service is TCP.
    4. Port is the TCP port on the proxy server.
    5. Action is dst-nat.
    6. IP address is the IP address of the proxy port.
    7. Port is the port on the proxy server.
  7. Click Submit.
  8. Click Pending Changes.
  9. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands redirect proxy server traffic:

For captive portal with Aruba base operating system:

(host) [md] (config) #aaa authentication captive-portal profile
proxy host ipaddr port port

For captive portal with role-based access:

(host) [md] (config) #ip access-list session captiveportal
user alias mswitch svc-https permit
user any tcp port dst-nat 8088
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081

Redirecting Clients on Different VLANs

You can redirect wireless clients that are on different VLANs (from the IP address of the managed device) to the captive portal on the managed device. To do this:

  1. Specify the redirect address for the captive portal.
  2. For captive portal with the PEFNG license only, you need to modify the captiveportal policy that is assigned to the user. To do this:
    1. Create a network destination alias to the managed device interface.
    2. Modify the rule set to allow HTTPS to the new alias instead of the mswitch alias.

In the base operating system, the implicit ACL captive-portal-profile is automatically modified.

This example shows how to use the command-line interface to create a network destination called cp-redirect and use that in the captive portal policy:

(host) [md] (config) #ip cp-redirect-address ipaddr

For captive portal with PEFNG license:

(host) [md] (config) #netdestination cp-redirect
(host) [md] (config-submode)#ip access-list session captiveportal
user alias cp-redirect svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081

Web Client Configuration with Proxy Script

If the web client proxy configuration is distributed through a proxy script (a .pac file), you need to configure the captiveportal policy to allow the client to download the file. Note that in order to modify the captiveportal policy, you must have the PEFNG license installed in the managed device.

The following procedure describes how to allow clients to download the proxy script:

  1. Log in to the Mobility Master.
  2. Edit the captiveportal policy by navigating to the Configuration > Roles & Policies > Policies tab in the Managed Network node hierarchy.
  3. Select the policy you want to edit.
  4. Click + in the Policy > <name of the policy> Rules table. Select a Rule type and click Ok.
  5. Add a new rule with the following values:
    • Source is User.
    • Destination is Host.
    • Host IP is the IP address of the proxy server.
    • Service is svc-https or svc-http.
    • Action is Permit.
  6. Click Submit to add the rule.
  7. Click Pending Changes.
  8. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands allow clients to download the proxy script:

(host) [md] (config) #ip access-list session captiveportal
user alias mswitch svc-https permit
user any tcp port dst-nat 8088
user host ipaddr svc-https permit
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
