Environment : Typical environment of user get the cp page for users on L2 deployment having default-gateway on uplink or core switch.
Captive portal from MAS
Yes, MAS can do a captive portal in an L2 deployment. The key is that the upstream gateway is able to route traffic back to the MAS on any IP address.
This is a common demo below
So in this topology, the client is assigned VLAN 120 and it’s default gateway is on GWMAS (e.g. 192.168.120.1). The L2MAS only has one IP address on it (192.168.254.2), specifically on it’s Management VLAN 254. Since the GWMAS knows how to get to 192.168.254.2 via its own IP address 192.168.254.1, it routes the traffic back to the L2MAS for the CP page.
Captive portal from Controller
As we known captive portal is a layer3 authentication method, in order to make it work in a layer 2 deployment environment on wireless controller, we need to make sure the wireless controller have layer3 reachability to the client.
This can be achieved by 2 ways:
1 configure an IP address on the client vlan (this is not a layer2 deployment in some sort. However, since this IP is not the client default gateway, the packet is still pass through the controller. It still layer2 from datapath perspective) When the controller send out the syn-ack, it knows that the client is reachable locally and will do ARP and sent out the packet.
2 enable ‘firewall allow-tri-session’ command.