Introduction-
- Problem:
- Previous versions of IAP only allowed a global set of External Captive Portal (ECP) settings which is shared across all ECP SSIDs
- This made it difficult for managed service providers who want to provide different portals to different customers.
- Solution:
- In IAP4.0, up to eight separate ECP profiles could be created
- Each profile could be assigned to one or more wireless SSIDs, wired port profiles, and/or client Roles
- The first profile (default) is reserved and serves as the placeholder for the global profile in previous versions
- A new ‘Use HTTPS’ option is also added so the external ECP server is no longer required to implement the HTTP to HTTPS redirect
Environment- This feature is applicable for the deployment of client doing external captive portal
Network Topology- No network topology applied to this config.
Configuration Steps- Configuration UI: create/edit ECP profile from SSID or wired profile wizard
In the wizard, select or create a new ECP profile in the “captive portal profile” drop list
ECP profiles can also be managed in “Security” -> “External Captive Portal” -> “New” or “edit”
Configuration UI: Choosing different profiles in different SSIDs
Configuration UI: Using ECP profile with role-derivation
- Different clients use different ECP profile after connect the same SSID
- Use role derivation to make different clients assigned to different role
- For the default profile, CLI is identical to previous versions except for the new “https” command
wlan external-captive-portal
server 172.16.11.10
port 443
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https
exit
wlan ssid-profile ecp
captive-portal external
exit
wired-port-profile wired_ecp
captive-portal external
exit
wlan access-rule role_role
captive-portal external
exit - The name “default” does not appear in “show run” for backward compatibility
- To create a custom profile:
wlan external-captive-portal ecp_profile1
server 172.16.11.10
port 443
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https
exit
wlan ssid-profile ecp1
captive-portal external profile ecp_profile1
wired-port-profile wired_ecp1
captive-portal external profile ecp_profile1
wlan access-rule role_ecp1
captive-portal external profile ecp_profile1 - To delete a custom profile:
no wlan external-captive-portal ecp_profile1
To avoid confusion with the default profile, one cannot create a custom profile with the name “default”
Answer- From the above steps we could notice how to configure multiple profiles for ECP on IAP.
Verification- The command Show network <name of the network> will confirm if external captive portal is enabled on SSID profie.
Troubleshooting- Troubleshooting
show external-captive-portal ” is used to show all the external captive portal profiles on IAP
For example:
00:24:6c:c0:0a:d7# show external-captive-portal
External Captive Portal
-----------------------
Name Server Port Url Auth Text Redirect Url Server Fail Through Disable Auto Whitelist Use HTTPs In Use Redirect Mode
---- ------ ---- --- --------- ------------ ------------------- ---------------------- --------- ------ -------------
default localhost 80 / Authenticated Disable Enable Yes Yes Yes
ecp_profile1 172.16.11.10 80 /aruba.php Disable Enable No Yes Yes
show network <SSID profile name> ” -- check which ECP profile used in SSID
For example:
00:24:6c:c0:0a:d7# show network zlfeng
…
L2 Auth Failthrough :Disabled
Captive Portal :external
ECP Profile :ecp_profile1
Exclude Uplink :none
Hide SSID :Disabled
Content Filtering :Disabled
