Configuring Internal Captive Portal for Guest Network
For internal captive portal authentication, an internal server is used for hosting the captive portal service. You can configure internal captive portal authentication when adding or editing a guest network created for wireless or wired profile through the Instant UI or CLI.
In the Instant UI
| | 1. | Navigate to the WLAN wizard or Wired window. |
| | | To configure internal captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile. |
| | | To configure internal captive portal authentication for a wired profile, click More>Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile. |
| | 2. | Click the Security tab and assign values for the configuration parameters: |
Table 1: Internal Captive Portal Configuration Parameters
Parameter Description
| Splash page type | Select any of the following from the drop-down list. | | l | Internal - Authenticated—When Internal Authenticated is enabled, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database. |
| | l | Internal - Acknowledged— When Internal Acknowledged is enabled, the guest users are required to accept the terms and conditions to access the Internet. |
|
MAC authentication | Select Enabled from the drop-down list to enable the MAC authentication. |
Delimiter character | Specify a character ( for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP will use the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. NOTE: This option is available only when MAC authentication is enabled. |
Uppercase support | Set to Enabled to allow the IAP to use uppercase letters in MAC address string for MAC authentication. NOTE: This option is available only if MAC authentication is enabled. |
WISPr (Applicable for WLAN SSIDs only.) | Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication. NOTE: The WISPr authentication is applicable only for Internal-Authenticated splash pages and is not applicable for wired profiles. |
Auth server 1 Auth server 2 | Select any one of the following: | | l | A server from the list of servers if the server is already configured. |
| | l | Internal Server to authenticate user credentials at run time. |
| | l | Select New for configuring a new external RADIUS or LDAP server for authentication. |
|
| Load balancing | Select Enabled to enable load balancing if two authentication servers are used. |
Reauth interval | Select a value to allow the APs to periodically reauthenticate all associated and authenticated clients. |
Blacklisting (Applicable for WLAN SSIDs only.) | If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures. |
Accounting mode (Applicable for WLAN SSIDs only.) | Select an accounting mode from Accounting mode for posting accounting information at the specified accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected. |
Accounting interval | Configure an accounting interval in minutes within the range of 0–60, to allow APs to periodically post accounting information to the RADIUS server. |
Encryption (Applicable for WLAN SSIDs only.) | Select Enabled to configure encryption parameters. Select an encryption and configure passphrase. |
| Splash Page Design | Under Splash Page Visuals, use the editor to specify text and colors for the initial page that will be displayed to the users when they connect to the network. The initial page asks for user credentials or email, depending on the splash page type (Internal - Authenticated or Internal -Acknowledged). To customize the splash page design, perform the following steps: | | l | To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette. |
| | l | To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters. |
| | l | To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters. |
| | l | To upload a custom logo, click Upload your own custom logo Image, browse the image file, and click upload image. Ensure that the image file size does not exceed 16 KB. |
| | l | To redirect users to another URL, specify a URL in Redirect URL. |
| | l | Click Preview to preview the captive portal page. |
NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters. |
| | 3. | Click Next to configure access rules. |
In the CLI
To configure internal captive portal authentication:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# essid <ESSID-name>
(Instant AP)(SSID Profile <name>)# type <Guest>
(Instant AP)(SSID Profile <name>)# captive-portal <internal-authenticated> exclude-uplink {3G|4G|Wifi|Ethernet}
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <name>)# auth-server <server1>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure internal captive portal for a wired profile:
(Instant AP) (config)# wired-port-profile <name>
(Instant AP) (wired ap profile <name>)# type <guest>
(Instant AP) (wired ap profile <name>)# captive-portal {<internal-authenticated>| <internal-acknowledged>} exclude-uplink {3G|4G|Wifi|Ethernet}
(Instant AP) (wired ap profile <name>)# mac-authentication
(Instant AP) (wired ap profile <name>)# auth-server <server1>
(Instant AP) (wired ap profile <name>)# radius-reauth-interval <Minutes>
(Instant AP) (wired ap profile <name>)# end
(Instant AP)# commit apply
To customize internal captive portal splash page:
(Instant AP)(config)# wlan captive-portal
(Instant AP)(Captive Portal)# authenticated
(Instant AP)(Captive Portal)# background-color <color-indicator>
(Instant AP)(Captive Portal)# banner-color <color-indicator>
(Instant AP)(Captive Portal)# banner-text <text>
(Instant AP)(Captive Portal)# decoded-texts <text>
(Instant AP)(Captive Portal)# redirect-url <url>
(Instant AP)(Captive Portal)# terms-of-use <text>
(Instant AP)(Captive Portal)# use-policy <text>
(Instant AP)(Captive Portal)# end
(Instant AP)# commit apply
To upload a customized logo from a TFTP server to the IAP:
(Instant AP)# copy config tftp <ip-address> <filename> portal logo