Frequent Contributor I

How does captive portal authentica​tion really work?


I saw the topic   How does captive portal authentication really work with ClearPass Guest?  But I need to know how does captive portal authentication works with builtin configuration.


Other question: Does it need the controller have  an IP address of the guest network to work the captive portal?


Re: How does captive portal authentica​tion really work?

So, first off is YES you do need to have an IP on the guest's network.  This is because the controller will use this to proxy a http/https request from the client to present the captive portal.  Whether it is external (Clearpass) or internal on the controller, the process is similar.  


See this document for the overview -


Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos

Re: How does captive portal authentica​tion really work?

Basically this, but crucially DNS must be working for you to get the captive portal.



  • client opens browser and does a dns lookup for whatever site.
  • response received from dns.
  • Then client opens http to site.
  • controller hijacks the http and sends a http-redierect back to client which says "site has moved to".
  • client does a dns lookup for
  • controller spoofs the response and gives it's own address.
  • client opens http to controller and captive portal is presented.

It's neat to see it in action if you can get a wireshark capture of the whole process.

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Search Airheads
Showing results for 
Search instead for 
Did you mean: