Frequent Contributor I

How does captive portal authentica​tion really work?


I saw the topic   How does captive portal authentication really work with ClearPass Guest?  But I need to know how does captive portal authentication works with builtin configuration.


Other question: Does it need the controller have  an IP address of the guest network to work the captive portal?


Re: How does captive portal authentica​tion really work?

So, first off is YES you do need to have an IP on the guest's network.  This is because the controller will use this to proxy a http/https request from the client to present the captive portal.  Whether it is external (Clearpass) or internal on the controller, the process is similar.  


See this document for the overview -


Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos

Re: How does captive portal authentica​tion really work?

Basically this, but crucially DNS must be working for you to get the captive portal.



  • client opens browser and does a dns lookup for whatever site.
  • response received from dns.
  • Then client opens http to site.
  • controller hijacks the http and sends a http-redierect back to client which says "site has moved to".
  • client does a dns lookup for
  • controller spoofs the response and gives it's own address.
  • client opens http to controller and captive portal is presented.

It's neat to see it in action if you can get a wireshark capture of the whole process.

If my post is helpful please give kudos, or mark as solved if it answers your post.

Search Airheads
Showing results for 
Search instead for 
Did you mean: