Can we configure internal or external captive portal without PEFNG license?
This KB is applicable to AOS version 6.x.
Yes, without a PEFNG license we can configure both internal and external captive portal on the controller.
Captive portal authentication uses two roles: a pre-authentication role and a post-authentication role. These roles can be customized if the controller has a PEFNG license installed.
Without a PEFNG license we cannot modify or customize the roles; however, we can still achieve basic captive portal functionality.
Internal captive portal configuration without PEFNG license:
Select Security --> Authentication --> L3 Authentication --> Captive Portal Authentication
Create a new captive portal profile. Here, we have created a profile named "new_captive".
Once the captive portal profile is created, a new role is created on the controller automatically. The name of the user role is the same as that of the captive portal profile.
Here, a new role called "new_captive" was created as a result of the captive portal profile "new_captive".
As we can see, the following 11 ACLs are automatically created under this role. These ACLs are required to perform captive portal authentication.
The role "new_captive" needs to be mapped as the initial role in the AAA profile created for the captive portal.
External captive portal configuration without PEFNG license:
The configuration is similar to that of the internal captive portal, except that the IP address or FQDN of the external web server that hosts the captive portal page needs to be added under "Login Page".
The traditional external captive portal requires the external server that hosts the captive portal page to be allowed for HTTP/HTTPS access in the client's initial role. Performing this configuration requires a PEFNG license on the controller.
If the controller does not have the PEFNG license, configure the "Login Page" with the external server's host page URL as seen below.
The "cp-allow-loginip" is derived from the "Login Page" link configured in the captive portal profile, along with its server.
Note: We can use either HTTP or HTTPS for the host page, depending on the login page URL configured.