How do I configure a controller to support an external captive portal?

Aruba Employee
Aruba Employee

Product and software: This article applies to all Aruba wireless controllers and ArubaOS 3.1.1.x and later.



  •  This is a step by step configuration of an Aruba controller that redirects wireless users to an external captive portal page.
  •  The configuration applies to ArubaOS 3.x and later.
  •  The external server will present the login page, authenticate the user and in case of a successful authentication, communicate with the controller via XML to move the user to a predefined role on the Aruba controller.



We assume the following is already implemented:

  •  An ESI license is installed on the controller.
  •  A wireless users VLAN, a DHCP pool for those with the controller interface VLAN IP address as the default gateway, an SSID profile, and a virtual AP profile are already configured on the controller.



For illustration purposes, the following configuration is assumed to be in place as per the above assumptions:

  •  External Captive Portal IP Address:
  •  DNS Server IP Address:
  •  Captive Portal SSID: guest
  •  Wireless VLAN: 30
  •  Wireless VLAN interface IP: / 24
  •  DHCP Pool: / 24  gtw: dns:
  •  Captive Portal SSID Profile ext_cp_ssid


Step 1: Allow http(s) access to the external server in the captiveportal ACL.

(config) #ip access-list session captiveportal

user alias mswitch svc-http dst-nat 8080

user alias mswitch svc-https dst-nat 8081

user alias svc-http permit

user alias svc-https permit

user any svc-http dst-nat 8080

user any svc-https dst-nat 8081

Step 2: Define a new captive portal profile.

(config) #aaa authentication captive-portal "external"

default-role guest

no user-logon <- Auth done by external server

login-page <- URL details may differ

no enable-welcome-page


Step 3: Define the captive portal initial role.

(config) #user-role cp-logon

captive-portal external

session-acl control

session-acl captiveportal


Step 4: Define the captive portal default ACL and role.

(config) #ip access-list session guest-acl

any any svc-dhcp permit

user any svc-icmp permit

user any svc-dns permit

user any svc-http permit

user any svc-https permit


(config) #user-role guest

session-acl guest-acl


Step 5: Define the external captive portal server as an xml-api server.

(config) #aaa xml-api server ""

key "secretkey"


Step 6: Define a new aaa profile to use the initial role and xml-api server.

(config) # aaa profile "external_auth"

initial-role "cp-logon" <-- defined in step 3

xml-api-server ""


Step 7: Define a new virtual AP profile for the external captive portal users.

(config) # wlan virtual-ap "ext_cp_vap"

ssid-profile "ext_cp_ssid" <-- predefined in the prerequisites

vlan 30 <-- wireless user vlan

aaa profile "external_auth" <-- defined in step 6

Important Notes

  1.  Knowing that the external server will communicate with the Aruba controller via HTTPS POST to send xml commands, it is important that the server uses the 'user_add' xml command that includes the "guest" role among others.
  2.  The 'user_authenticate' xml command should be used in case the Aruba controller authenticates the users. In such case:  - The "user login" option should be enabled.  - An authentication server should be configured and its group added to the captive portal profile.
  3.  In the case that SRC_NAT is desired, it is advisable not to use the "ip nat inside" command under the users VLAN interface, and go for scr_nat'ing the users at the ACL level in the post-auth role.  If src-nat is used in the initial role, the redirection may fail and the output of the 'show aaa xml-api statistics command will show that the counter "Cant use Switch IP" has incremented by 1: 
    (MM800) #show aaa xml-api statistics


ECP Statistics



---------- -----------

user_authenticate 0 (0)

user_add 1 (0)

user_delete 0 (0)

user_blacklist 0 (0)

user_query 0 (0)

unknown user 0 (0)

unknown role 0 (0)

unknown external agent 0 (0)

authentication failed 0 (0)

invalid command 0 (0)

invalid message authentication method 0 (0)

invalid message digest 0 (0)

missing message authentication 0 (0)

missing or invalid version number 0 (0)

internal error 0 (0)

client not authorized 0 (0)

Cant use VLAN IP 0 (0)

Invalid IP 0 (0)

Cant use Switch IP 1 (0)


Packets received from unknown clients : 0 (0)

Packets received with unknown request : 0 (0)

Requests Received/Success/Failed : 1/0/1 (0/0/0)


4. A new captive portal profile option was introduced in ArubaOS 3.3.x:  switchip-in-redirection 

When this option is enabled it will add the switchip as a CGI parameter to the redirection URL that already contains the user MAC and IP addresses.  The benefit of this option is to allow multiple switches to use the same XML server.

Version history
Revision #:
1 of 1
Last update:
‎07-01-2014 04:26 PM
Updated by:
Labels (1)