How do I configure captive portal access for guest users?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 2.x.


The guest users have a separate SSID and they fall into a separate VLAN that does not have access to the external network. The users must do a captive portal authentication to access the network.

In this example, the guest ESSID maps to a VLAN using private addresses that are not routable by the rest of the network, including DNS servers and an upstream router. All outgoing traffic that originates from this VLAN needs to be src-natted to a routable IP address when the guest is both in the "logon" role as well as in the "guest" role (before and after authentication).

Here is a sample of a working configuration:
(Assume that is a routable IP address.)

ip nat pool 1

ip access-list session captiveportal

user alias mswitch svc-https permit

user any svc-http dst-nat 8080

user any svc-https dst-nat 8081

ip access-list session control-NAT

any any svc-icmp src-nat pool 1

any any svc-dns src-nat pool 1

any any svc-papi permit

any any svc-tftp permit

any any svc-dhcp permit

ip access-list session allowall-nat

user any any src-nat pool 1

user-role guest

session-acl control-NAT

session-acl cplogout

session-acl allowall-nat

user-role logon

session-acl captiveportal

session-acl control-NAT


This example shows the basic configuration. In a real network, you might consider adding these configurations:


  • In the authenticated role (for example, "guest") consider blocking "guest" users from accessing the internal network.
  • Consider limiting outgoing traffic to a certain type (for example, http, https, and VPN).
  • The "logon" role is shared by all uses on the switch, so it applies to captive portal users on other non-guest ESSIDs as well. If you want to limit this behavior for the guest ESSID only, you can define another role:

user-role guest-logon


and user a derivation rule to apply this role to one specific ESSID:


set role condition essid equals guest-essid set-value guest-logon


Note: The "logon" role is also applied automatically to all IP addresses seen on untrusted ports. Special configuration has to be accounted for.

Version history
Revision #:
1 of 1
Last update:
‎07-01-2014 01:47 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: