Frequent Contributor II

Captive portal bypass

Hi, have a guest network with a single SSID authenticated via cp. Is it possible to send certain users to an external VPN server without hitting the portal, and not using MAC auth?



Guru Elite

Re: Captive portal bypass

Yes, you can use a UDR to put them into a different role.



Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480

Re: Captive portal bypass

What you can do is allow the VPN traffic in the captive portal initial role.


Please check what is the initial role that users get when they are redirected to the captive portal, by default that is the guest-logon role.


If you add the required traffic for the VPN in that role, before the captiveportal roles, that traffic will be allowed 'through' the captive portal (not triggering the captive portal).


You can create a new policy to allow traffic to your VPN service, for example if the VPN service is at IP, and uses HTTPS (tcp-443) and NAT-T (udp-4500), you can create the following policy:


[Screenshot: 2014-06-03 10_10_02-Security User Roles.png]


Then add this policy to your initial role for guest users, above the captive portal rules:


[Screenshot: 2014-06-03 10_10_46-Security User Roles.png]


This will allow the traffic as defined in the vpn-passthrough policy, without requiring use of the captive portal. One note to add: if you need traffic other than HTTP and HTTPS, you may need to allow this also in the role that is applied after the logon. The default 'guest' role only allows HTTP and HTTPS.


Another approach can be to use the captive portal whitelist, where you create a named or IP destination in ADVANCED SERVICES, Stateful Firewall, Destination; and apply that to the captive portal whitelist (Security, Authentication, L3 Authentication, Captive Portal Authentication).


Command-line configuration:


Aruba Instant has similar methods to make this work; choose Role-based in the Security tab for your SSID.



If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
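The rule ordering described in the reply above, as an added example that is not part of the original thread or Aruba's own configuration: a small first-match model of the initial role showing why the vpn-passthrough policy has to sit above the captive portal rules and why it should name the VPN server rather than any destination. The server address, the simplified captive portal rules and the helper names are assumptions.

```python
import ipaddress

# Constructed placeholder: the post does not give the VPN server address.
VPN_SERVER = "192.0.2.10"

# Rule format: (destination, protocol, port, action); "any" matches all hosts.
VPN_PASSTHROUGH = [
    (VPN_SERVER, "tcp", 443, "permit"),   # HTTPS to the VPN service
    (VPN_SERVER, "udp", 4500, "permit"),  # NAT-T to the VPN service
]

# Simplified stand-in for the captive portal rules (assumption, not the
# shipped policy): web traffic from unauthenticated guests goes to the portal.
CAPTIVEPORTAL = [
    ("any", "tcp", 80, "redirect-to-portal"),
    ("any", "tcp", 443, "redirect-to-portal"),
]

def build_role(*policies):
    """Flatten policies, in order, into the rule list a role evaluates top-down."""
    return [rule for policy in policies for rule in policy]

def evaluate(role, dst, proto, port):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule_dst, rule_proto, rule_port, action in role:
        dst_ok = (rule_dst == "any"
                  or ipaddress.ip_address(rule_dst) == ipaddress.ip_address(dst))
        if dst_ok and rule_proto == proto and rule_port == port:
            return action
    return "deny"

def overly_broad(policy):
    """Audit helper: permits to 'any' open that port to every pre-auth guest."""
    return [r for r in policy if r[0] == "any" and r[3] == "permit"]

GOOD_ROLE = build_role(VPN_PASSTHROUGH, CAPTIVEPORTAL)    # passthrough on top
WRONG_ORDER = build_role(CAPTIVEPORTAL, VPN_PASSTHROUGH)  # passthrough below

if __name__ == "__main__":
    flows = [(VPN_SERVER, "tcp", 443), (VPN_SERVER, "udp", 4500),
             ("198.51.100.7", "tcp", 443), ("198.51.100.7", "tcp", 22)]
    for flow in flows:
        print(flow, evaluate(GOOD_ROLE, *flow), evaluate(WRONG_ORDER, *flow))
```

With the policy below the captive portal rules, HTTPS to the VPN server is caught by the portal redirect first, which is the failure the ordering advice avoids.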
Frequent Contributor II

Re: Captive portal bypass

Herman, excellent, it worked a treat, I now understand this. Thanks, much appreciated.

New Contributor

Re: Captive portal bypass


I have several dozen MACs to enter into Captive Portal Bypass on multiple controllers, is it possible to do this through the CLI?



Guru Elite

Re: Captive portal bypass
