Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

External Captive Portal - no IP address on user VLAN

  • 1.  External Captive Portal - no IP address on user VLAN

    Posted Oct 21, 2019 11:09 PM

    Hey everyone,


    Is it possible to have an external captive portal if the controller does not have an IP on the user VLAN?


    Recently testing on a system, the redirection did not work until I added an IP to the user VLAN, even though I had allow-tri-session nat enabled. Before this I was only using an IP address for the management VLAN (not 1) and the cluster VRRP address (currently version 8.5).


    I had the external captive portal working on Instant, and Instant does not have multiple IP addresses.


    Thanks in advance,

    RK



  • 2.  RE: External Captive Portal - no IP address on user VLAN
    Best Answer

    Posted Oct 22, 2019 03:41 AM

    Captive portal redirection is a layer 3 function and requires an IP address on the interface.



  • 3.  RE: External Captive Portal - no IP address on user VLAN

    Posted Oct 22, 2019 07:10 AM

    Thanks James!



  • 4.  RE: External Captive Portal - no IP address on user VLAN

    EMPLOYEE
    Posted Oct 22, 2019 11:36 PM

    RKinsp, Captive Portal authentication is an L3 authentication, and the Controller needs to communicate with the client over IP, e.g. to redirect the client to the external captive portal. But the IP does not need to be in the same VLAN as the client. It is recommended to have an IP in the client VLAN, because it makes everything easier. If you do not have an IP in the user VLAN, you need to make sure that the client can reach the controller IP from the client VLAN, e.g. using the main router or firewall. You also need to make sure that you enable Allow tri-session with DNAT in the firewall settings:


    (screenshot: IAP-VPN-Guest-Allow-Tri-Session)


    Hope this helps.