Wired Intelligent Edge (Campus Switching and Routing)

How to have captive portal for wired uses only on one vlan on a trunk link?

Aruba Employee
Aruba Employee

Captive portal is a L-3 authentication which occurs after all L-2 authentication has been completed and user has got an IP address. Depending upon the configuration, he would need to enter the username / password or the email ID to pass the authentication.

We can have captive portal for wired clients also. For that, we must un-trust a wired port so that the traffic in it goes through authentication.


Environment : This article is valid for all Aruba controllers and code versions.


Network Topology : An Aruba controller with wired users.



Configure the following on the Aruba controller:


# config t
# interface g 1/0
# no trust

It will be authenticated according to the aaa profile mapped to aaa authentication wired:

# aaa authentication wired
#aaa profile wired captiveportal

We can also have authentication on a trunk port. In that case all the traffic no matter which Vlan it  belongs to.

#config t
#int g 1/0
#switchport trunk
#no trust

If we want authentication only for one particular VLAN and not the other VLANs , we must do the following

a. Make the port trusted
2. untrust the Vlan where we want the authentication to take place

#config t
#int g 1/0
#switchport mode trunk

#no trusted vlan 10

Now, vlan 10 traffic will go through authentication and rest of the traffic will be trusted and will not go through authentication.



To have authentication enabled on one vlan on a trunk link:


1. Trust the port:

#config t
#int g 1/0
#switchport mode trunk

2. Then untrust the vlan where we want the authentication(captive portal ) to take place.

#no trusted vlan 10



Version history
Revision #:
1 of 1
Last update:
‎07-11-2014 09:26 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: