New Contributor

External Captive Portal Authentication

I have a few questions related to a custom external captive portal. My company wants to develop an in-house solution (i.e., they don't want to buy the guest provisioning portion of ClearPass ;)) to redirect our free public Wi-Fi users to an external server. The programmer I'm working with wants to know if the controller can send the MAC address info of the user to the external server.


The other question we have is about how the reauth period is defined. So once someone gets access via the captive portal, how long is it before they have to reauthenticate? Can that be a value that's sent over from the external server? The reason I ask is because we are a tourist attraction/hospitality venue and we'd like to set something up so once someone is granted access and we confirm they have a ticket or are a hotel guest, they wouldn't have to keep going through the captive portal. 


Any help/insight would be much appreciated. Also, FYI, we have two 7220 controllers, master/local setup, and are running Thanks!

Guru Elite

Re: External Captive Portal Authentication

1.  You need to change the "Login Page" parameter in the Captive Portal Authentication Profile to point to your external Captive Portal (by default this parameter points to /auth/index.html, which is a login page internal to the local controller). In addition, in the "logon" role that the user is assigned, you MUST allow HTTP and HTTPS access to this external server. You can also manipulate how long before the user is prompted for credentials by enabling and configuring the user idle timeout as shown below in the same Captive Portal Authentication profile. For users that are returning, you can do MAC authentication and send back a user idle-timeout via RADIUS.


2.  The external HTML page can be constructed using the same information used to construct a custom HTML page here: http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Captive_Portal/Internal_Captive_Portal.htm except you will load that page onto your external web server. The HTML will use Form Submit to submit the username and password to an external server (typically a RADIUS server). By default the initial redirect URL will include the MAC address of the guest user.


A second way that can be done is via the XML-API, where your external server can programmatically change the role on users (authenticate), blacklist and even query users. This is more advanced, of course: http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/XML_API/Sample_Code.htm



*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
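An added example, not part of the reply above or of Aruba's documentation: one way the external portal could read the MAC address from the redirect URL mentioned in point 2. The parameter name `mac`, the hostname and the sample values are assumptions, so check them against a real redirect from your controller. The `randomized` flag matters when returning users are recognized by MAC address.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the controller appends the client MAC as a query parameter
# named "mac"; confirm the name against a real redirect from your controller.
MAC_PARAM = "mac"
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str) -> str:
    """Return aa:bb:cc:dd:ee:ff or raise ValueError."""
    # Accept colon, hyphen or dot separated forms, or bare hex.
    compact = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _HEX12.fullmatch(compact):
        raise ValueError("not a MAC address")
    return ":".join(compact[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, as in per-network randomized MACs."""
    return bool(int(mac[:2], 16) & 0x02)


def client_mac_from_redirect(url: str) -> dict:
    """Extract and validate the MAC from the portal redirect URL.

    The URL reaches the portal through the guest's browser, so the value is
    client-editable: use it as a lookup hint, not as proof of identity.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get(MAC_PARAM, [])
    if len(values) != 1:  # missing or repeated parameter
        raise ValueError("expected exactly one MAC parameter")
    mac = normalize_mac(values[0])
    return {"mac": mac, "randomized": is_locally_administered(mac)}


# Constructed sample redirects (hostname and values are made up).
SAMPLES = [
    "https://portal.example.com/login?mac=00%3A1A%3A2B%3A3C%3A4D%3A5E",
    "https://portal.example.com/login?mac=da-a1-19-00-00-01",
    "https://portal.example.com/login?mac=00:1a:2b:3c:4d:5e&mac=ff:ff:ff:ff:ff:ff",
]

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            print(client_mac_from_redirect(s))
        except ValueError as e:
            print("rejected:", e)
```
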
Aruba Employee

Re: External Captive Portal Authentication

I can only assume that this is what Colin meant to put for #3...


3. Or use ClearPass with an external Authentication source. This won't use Guest Licensing.


So, if you can query your external DB (Postgres, MySQL, MSSQL, or Oracle 11g) for the ticket number or room information, then you could use that as the authentication source.




Last Name:______________

Ticket/Room Number:______________


Last name can be used as the username and Ticket/Room Number could be the password, assuming you have access to the database with that information, and it is one of the database types listed above.




Zach Jennings
New Contributor

Re: External Captive Portal Authentication

Thank you both, this is very helpful! 
