hi apoapoapoapo
the controller doesn't trigger it, the client triggers it. Flow is as follows:
1. client connects, gets a role that has captive portal ACLs in it
2. client tries to open http://place.com
3. controller spoofs the src ip of place.com and the client establishes an HTTP connection and gets the index page
4. controller responds with HTTP 302 redirect to the "login-page" as configured in the captive portal, say http://captiveportalserver.com
5. client DNS resolves and then attempts to connect to captiveportalserver.com - there must be an allow rule in the captive portal access list for this host, placed above all the dst-nat rules, for example:
netdestination external_cp   << or you can put the IP directly into the ACL
  host 1.2.3.4
!
ip access-list session captiveportal
  user alias external_cp svc-http permit   <<
  user alias external_cp svc-https permit   <<
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
!
6. client receives the external CP webpage which contains a form with username and password fields, and the form action is the controller's authentication interface
7. client adds username/password or whatever else is used to authenticate (might just be a "press ok to continue" where the username and password are embedded in the form as hidden data etc.)
8. client presses "ok/login" and the client submits the form to the controller, the controller then performs radius auth and if the result is OK it changes the role to the captive portal guest auth role (i.e. removes the captive portal).
you can refer to this link for some of the common methods
https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1649
regards
-jeff
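
The rule-ordering point in step 5, as an added example that is not part of jeff's post and not Aruba code: a small Python model of first-match evaluation over the "captiveportal" ACL, comparing the order from the post with the permits moved below the dst-nat rules. The controller address 10.0.0.1 and the test destination 203.0.113.10 are constructed, and the parser only handles the rule shapes shown in the post.

```python
# Added example: first-match evaluation of the "captiveportal" session ACL.
ALIASES = {
    "external_cp": {"1.2.3.4"},   # host from the post
    "controller": {"10.0.0.1"},   # assumed controller address (constructed)
}
PORTS = {"svc-http": 80, "svc-https": 443}

def parse_acl(text):
    """Parse 'user <any | alias NAME> <service> <action...>' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "user":
            continue
        if tok[1] == "alias":
            dst, rest = ALIASES[tok[2]], tok[3:]
        else:                      # "any" destination
            dst, rest = None, tok[2:]
        rules.append((dst, PORTS[rest[0]], " ".join(rest[1:])))
    return rules

def evaluate(rules, dst_ip, dst_port):
    """Return the action of the first rule that matches; later rules are not consulted."""
    for dst, port, action in rules:
        if (dst is None or dst_ip in dst) and port == dst_port:
            return action
    return "deny"                  # no rule matched

DST_NAT = """
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
"""
PERMITS = """
user alias external_cp svc-http permit
user alias external_cp svc-https permit
"""
GOOD = PERMITS + DST_NAT           # order from the post: permits on top
BAD = DST_NAT + PERMITS            # constructed misordering: permits at the bottom

def check(acl_text, other_ip="203.0.113.10"):   # other_ip: constructed test address
    rules = parse_acl(acl_text)
    return {
        "portal_http": evaluate(rules, "1.2.3.4", 80),
        "portal_https": evaluate(rules, "1.2.3.4", 443),
        "other_http": evaluate(rules, other_ip, 80),
    }

if __name__ == "__main__":
    for name, acl in (("permits first", GOOD), ("permits last", BAD)):
        print(name, check(acl))
```

With the permits at the bottom, traffic to 1.2.3.4 matches the `user any ... dst-nat` rules first and is sent back to the controller, so the client never reaches the external portal page.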