
Configuring External Captive Portal for a Guest Network

 Instant supports external captive portal authentication. The external portal can be on the cloud or on a server outside the enterprise network.

Configuring External Captive Portal Authentication for a Network Profile

You can configure external captive portal authentication for a network profile when adding or editing a guest network using the Instant UI or CLI.

In the Instant UI

1. Select an existing wireless or wired profile. Depending on the network profile selected, the Edit <WLAN-Profile> or Edit Wired Network window is displayed.

 

You can also configure external captive portal in the Security tab of the New WLAN and New Wired Network windows when configuring a new wireless or wired profile.

2. In the Security tab, select any of the following options from the Splash page type drop-down:
   - External - Authentication Text
   - External - RADIUS Server
3. Configure the following parameters based on the type of splash page you selected.

Table 1: External Captive Portal Configuration Parameters

Parameter

Description

WISPr

Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication.

 

NOTE: The WISPr authentication is applicable only for the External - RADIUS Server and Internal-Authenticated splash pages and is not applicable for wired profiles.

MAC authentication

Select Enabled if you want to enable MAC authentication. For information on MAC authentication, see Configuring MAC Authentication for a Network Profile.

Authentication server

To configure Authentication server, select any of the following options:

- If the server is already configured, select the server from the list.
- To create a new external RADIUS server, select New. For more information, see Configuring an External Server for Authentication.

 

Reauth interval

Specify a value for the reauthentication interval at which the APs periodically reauthenticate all associated and authenticated clients.

Accounting mode

Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.

Blacklisting

If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.

Max authentication failures

If you are configuring a wireless network profile and Blacklisting is enabled, specify a maximum number of authentication failures after which users who fail to authenticate must be dynamically blacklisted.

 

 

Walled garden

Click the link to open the Walled Garden window. The walled garden configuration determines access to the websites. For more information, see Configuring Walled Garden Access.

Disable if uplink type is

Select the type of the uplink to exclude.

External Splash Page

Specify the following parameters:

- IP or hostname: Enter the IP address or the hostname of the external splash page server.
- URL: Enter the URL for the external splash page server.
- Port: Enter the number of the port to use for communicating with the external splash page server.
- Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.
- Captive Portal failure: This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access the Internet when the external captive portal server is not available.
- Automatic URL Whitelisting: Select Enabled or Disabled to enable or disable automatic whitelisting of URLs. On selecting the check box for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted. In the current release, the automatic URL whitelisting is disabled by default.
- This option is enabled by default.
- Auth Text: If the External Authentication splash page is selected, specify the authentication text that must be returned by the external server after successful authentication.
4. Click Next to continue and then click Finish to apply the changes.

In the CLI

To configure security settings for guest users of the WLAN SSID profile:

(Instant Access Point)(config)# wlan ssid-profile <SSID-Name>

(Instant Access Point)(SSID Profile <name>)# essid <ESSID-name>

(Instant Access Point)(SSID Profile <name>)# type <Guest>

(Instant Access Point)(SSID Profile <name>)# captive-portal <type> exclude-uplink {3G|4G|Wifi|Ethernet}

(Instant Access Point)(SSID Profile <name>)# blacklist

(Instant Access Point)(SSID Profile <name>)# mac-authentication

(Instant Access Point)(SSID Profile <name>)# max-authentication-failures <number>

(Instant Access Point)(SSID Profile <name>)# auth-server <server-name>

(Instant Access Point)(SSID Profile <name>)# radius-accounting

(Instant Access Point)(SSID Profile <name>)# radius-interim-accounting-interval

(Instant Access Point)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant Access Point)(SSID Profile <name>)# wpa-passphrase <WPA_key>

(Instant Access Point)(SSID Profile <name>)# wep-key <WEP-key> <WEP-index>

(Instant Access Point)(SSID Profile <name>)# end

(Instant Access Point)# commit apply

To configure external Captive Portal splash page:

(Instant Access Point)(config)# wlan external-captive-portal

(Instant Access Point)(External Captive Portal)# auth-text <text>

(Instant Access Point)(External Captive Portal)# port <port>

(Instant Access Point)(External Captive Portal)# redirect-url <url>

(Instant Access Point)(External Captive Portal)# server <server>

(Instant Access Point)(External Captive Portal)# url <url>

(Instant Access Point)(External Captive Portal)# end

(Instant Access Point)# commit apply

To allow Internet access to users when external Captive Portal is unavailable:

(Instant Access Point)(config)# wlan external-captive-portal

(Instant Access Point)(External Captive Portal)# server-fail-through

(Instant Access Point)(External Captive Portal)# end

(Instant Access Point)# commit apply

To enable automatic whitelisting of URLs:

(Instant Access Point)(config)# wlan external-captive-portal

(Instant Access Point)(External Captive Portal)# no auto-whitelist-disable

(Instant Access Point)(External Captive Portal)# end

(Instant Access Point)# commit apply
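
An added example, not part of the Instant documentation: a small Python check that reads a saved configuration and flags three settings from the CLI sections above that are worth reviewing on a guest network (server-fail-through, a wep-key on an SSID profile, and a captive-portal SSID profile with no blacklist line). The stanza layout (an unindented wlan line followed by indented settings), the sample values and the finding codes are assumptions made for this example.

```python
# Constructed sample built from the commands on this page; not real device output.
SAMPLE_CONFIG = """\
wlan external-captive-portal
 server portal.example.com
 port 443
 url "/guest/login"
 auth-text "Authenticated"
 server-fail-through
wlan ssid-profile guest-lobby
 type guest
 captive-portal external
 wep-key 0123456789 1
 blacklist
 max-authentication-failures 5
wlan ssid-profile guest-cafe
 type guest
 captive-portal external
 mac-authentication
"""

def parse_stanzas(text):
    """Group indented settings under the unindented header line above them."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():      # unindented line opens a new stanza
            current = raw.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(raw.strip())
    return stanzas

def audit(text):
    """Return (stanza, code) findings; the codes are names made up for this example."""
    findings = []
    for header, lines in parse_stanzas(text).items():
        # First word of each setting; a "no ..." line turns a setting off, so skip it.
        keys = {line.split()[0] for line in lines if not line.startswith("no ")}
        if header == "wlan external-captive-portal" and "server-fail-through" in keys:
            findings.append((header, "FAIL_OPEN"))      # Internet allowed when portal is down
        if header.startswith("wlan ssid-profile "):
            if "wep-key" in keys:
                findings.append((header, "WEP_KEY"))    # WEP is a broken cipher
            if "captive-portal" in keys and "blacklist" not in keys:
                findings.append((header, "NO_BLACKLIST"))  # no blacklisting after failed logins
    return findings

if __name__ == "__main__":
    for stanza, code in audit(SAMPLE_CONFIG):
        print(f"{code:13} {stanza}")
```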