
Configuring Captive Portal Security for a WLAN SSID Profile

When a captive portal profile is associated with an SSID, it is applied before user authentication. When it is associated with a role, it is applied only after the user authenticates. Clients that connect to an SSID with a captive portal profile are placed in a pre-authentication role that carries the captive portal rule. That role allows only DNS and DHCP traffic between the client and the network and redirects all HTTP or HTTPS requests to the captive portal unless a rule explicitly permits them. Keep the pre-authentication role this narrow: any additional destination allowed in it is reachable by clients that have not authenticated.

To configure a captive portal security profile for guest user access:

  1. To access the WLAN SSID configuration wizard for a new SSID profile or an existing SSID profile, see Configuring a WLAN SSID Profile in Bridge Mode or Creating a WLAN Profile in Tunnel and Mixed Mode.
  2. In the WLAN SSID configuration wizard, click the Security tab.
  3. In Security Level, select Captive Portal.
  4. Under Splash Page, select one of the following from the Captive Portal Type drop-down list:
    • Internal—The splash page is hosted on the AP. Guest users must authenticate on the captive portal page to access the Internet, and they must already exist in the user database. For more information, see Configuring an Internal Captive Portal Splash Page Profile.
    • External—The splash page is hosted on an external captive portal server, and you must provide that server's details (IP address or host name, URL, and port). For more information, see Configuring an External Captive Portal Splash Page Profile.
    • Cloud Guest—The splash page is served by Cloud Guest; select the Guest Captive Portal Profile to use. For more information, see Associating a Cloud Guest Splash Page Profile to a Guest SSID.
    • None—Select this option if you do not want to set any splash page.
    Then configure the following parameters:

      Table 1: Captive Portal Security Profile

      Parameter

      Description

      Captive Portal Type

      Select Internal, External, Cloud Guest, or None from the drop-down list, as described in step 4.

      Captive Portal Profile

      To use the default captive portal profile, select Default.

      To use a custom Splash Page profile, click + and configure the following parameters:

      Name—Enter a name for the profile.

      Type—Select one of the following types of authentication:

      RADIUS Authentication—Select this option to authenticate users against a RADIUS server.

      Authentication Text—Select this option to specify an authentication text. The external server returns this text after a successful user authentication, and the AP accepts the login when it sees it, so the text acts as a shared secret between the AP and the portal server; choose an unguessable string.

      IP or Hostname—Enter the IP address or the host name of the external splash page server.

      URL—Enter the URL of the external captive portal server.

      Port—Enter the port number that is used for communicating with the external captive portal server.

      Use HTTPS—Select this to require clients to use HTTPS to communicate with the captive portal server. This option is available only if RADIUS Authentication is selected.

      Captive Portal Failure—This field configures Internet access for guest users when the external captive portal server is not available. Select Deny Internet to prevent guest users from using the network, or Allow Internet to let them through without authenticating (fail-open).

      Automatic URL Allowlisting—When enabled for external captive portal authentication, the URLs that unauthenticated users are allowed to access are allowlisted automatically.

      Server Offload—Select the check box to enable the server offload feature. It ensures that non-browser client applications are not unnecessarily redirected to the external captive portal server, which reduces the load on that server.

      Prevent Frame Overlay—Select this check box to prevent the splash page from being overlaid by frames from another origin. When enabled, frames display only pages that are in the same domain as the main page, which protects the login form against clickjacking.

      Redirect URL—Specify a redirect URL if you want to send users to another URL after they authenticate.

      Encryption

      To enable encryption settings, turn on the Encryption toggle switch and select a key management method from Key Management:

      For WPA-2 Personal, WPA Personal, Both (WPA-2&WPA), and WPA-3 keys, configure the following parameters:

      Passphrase Format: Select a passphrase format. The available options are 8-63 alphanumeric characters and 64 hexadecimal characters.

      Enter a passphrase in Passphrase and reconfirm it.

      For Static WEP, specify the following parameters:

      Select an appropriate value for the WEP key size from WEP Key Size. You can define 64-bit or 128-bit keys.

      Select an appropriate value for the Tx key from Tx Key.

      Enter an appropriate WEP Key and reconfirm it.

      WEP is cryptographically broken and its key can be recovered by a passive attacker; use it only for legacy devices that support nothing else, and prefer WPA-2 or WPA-3.

  5. Click Advanced Settings and configure the following parameters:

    Table 2: Advanced WLAN Security Settings—Captive Portal Security Profile

    Data pane item

    Description

    Captive Portal Proxy Server IP

    To configure a captive portal proxy server or a global proxy server to match your browser configuration, enter the proxy server IP address.

    Captive Portal Proxy Server Port

    If the captive portal proxy server IP address is configured, enter the captive portal proxy server port.

    MAC Authentication

    To enable MAC address based authentication of clients, turn on the MAC Authentication toggle switch. MAC addresses are easily spoofed, so MAC authentication limits which devices are expected on the SSID but does not prove a user's identity. When MAC authentication is enabled, you can configure the following parameters:

    Delimiter Character—Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the AP uses the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. This option is available only when MAC authentication is enabled.

    Uppercase Support—Set to Enabled to allow the AP to use uppercase letters in MAC address string for MAC authentication. This option is available only if MAC authentication is enabled.

    Reauth Interval

    Define a value for Reauth Interval. When set to a value greater than zero, APs periodically re-authenticate all associated and authenticated clients.

    The following events occur when the re-authentication interval is configured on WLAN SSIDs:

    On an SSID performing L2 authentication (MAC or 802.1X authentication)—When re-authentication fails, the clients are disconnected. If the SSID is performing only MAC authentication and has a pre-authentication role assigned to the client, the client receives the post-authentication role only after a successful re-authentication. If re-authentication fails, the client retains the pre-authentication role.

    On an SSID performing both L2 and L3 authentication (MAC with captive portal authentication)—When re-authentication succeeds, the client retains the role that is already assigned. If re-authentication fails, the pre-authentication role is assigned to the client.

    On an SSID performing only L3 authentication (captive portal authentication)—When re-authentication occurs, a client in the post-authentication role is assigned the pre-authentication role, so clients must go through the captive portal again to regain access.

    Denylisting

    To enable denylisting of the clients with a specific number of authentication failures, select Denylisting and specify a value for Max Authentication Failures. The users who fail to authenticate the number of times specified in Max Authentication Failures field are dynamically denylisted. By default, the Denylisting option is disabled.

    Enforce DHCP

    To enforce DHCP and block traffic from AP clients that do not obtain an IP address through DHCP, enable Enforce DHCP. This prevents a client with a manually configured static IP address from bypassing the layer-3 user entry. When DHCP is enforced:

    A layer-2 user entry is created when a client associates with an AP.

    The client DHCP state and IP address are tracked.

    When the client obtains an IP address from DHCP, the DHCP state changes to complete.

    If the DHCP state is complete, a layer-3 user entry is created.

    When a client roams between the APs, the DHCP state and the client IP address is synchronized with the new AP.

    Use IP for Calling Station

    Enable this option to send the client IP address, instead of the client MAC address, as the Calling-Station-Id in RADIUS requests. When this option is enabled, the following options are displayed:

    Called Station ID Type—Select any of the following options for configuring called station ID:

    Access Point Group—Uses the AP ID as the called station ID.

    Access Point Name—Uses the host name of the AP as the called station ID.

    VLAN ID—Uses the VLAN ID as the called station ID.

    IP Address—Uses the IP address of the AP as the called station ID.

    MAC address—Uses the MAC address of the AP as the called station ID.

    Called Station Include SSID—Appends the SSID name to the called station ID.

    Called Station ID Delimiter—Sets delimiter at the end of the called station ID.

    Max Authentication Failures—Sets a value for the maximum allowed authentication failures.

    Disable If Uplink Type Is

    To exclude Ethernet, Wi-Fi, or cellular uplinks from authentication, select the uplink type.

    Fast Roaming

    Enable the following fast roaming features as per your requirement:

    802.11r—Turn on the 802.11r toggle switch to enable 802.11r roaming (fast BSS transition). The fast BSS transition mechanism minimizes the delay when a client transitions from one BSS (AP) to another within the same cluster.

    When 802.11r is enabled, you can configure a mobility domain identifier (MDID). In a network of standalone APs that share a management VLAN, 802.11r roaming does not work by default because the MDIDs, which are auto-generated from a per-AP key, do not match across APs. To enable 802.11r in that case, configure the same MDID value on every AP.

    802.11k—Turn on the 802.11k toggle switch to enable 802.11k roaming. The 802.11k protocol enables APs and clients to dynamically discover the available radio resources. When 802.11k is enabled, APs and clients exchange neighbor reports, beacon reports, and link measurement reports.

    802.11v—Turn on the 802.11v toggle switch to enable 802.11v based BSS transition. The 802.11v standard defines mechanisms for wireless network and BSS transition management. It allows client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an AP to request a voice client to transition to a specific AP, or to suggest a set of preferred APs, for network load balancing or BSS termination. It also helps the voice client identify the best AP to transition to as it roams.

  6. Click Next.
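The External captive portal fields in Table 1 (IP or Hostname, URL, Port, Authentication Text, Prevent Frame Overlay, Redirect URL) describe what the AP expects from the splash page server, but the page does not show the server side. The following is an added example written for this page, not code from the original page or from the product's own captive portal: a minimal WSGI splash page server. It assumes that the AP redirects unauthenticated clients to /login on this host and treats a response containing the configured Authentication Text (AUTH_TEXT) as a successful login; the guest user store, salt, and the AUTH_TEXT and REDIRECT_URL values are constructed for illustration. It sends anti-framing headers as the server-side counterpart of Prevent Frame Overlay, hashes stored passwords, and makes sure the failure page never carries the authentication text.

```python
"""Minimal external captive portal splash server (added example, not the
product's own code).

Assumptions, not taken from the original page: the AP redirects unauthenticated
clients to /login on this host and treats a response that contains AUTH_TEXT
(the profile's Authentication Text) as a successful login. The guest user store
below is constructed for illustration.
"""
import hashlib
import hmac
import io
from html import escape
from urllib.parse import parse_qs

AUTH_TEXT = "GUEST-AUTH-OK-7f3a"                        # must equal the profile's Authentication Text
REDIRECT_URL = "https://intranet.example.net/welcome"   # the profile's Redirect URL (assumed value)

# Server-side counterpart of the AP's Prevent Frame Overlay option: refuse to be
# framed by any other origin so the login form cannot be clickjacked.
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "frame-ancestors 'self'"),
    ("Cache-Control", "no-store"),
]

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed guest database: username -> (salt, PBKDF2 hash). A fixed salt is
# used only so the example is reproducible; generate one per user with os.urandom(16).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"guest1": (_SALT, _hash_password("Wifi-Guest-2024", _SALT))}

def verify_credentials(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _SALT)   # same cost for unknown users (no user enumeration by timing)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))

def splash_page(error: str = "") -> str:
    notice = f"<p>{escape(error)}</p>" if error else ""
    return (
        "<!doctype html><title>Guest Wi-Fi</title><h1>Guest Wi-Fi login</h1>"
        f"{notice}<form method=\"post\" action=\"/login\">"
        "User <input name=\"username\"> "
        "Password <input name=\"password\" type=\"password\"> "
        "<input type=\"submit\" value=\"Log in\"></form>"
    )

def success_page() -> str:
    # Only this page carries AUTH_TEXT. The failure page must never include it,
    # because the AP grants the post-authentication role as soon as it sees it.
    return (
        "<!doctype html>"
        f"<meta http-equiv=\"refresh\" content=\"2;url={escape(REDIRECT_URL)}\">"
        f"<p>{AUTH_TEXT}</p>"
    )

def app(environ, start_response):
    """WSGI application: GET shows the form, POST /login checks credentials."""
    headers = [("Content-Type", "text/html; charset=utf-8")] + ANTI_FRAMING_HEADERS
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("200 OK", headers)
        return [splash_page().encode()]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    raw = environ["wsgi.input"].read(min(length, 4096)).decode(errors="replace")
    form = parse_qs(raw)
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if verify_credentials(username, password):
        start_response("200 OK", headers)
        return [success_page().encode()]
    start_response("401 Unauthorized", headers)
    return [splash_page("Login failed").encode()]

def handle(method: str, body: str = ""):
    """Drive the WSGI app in-process; returns (status, headers dict, body)."""
    environ = {
        "REQUEST_METHOD": method,
        "CONTENT_LENGTH": str(len(body.encode())),
        "wsgi.input": io.BytesIO(body.encode()),
    }
    captured = {}
    def start_response(status, hdrs):
        captured["status"], captured["headers"] = status, dict(hdrs)
    out = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], out

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Plain HTTP for the demo; terminate TLS in front of it before real guests use it.
    make_server("0.0.0.0", 8080, app).serve_forever()
```

Run the file to serve the page on port 8080, or call handle() to exercise it offline. Because the AP's only proof of login is the authentication text, the server must treat that string like a credential: it appears in exactly one code path, error pages reuse the form instead of echoing anything the client sent unescaped, and the portal should sit behind TLS so the text cannot be read off the wire.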
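The MAC Authentication settings (Delimiter Character, Uppercase Support) and the Use IP for Calling Station and Called Station ID options in Table 2 all change the literal strings the AP puts into its RADIUS Access-Request, and a RADIUS policy that matches on those strings breaks silently when the format changes. The following is an added example written for this page, not the AP's own implementation: it renders the attributes for each setting and shows a server-side policy that normalizes the MAC before matching. It assumes that the called station ID is built as ID, then delimiter, then SSID when Called Station Include SSID is on, that the AP MAC is sent dash-separated in uppercase, and that MAC authentication sends the MAC as both User-Name and User-Password; the AP record and client addresses are constructed.

```python
"""Added example (not the AP's own code): RADIUS attribute formatting for MAC
authentication and Called Station ID, plus a server-side policy check.

Assumptions: Called-Station-Id = <ID><delimiter><SSID> when Called Station
Include SSID is enabled; the AP MAC is rendered as dash-separated uppercase;
MAC authentication sends the MAC as both User-Name and User-Password.
The AccessPoint record and MAC/IP addresses used below are constructed."""
from dataclasses import dataclass
import ipaddress

_HEX = set("0123456789abcdefABCDEF")

def format_mac(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """Render a MAC the way the AP sends it: bare 12 hex digits when no delimiter
    is configured, otherwise pairs joined by the delimiter; case per Uppercase Support."""
    digits = "".join(c for c in mac if c not in ":-. ")
    if len(digits) != 12 or not set(digits) <= _HEX:
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    if not delimiter:
        return digits
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class AccessPoint:
    name: str
    group: str
    mac: str
    ip: str
    vlan: int

def called_station_id(ap: AccessPoint, ssid: str, id_type: str = "MAC address",
                      include_ssid: bool = False, delimiter: str = "") -> str:
    """Build Called-Station-Id from the selected Called Station ID Type."""
    base = {
        "Access Point Group": ap.group,
        "Access Point Name": ap.name,
        "VLAN ID": str(ap.vlan),
        "IP Address": ap.ip,
        "MAC address": format_mac(ap.mac, "-", uppercase=True),  # assumed AP MAC format
    }[id_type]
    return f"{base}{delimiter}{ssid}" if include_ssid else base

def mac_auth_request(client_mac: str, client_ip: str, ap: AccessPoint, ssid: str, *,
                     mac_delimiter: str = "", uppercase: bool = False,
                     use_ip_for_calling_station: bool = False, **called_station) -> dict:
    """Attributes of the Access-Request the AP would send for MAC authentication."""
    user = format_mac(client_mac, mac_delimiter, uppercase)
    if use_ip_for_calling_station:
        calling = str(ipaddress.ip_address(client_ip))   # also validates the address
    else:
        calling = user
    return {
        "User-Name": user,
        "User-Password": user,             # assumed convention for MAC authentication
        "Calling-Station-Id": calling,
        "Called-Station-Id": called_station_id(ap, ssid, **called_station),
        "NAS-Identifier": ap.name,
    }

def guest_ssid_policy(request: dict, allowed_macs, ssid: str = "GuestNet",
                      delimiter: str = ":") -> bool:
    """Server-side rule: accept only known MACs, and only on the guest SSID.
    MACs are normalized before comparison so a later change to the AP's delimiter
    or uppercase setting cannot silently turn every match into a reject. MAC
    addresses are trivially spoofed, so this limits exposure; it proves no identity."""
    if not request["Called-Station-Id"].endswith(f"{delimiter}{ssid}"):
        return False
    known = {format_mac(m) for m in allowed_macs}
    return format_mac(request["User-Name"]) in known

if __name__ == "__main__":
    ap = AccessPoint("ap-lobby-1", "lobby", "d8:c7:c8:11:22:33", "10.0.5.10", 50)
    req = mac_auth_request("00:1a:2b:3c:4d:5e", "10.0.50.23", ap, "GuestNet",
                           mac_delimiter="-", uppercase=True,
                           id_type="Access Point Name", include_ssid=True, delimiter=":")
    for attr, value in req.items():
        print(f"{attr} = {value}")
    print("policy:", guest_ssid_policy(req, ["00:1a:2b:3c:4d:5e"]))
```

Feed the printed attributes into the RADIUS server's test tooling to confirm that the policy written there matches the exact Called-Station-Id suffix and MAC format the AP is configured to send, and re-run the check after changing any of these options.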