Enabling Captive Portal Enhancements
ArubaOS introduces the following enhancements in Captive Portal:
- Location information such as AP name and AP group name has been included in the Captive Portal redirect URL. The following example shows a Captive Portal redirect URL that contains the AP name and the AP group name:
https://securelogin.example.com/cgi-bin/login?cmd=login&mac=00:24:d7:ed:84:14&ip=10.15.104.13&essid=example-test-tunnel&apname=ap135&apgroup=example&url=http%3A%2F%2Fwww%2Eespncricinfo%2Ecom%2F
- A new option is introduced in the Captive Portal Authentication profile, which allows you to redirect the users to a specific URL after the authentication is complete.
- Captive Portal Login URL length has been increased from 256 characters to 2048 characters.
- Support for “?” (question mark) inside the Captive Portal login URL has been added.
- A new field, has been introduced in the and commands to provide a description about the netdestination up to 128 characters long.
- Support for configuring Whitelist in Captive Portal has been introduced.
The Captive Portal enhancements are available on Tunnel and Split-Tunnel forwarding modes.
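Every field in the redirect URL shown above reaches the external portal through the client's browser, so the portal should validate it before use. The following added example (not ArubaOS or portal vendor code) parses that sample URL, rejects missing or repeated parameters, and honours the `url` value only for allow-listed hosts; the allow-list, the fallback page and the name pattern are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Redirect URL from the example above, as the external portal receives it.
SAMPLE = (
    "https://securelogin.example.com/cgi-bin/login?cmd=login"
    "&mac=00:24:d7:ed:84:14&ip=10.15.104.13&essid=example-test-tunnel"
    "&apname=ap135&apgroup=example"
    "&url=http%3A%2F%2Fwww%2Eespncricinfo%2Ecom%2F"
)
MAX_URL_LEN = 2048  # login URL limit stated on this page
REQUIRED = ("cmd", "mac", "ip", "essid", "apname", "apgroup", "url")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
# Assumption: ESSID, AP and AP group names are short and use only these characters.
NAME_RE = re.compile(r"[A-Za-z0-9_.\- ]{1,64}")
# Assumptions: post-login destinations this portal accepts, and its fallback page.
ALLOWED_RETURN_HOSTS = {"www.espncricinfo.com"}
DEFAULT_LANDING = "https://securelogin.example.com/welcome"


def safe_return_url(target):
    """Return target only if it is http(s) to an allowed host, else the fallback."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return DEFAULT_LANDING
    if parts.scheme not in ("http", "https") or parts.username is not None:
        return DEFAULT_LANDING
    if parts.hostname not in ALLOWED_RETURN_HOSTS:
        return DEFAULT_LANDING
    return target


def parse_redirect(redirect_url):
    """Validate the controller-built query string; raise ValueError if malformed."""
    if len(redirect_url) > MAX_URL_LEN:
        raise ValueError("redirect URL exceeds 2048 characters")
    query = parse_qs(urlsplit(redirect_url).query, strict_parsing=True)
    fields = {}
    for key in REQUIRED:
        values = query.get(key, [])
        if len(values) != 1:  # missing or repeated parameter
            raise ValueError(f"{key}: expected one value, got {len(values)}")
        fields[key] = values[0]
    if not MAC_RE.fullmatch(fields["mac"]):
        raise ValueError("mac: not a colon-separated MAC address")
    fields["mac"] = fields["mac"].lower()
    fields["ip"] = str(ipaddress.ip_address(fields["ip"]))  # raises ValueError
    for key in ("essid", "apname", "apgroup"):
        if not NAME_RE.fullmatch(fields[key]):
            raise ValueError(f"{key}: unexpected characters or length")
    fields["return_to"] = safe_return_url(fields.pop("url"))
    return fields


if __name__ == "__main__":
    print(parse_redirect(SAMPLE))
```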
The following section describes the various enhancements in Captive Portal:
Configuring the Redirect-URL
The following CLI commands configure the Captive Portal redirect URL:
(host) [md] (config) # aaa authentication captive-portal REDIRECT
(host) [md] (Captive Portal Authentication Profile "REDIRECT") #redirect-url <absolute-URL>
Example:
(host) [md] (config) # aaa authentication captive-portal REDIRECT
(host) [md] (Captive Portal Authentication Profile "REDIRECT") #redirect-url https://test-login.php
Configuring the Login URL
The following CLI commands configure a Captive Portal login URL up to 2048 characters:
(host) [md] (config) # aaa authentication captive-portal LOGIN
(host) [md] (Captive Portal Authentication Profile "LOGIN")#login-page "https://clearpass-dev1.dev.arubademo.net/guest/aos8_self-reg.php?_browser=1"
You can configure the login URL with the “?” (question mark) character in it, provided the URL containing the question mark is within double quotes.
Defining Netdestination Descriptions
You can provide a description (up to 128 characters) for the netdestination using the CLI.
The following CLI commands provide a description for an IPv4 netdestination:
(host) [md] (config) #netdestination Local-Server
(host) [md] (config-dest) #description "This is a local server for IPv4 client registration"
The following CLI commands provide a description for an IPv6 netdestination:
(host) [md] (config) #netdestination6 Local-Server6
(host) [md] (config-dest) #description "This is a local server for IPv6 client registration"
The following CLI command displays the details of the specified IPv4 netdestination in the managed device:
(host) (config-dest)#show netdestination Local-Server
Name: Local-Server
Description: This is a local server for IPv4 client registration
Position  Type  IP addr  Mask-Len/Range
--------  ----  -------  --------------
1         name  0.0.0.1  yahoomail
2         name  0.0.0.2  mycorp
3         name  0.0.0.3  cricinfo
The following CLI command displays the details of the specified IPv6 netdestination in the managed device:
(host) (config-dest) #show netdestination Local-Server6
Name: Local-Server6
Description: This is a local server for IPv6 client registration
-------------------------------------------------------------------------------
Position  Type  IP addr  Mask-Len/Range
--------  ----  -------  --------------
1         name  ::9      yahoomail
2         name  ::a      mycorp
3         name  ::b      cricinfo
Configuring a Whitelist
You can now configure a whitelist in Captive Portal using the CLI.
This section describes the following topics:
Configuring the Netdestination for a Whitelist:
The following CLI commands configure a netdestination alias for Whitelist:
(host) [md] (config) #netdestination whitelist
(host) [md] (config-dest) #description guest_whitelist
(host) [md] (config-dest) #name mycorp
Associating a Whitelist to Captive Portal Profile
The following CLI commands associate a whitelist to the Captive Portal profile:
(host) [md] (config) #aaa authentication captive-portal CP_Profile
(host) [md] (Captive Portal Authentication Profile "CP_Profile") #white-list whitelist
Applying a Captive Portal Profile to a User-Role
The following CLI commands apply the Captive Portal profile to a user-role:
(host) [md] (config) # user-role guest_role
(host) [md] (config-submode) #access_list logon-control
(host) [md] (config-submode) #access_list captiveportal
(host) [md] (config-submode) #captive-portal CP_Profile
Verifying a Whitelist Configuration
The following CLI command verifies the whitelist alias in the managed device:
(host) (config) #show netdestination whitelist
whitelist Description: guest_whitelist
--------------------------------------
Position  Type  IP addr  Mask-Len/Range
--------  ----  -------  --------------
1         name  0.0.0.6  mycorp
Verifying a Captive Portal Profile Linked to a Whitelist
The following CLI command verifies the Captive Portal profile linked to the whitelist in the managed device:
(host) (config) #show aaa authentication captive-portal CP_Profile
Captive Portal Authentication Profile "CP_Profile"
-----------------------------------------------------------------
Parameter                                          Value
---------                                          -----
Default Role                                       guest
Default Guest Role                                 guest
Server Group                                       default
Redirect Pause                                     10 sec
User Login                                         Enabled
Guest Login                                        Disabled
Logout popup window                                Enabled
Use HTTP for authentication                        Disabled
Logon wait minimum wait                            5 sec
Logon wait maximum wait                            10 sec
logon wait CPU utilization threshold               60 %
Max Authentication failures                        0
Show FQDN                                          Disabled
Use CHAP (non-standard)                            Disabled
Login page                                         /auth/index.html
Welcome page                                       /auth/welcome.html
Show Welcome Page                                  Yes
Add switch IP address in the redirection URL       Disabled
Adding user vlan in redirection URL                Disabled
Add a controller interface in the redirection URL  N/A
Allow only one active user session                 Disabled
White List                                         whitelist
Black List                                         N/A
Show the acceptable use policy page                Disabled
Redirect URL                                       N/A
Verifying Dynamic ACLs for a Whitelist
The following CLI command verifies the dynamically created ACLs for the whitelist in the managed device:
(host) (config)#show rights guest_role
Derived Role = 'guest_role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 79/0
Max Sessions = 65535
Captive Portal profile = CP_Profile
access-list List
----------------
Position  Name                        Location
--------  ----                        --------
1         CP_Profile_list_operations
2         logon-control
3         captiveportal
CP_Profile_list_operations
-----------------------------------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    whitelist    svc-http         permit                                 Low                                                           4
2         user    whitelist    svc-https        permit                                 Low                                                           4
logon-control
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          udp 68           deny                                   Low                                                           4
2         any     any          svc-icmp         permit                                 Low                                                           4
3         any     any          svc-dns          permit                                 Low                                                           4
4         any     any          svc-dhcp         permit                                 Low                                                           4
5         any     any          svc-natt         permit                                 Low                                                           4
captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
2         user    any          svc-http         dst-nat 8080                           Low                                                           4
3         user    any          svc-https        dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4
Expired Policies (due to time constraints) = 0
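The whitelist verification above can be turned into a repeatable check. The following added example (not ArubaOS tooling and not code from this page) parses `show rights` output and reports when the whitelist ACL is missing from the role, sits below `captiveportal`, or contains anything other than HTTP/HTTPS permits to the whitelist alias. The function names and the first-match evaluation order are assumptions.

```python
# Constructed sample: trimmed from the "show rights guest_role" output above.
SHOW_RIGHTS = """\
Captive Portal profile = CP_Profile
access-list List
Position Name Location
1 CP_Profile_list_operations
2 logon-control
3 captiveportal
CP_Profile_list_operations
Priority Source Destination Service Action Queue IPv4/6
1 user whitelist svc-http permit Low 4
2 user whitelist svc-https permit Low 4
logon-control
Priority Source Destination Service Action Queue IPv4/6
1 user any udp 68 deny Low 4
captiveportal
Priority Source Destination Service Action Queue IPv4/6
1 user controller svc-https dst-nat 8081 Low 4
2 user any svc-http dst-nat 8080 Low 4
"""
ACTIONS = ("permit", "deny", "dst-nat")


def parse_rights(text):
    """Return (ACL names in position order, {acl name: [rule dicts]})."""
    order, rules, current = [], {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 1 and tok[0] in order:       # heading of a rule table
            current = tok[0]
            rules[current] = []
        elif len(tok) < 2 or not tok[0].isdigit():  # banner, header or ruler line
            continue
        elif current is None:                       # row of "access-list List"
            order.append(tok[1])
        else:                                       # rule row; service may be two words
            act = next((i for i, t in enumerate(tok) if t in ACTIONS), None)
            if act is not None and act >= 4:
                rules[current].append({"src": tok[1], "dst": tok[2],
                                       "svc": " ".join(tok[3:act]), "action": tok[act]})
    return order, rules


def audit_whitelist(text, dyn_acl, alias, cp_acl="captiveportal"):
    """Return a list of findings; an empty list means the role looks as intended."""
    order, rules = parse_rights(text)
    if dyn_acl not in order:
        return [f"{dyn_acl} is not applied to the role"]
    findings = []
    # Assumption: ACLs are evaluated in position order and the first match wins.
    if cp_acl in order and order.index(dyn_acl) > order.index(cp_acl):
        findings.append(f"{dyn_acl} is below {cp_acl}")
    for r in rules.get(dyn_acl, []):
        expected = (r["src"] == "user" and r["dst"] == alias and r["action"] == "permit"
                    and r["svc"] in ("svc-http", "svc-https"))
        if not expected:
            findings.append(f"unexpected rule in {dyn_acl}: {r}")
    return findings


if __name__ == "__main__":
    print(audit_whitelist(SHOW_RIGHTS, "CP_Profile_list_operations", "whitelist"))
```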
Verifying DNS Resolved IP Addresses for Whitelisted URLs
The following CLI command verifies the DNS resolved IP addresses for the whitelisted URLs in the managed device:
(host) #show firewall dns-names ap-name <AP-name>
Example:
(host)[md] #show firewall dns-names ap-name ap135
Firewall DNS names
------------------
Index  Name      Id  Num-IP  List
-----  ----      --  ------  ----
0      bugzilla  10  1       0.0.0.0
1      cricinfo  9   0
2      yahoo     1   0
3      mycorp    6   1       1.1.1.1
Bypassing Captive Portal Landing Page
An increasing number of user sessions in the Captive Portal pre-authenticated role repeatedly request the Captive Portal login page from the managed devices. This impacts the number of browser-based user login requests handled per second by the managed devices. This eventually delays the loading of the Captive Portal page and logging into Captive Portal. Most of the increased activity is from non-browser-based applications running on smartphones and tablets.
managed devices send 200 OK status code message to the non-browser based apps.
is disabled by default, hence the
The following CLI commands enable from the managed devices. When doing so, non-browser apps continue to request the Captive Portal login page from the managed devices and they are responded with status code. This increases the load of the process of the managed devices.
(host) [md] (config) #web-server profile
(host) [md] (Web Server Configuration) #bypass-cp-landing-page
The landing page contains the meta-refresh tag to reload the page using real browser applications.
Captive Portal Authentication in Bridge Mode
Starting from ArubaOS 8.7.0.0, captive portal authentication is supported for VAPs in the bridge forwarding mode. This feature supports only external captive portal servers which generate XML API/RADIUS CoA to the controller. Only the following parameters of the command will be supported for APs in the bridge forwarding mode:
- ap-mac-in-redirection-url
- ip-addr-in-redirection-url
- login-page
- switchip-in-redirection-url
- url-hash-key
- user-vlan-in-redirection-url
The Campus AP and Remote AP models in cluster and non-cluster topology. To support captive portal authentication in the bridge forwarding mode, it is required to enable the parameter in the command.
should be configured with an absolute path, starting with http:// or https://. This feature is supported for wireless users on all