
aaa authentication captive-portal

aaa authentication captive-portal <profile>

apple-cna-bypass

ap-mac-in-redirection-url

auth-protocol mschapv2|pap|chap

black-list <black-list>

clone <source-profile>

default-guest-role <role>

default-role <role>

enable-welcome-page

guest-logon

ip-addr-in-redirection <ipaddr>

login-page <url>

logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>}

logout-popup-window

max-authentication-failures <number>

no ...

protocol-http

proxy <ipaddr> port <port>

redirect-pause <seconds>

redirect-url <url>

server-group <group-name>

show-acceptable-use-policy

show-fqdn

single-session

switchip-in-redirection-url

url-hash-key <key>

user-idle-timeout

user-logon

user-vlan-in-redirection-url

welcome-page <url>

white-list <white-list>

 

Description

This command configures a Captive Portal authentication profile.

Syntax

| Parameter | Description | Range | Default |
|---|---|---|---|
| <profile> | Name that identifies an instance of the profile. The name must be 1-63 characters. | | default |
| apple-cna-bypass | Enable this knob to bypass Apple CNA on iOS devices such as iPad, iPhone, and iPod. You need to perform Captive Portal authentication from a browser. | | |
| authentication-protocol chap\|mschapv2\|pap | This parameter specifies the type of authentication required by this profile. PAP is the default authentication type. PAP does not encrypt passwords for transmission and is thus considered insecure. | mschapv2, pap, chap | pap |
| ap-mac-in-redirection-url | This parameter adds the AP's MAC address in the redirection URL. | | disabled |
| black-list | Name of an existing black list on an IPv4 or IPv6 network destination. The black list contains websites (unauthenticated) that a guest cannot access. Specify a netdestination host or subnet to add that netdestination to the captive portal blacklist. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the blacklist. | | |
| clone | Name of an existing Captive Portal profile from which parameter values are copied. | | |
| default-guest-role | Role assigned to guest. | | guest |
| default-role <role> | Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role. | | guest |
| enable-welcome-page | Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in. | enabled or disabled | enabled |
| guest-logon | Enables Captive Portal logon without authentication. | enabled or disabled | disabled |
| ipaddr-in-redirection-url | Sends the interface IP address of the managed device in the redirection URL when external captive portal servers are used. An external captive portal server can determine the managed device from which a request originated by parsing the switchip variable in the URL. | | |
| login-page <url> | URL of the page that appears for the user logon. This can be set to any URL. | | /auth/index.html |
| logon-wait | Configure parameters for the logon wait interval. | 1-100 | 60% |
| cpu-threshold <percent> | CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page. | 1-100 | 60% |
| maximum-delay <seconds> | Maximum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter. | 1-10 | 10 seconds |
| minimum-delay <seconds> | Minimum time, in seconds, the user will have to wait for the logon page to pop up if the CPU load is high. This works in conjunction with the Logon wait CPU utilization threshold parameter. | 1-10 | 5 seconds |
| logout-popup-window | Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads. | enabled or disabled | enabled |
| max-authentication-failures <number> | Maximum number of authentication failures before the user is blacklisted. | 0-10 | 0 |
| no | Negates any configured parameter. | | |
| protocol-http | Use HTTP protocol on redirection to the Captive Portal page. If you use this option, modify the captive portal policy to allow HTTP traffic. | enabled or disabled | disabled (HTTPS is used) |
| proxy | Update IP address of the proxy host. | | |
| redirect-pause <secs> | Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link. | 1-60 | 10 seconds |
| redirect-url <url> | URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://. | | |
| server-group <group-name> | Name of the group of servers used to authenticate Captive Portal users. See aaa server-group. | | |
| show-fqdn | Allows the user to see and select the FQDN on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication. | enabled or disabled | disabled |
| single-session | Allows only one active user session at a time. | | disabled |
| show-acceptable-use-policy | Show the acceptable use policy page before the login page. | enabled or disabled | disabled |
| switchip-in-redirection-url | Sends the IP address of the managed device in the redirection URL when external captive portal servers are used. An external captive portal server can determine the managed device from which a request originated by parsing the switchip variable in the URL. | enabled or disabled | disabled |
| url-hash-key <key> | Issue this command to hash the redirection URL using the specified key. | | disabled |
| user-idle-timeout | The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used. | | disabled |
| user-logon | Enables Captive Portal with authentication of user credentials. | enabled or disabled | enabled |
| user-vlan-in-redirection-url | Add the user VLAN in the redirection URL. | enabled or disabled | disabled |
| welcome-page <url> | URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL. | | /auth/welcome.html |
| white-list <white-list> | Name of an existing white list on an IPv4 or IPv6 network destination. The white list contains authenticated websites that a guest can access. If you have not yet defined a netdestination, use the CLI command netdestination to define a destination host or subnet before you add it to the whitelist. | | |

Usage Guidelines

You can configure the Captive Portal authentication profile in the base operating system or with the PEFNG license installed. When you configure the profile in the base operating system, the name of the profile must be entered for the initial role in the AAA profile. Also, when you configure the profile in the base operating system, you cannot define the default-role.

Example

The following example configures a Captive Portal authentication profile that authenticates users against the internal database. Users who are successfully authenticated are assigned the auth-guest role.

To create the auth-guest user role shown in this example, the PEFNG license must be installed in the Mobility Master.

(host) ^[md] (config) #aaa authentication captive-portal guestnet

(host) ^[md] (Captive Portal Authentication Profile "guestnet") #default-role auth-guest

(host) ^[md] (Captive Portal Authentication Profile "guestnet") #user-logon

(host) ^[md] (Captive Portal Authentication Profile "guestnet") #no guest-logon

(host) ^[md] (Captive Portal Authentication Profile "guestnet") #server-group internal
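
The following is an added example, not part of the original page or of ArubaOS: a Python audit that reads captive-portal profiles and flags PAP authentication, HTTP redirection, unauthenticated guest logon, and redirection URLs that carry device details without a url-hash-key. The configuration text in SAMPLE is constructed, its indented layout ending in "!" is an assumption, and EXAMPLE-KEY is a placeholder.

```python
import re

# Defaults copied from the parameter table on this page.
DEFAULTS = {"auth-protocol": "pap", "protocol-http": False,
            "guest-logon": False, "url-hash-key": None}
# The page's synopsis says auth-protocol; its table says authentication-protocol.
ALIASES = {"authentication-protocol": "auth-protocol"}
HEADER = re.compile(r'^aaa authentication captive-portal\s+"?([^"\s]+)"?\s*$')
# Constructed sample; the indented-block layout ending in "!" is an assumption.
SAMPLE = """\
aaa authentication captive-portal "guestnet"
    no guest-logon
    server-group internal
!
aaa authentication captive-portal "lobby"
    authentication-protocol mschapv2
    protocol-http
    guest-logon
    switchip-in-redirection-url
!
aaa authentication captive-portal "staff"
    auth-protocol mschapv2
    ap-mac-in-redirection-url
    url-hash-key EXAMPLE-KEY
!
"""

def parse_profiles(text):
    """Return {profile: {parameter: value}} with the page's defaults filled in."""
    profiles, current = {}, None
    for raw in text.splitlines():
        header, words = HEADER.match(raw), raw.split()
        if header:
            current = profiles.setdefault(header.group(1), dict(DEFAULTS))
        elif not raw[:1].isspace():
            current = None  # "!" or any unindented line ends the profile block
        elif current is not None and words:
            negated = words[0] == "no" and len(words) > 1
            words = words[1:] if negated else words
            key = ALIASES.get(words[0], words[0])
            value = " ".join(words[1:]) or True  # bare keyword means enabled
            current[key] = DEFAULTS.get(key, False) if negated else value
    return profiles

def audit(profiles):  # returns sorted (profile, parameter, reason) findings
    out = []
    for name, p in profiles.items():
        in_url = sorted(k for k in p if k.endswith("-in-redirection-url") and p[k])
        checks = [
            ("auth-protocol", p["auth-protocol"] == "pap", "PAP sends passwords unencrypted"),
            ("protocol-http", p["protocol-http"], "portal redirect uses HTTP, not HTTPS"),
            ("guest-logon", p["guest-logon"], "logon without authentication"),
            ("url-hash-key", bool(in_url) and not p["url-hash-key"],
             "unhashed redirect URL carries " + ", ".join(in_url)),
        ]
        out += [(name, key, why) for key, hit, why in checks if hit]
    return sorted(out)

if __name__ == "__main__":
    print(*audit(parse_profiles(SAMPLE)), sep="\n")
```

The guestnet profile from the example above is flagged only because it leaves the authentication protocol at the PAP default.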

Command History

| Release | Modification |
|---|---|
| ArubaOS 8.4.0.0 | ap-mac-in-redirection-url parameter was introduced. |
| ArubaOS 8.0.0.0 | Command introduced. |

Command Information

| Platforms | License | Command Mode |
|---|---|---|
| All platforms | Base operating system, except for noted parameters. | Config mode on managed devices. |
