aaa authentication captive-portal

aaa authentication captive-portal <profile>

apple-cna-bypass

ap-mac-in-redirection-url

auth-protocol mschapv2|pap|chap

black-list/deny-list <black-list>/<deny-list>

clone <source-profile>

default-guest-role <role>

default-role <role>

enable-welcome-page

guest-logon

ip-addr-in-redirection <ipaddr>

login-page <url>

logon-wait {cpu-threshold <percent>}|{maximum-delay <seconds>}|{minimum-delay <seconds>}

logout-popup-window

max-authentication-failures <number>

no ...

protocol-http

proxy <ipaddr> port <port>

redirect-pause <seconds>

redirect-url <url>

server-group <group-name>

show-acceptable-use-policy

show-fqdn

single-session

switchip-in-redirection-url

url-hash-key <key>

user-idle-timeout <seconds>

user-logon

user-vlan-in-redirection-url

welcome-page <url>

white-list/allow-list <white-list>/<allow-list>

Description

This command configures the Captive Portal authentication profile, either in the base operating system or with the PEFNG license installed. When you configure the profile in the base operating system, the profile name must be entered as the initial role in the AAA profile, and you cannot define the default-role; both restrictions are lifted with the PEFNG license.

Starting from ArubaOS 8.7.0.0, captive portal authentication is supported for VAPs in the bridge forwarding mode. Only the following parameters of the aaa authentication captive-portal command will be supported in the bridge forwarding mode:

  • ap-mac-in-redirection-url

  • ip-addr-in-redirection

  • login-page

  • switchip-in-redirection-url

  • url-hash-key

  • user-vlan-in-redirection-url

Parameter

Description

<profile>

Name that identifies an instance of the profile. The name must be 1-63 characters.

Default: default

apple-cna-bypass

Enable this option to bypass the Apple Captive Network Assistant (CNA) mini-browser on iOS devices such as iPad, iPhone, and iPod. When it is enabled, the user must complete Captive Portal authentication from a regular browser instead of the CNA pop-up.

Default: disabled

auth-protocol mschapv2|pap|chap

Specifies the authentication protocol used to pass Captive Portal credentials to the server group for this profile. PAP is the default; the protocol must match what the authentication server accepts.

Range: mschapv2, pap, chap

Default: pap

ap-mac-in-redirection-url

This parameter adds the AP's MAC address in the redirection URL.

Default: disabled

black-list/deny-list

Name of an existing IPv4 or IPv6 netdestination used as the denylist. The denylist contains destinations that an unauthenticated guest cannot reach even though they are otherwise reachable before login.

Specify a netdestination host or subnet to add that netdestination to the Captive Portal denylist.

If you have not yet defined a netdestination, use the netdestination command to define a destination host or subnet before you add it to the denylist.

clone

Name of an existing Captive Portal profile from which parameter values are copied.

default-guest-role

Role assigned to users who log in through the guest (unauthenticated) logon when guest-logon is enabled.

Default: guest

default-role <role>

Role assigned to the Captive Portal user when that user logs in. When both user and guest logons are enabled, the default role applies to the user logon; users logging in using the guest interface are assigned the guest role.

Default: guest

enable-welcome-page

Displays the configured welcome page before the user is redirected to their original URL. If this option is disabled, redirection to the web URL happens immediately after the user logs in.

Default: enabled

guest-logon

Enables Captive Portal logon without authentication.

Default: disabled

ip-addr-in-redirection <ipaddr>

Specifies the managed device IP address (<ipaddr>) that is placed in the redirection URL when external captive portal servers are used, for deployments where the default interface address is not the one the external server should see. The external captive portal server determines which managed device a request originated from by parsing the switchip variable in the URL.

login-page <url>

URL of the page that appears for the user logon. This can be set to any URL.

logon-wait

Configures the logon wait interval, which delays presentation of the logon page while the CPU is busy. The three sub-parameters below are set together.

cpu-threshold <percent>

CPU utilization percentage above which the logon wait interval is applied when presenting the user with the logon page.

Range: 1-100

Default: 60

maximum-delay <seconds>

Maximum time, in seconds, that the user has to wait for the logon page to appear when CPU load exceeds the cpu-threshold value. This parameter works in conjunction with cpu-threshold and minimum-delay.

Range: 1-10

Default: 10

minimum-delay <seconds>

Minimum time, in seconds, that the user has to wait for the logon page to appear when CPU load exceeds the cpu-threshold value. This parameter works in conjunction with cpu-threshold and maximum-delay.

Range: 1-10

Default: 5

logout-popup-window

Enables a pop-up window with the Logout link that allows the user to log out. If this option is disabled, the user remains logged in until the user timeout period has elapsed or the station reloads.

Default: enabled

max-authentication-failures <number>

Maximum number of consecutive authentication failures before the user is denylisted. A value of 0 disables denylisting on failure, so leaving the default in place allows unlimited password guessing against the portal.

Range: 0-10

Default: 0

no

Negates any configured parameter.

protocol-http

Use HTTP instead of HTTPS for redirection to the Captive Portal page. If you enable this option, modify the captive portal policy to allow HTTP traffic. Note that with this option the logon page, and any credentials entered on it, are carried in cleartext; leave it disabled unless the portal cannot serve HTTPS.

Default: disabled

proxy <ipaddr> port <port>

IP address and TCP port of the proxy host that Captive Portal redirection should account for, so that clients configured to use that proxy are still redirected to the logon page.

redirect-pause <secs>

Time, in seconds, that the system remains in the initial welcome page before redirecting the user to the final web URL. If set to 0, the welcome page displays until the user clicks on the indicated link.

Range: 1-60

Default: 10

redirect-url <url>

URL to which an authenticated user will be directed. This parameter must be an absolute URL that begins with either http:// or https://.

server-group <group-name>

Name of the group of servers used to authenticate Captive Portal users.

show-fqdn

Allows the user to see and select the FQDN on the login page. The FQDNs shown are specified when configuring individual servers for the server group used with captive portal authentication.

Default: disabled

single-session

Allows only one active session per user at a time; a further logon with the same credentials is not accepted while the first session is active.

Default: disabled

show-acceptable-use-policy

Show the acceptable use policy page before the login page.

Default: disabled

switchip-in-redirection-url

Sends the IP address of the managed device in the redirection URL when external captive portal servers are used. An external captive portal server can determine the managed device from which a request originated by parsing the switchip variable in the URL.

Default: disabled

url-hash-key <key>

Hashes the redirection URL with the specified shared key, so that an external captive portal server configured with the same key can verify that the parameters embedded in the URL (for example the client MAC, the switchip, or the AP MAC) were not altered by the client between redirection and logon.

Default: disabled

user-idle-timeout

Idle timeout for clients authenticated through this profile, in seconds. Valid range is 30-43200 in multiples of 30 seconds. Setting a value here overrides the global idle timeout configured in the AAA timers; if this parameter is disabled, the global setting is used.

Default: disabled

user-logon

Enables Captive Portal with authentication of user credentials.

Default: enabled

user-vlan-in-redirection-url

Add the user VLAN in the redirection URL.

Default: disabled

welcome-page <url>

URL of the page that appears after logon and before redirection to the web URL. This can be set to any URL.

white-list/allow-list

Name of an existing IPv4 or IPv6 netdestination used as the allowlist. The allowlist contains destinations that a guest can reach before authenticating (for example the external portal server or a terms-of-use site). If you have not yet defined a netdestination, use the netdestination command to define a destination host or subnet before you add it to the allowlist.

Example

The following example configures a Captive Portal authentication profile that authenticates users against the internal database. Users who are successfully authenticated are assigned the auth-guest role.

To create the auth-guest user role shown in this example, the PEFNG license must be installed in the Mobility Conductor.

(host) [md] (config) #aaa authentication captive-portal guestnet

(host) [md] (Captive Portal Authentication Profile "guestnet") #default-role auth-guest

(host) [md] (Captive Portal Authentication Profile "guestnet") #user-logon

(host) [md] (Captive Portal Authentication Profile "guestnet") #no guest-logon

(host) [md] (Captive Portal Authentication Profile "guestnet") #server-group internal
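The following extended example, added here and not taken from the ArubaOS documentation, shows how the profile is typically combined with the parameters above for an external portal: an allowlist netdestination so the unauthenticated client can reach the portal, a denylist, an HTTPS-only login page, the switchip and AP MAC carried in the redirect, a shared hash key so the external server can detect tampered redirect parameters, a failure cap, and the profile attached to an initial role and AAA profile. The names portal.example.com, guest-allow, guest-deny, clearpass-sg, corp-guest, guest-logon, auth-guest, and the key value are assumptions chosen for the example; the user roles and the server group are assumed to exist already, and the allow-list/deny-list keywords assume ArubaOS 8.9.0.0 or later.

```text
! Destinations reachable before authentication (assumed names)
(host) [md] (config) #netdestination guest-allow
(host) [md] (config-dest) #name portal.example.com
(host) [md] (config-dest) #exit

! Destinations blocked for unauthenticated guests (assumed names)
(host) [md] (config) #netdestination guest-deny
(host) [md] (config-dest) #host 10.20.30.40
(host) [md] (config-dest) #exit

! Captive Portal profile: external HTTPS portal, credential logon only
(host) [md] (config) #aaa authentication captive-portal corp-guest
(host) [md] (Captive Portal Authentication Profile "corp-guest") #login-page https://portal.example.com/guest/login
(host) [md] (Captive Portal Authentication Profile "corp-guest") #no protocol-http
(host) [md] (Captive Portal Authentication Profile "corp-guest") #switchip-in-redirection-url
(host) [md] (Captive Portal Authentication Profile "corp-guest") #ap-mac-in-redirection-url
(host) [md] (Captive Portal Authentication Profile "corp-guest") #url-hash-key ExampleSharedKey123
(host) [md] (Captive Portal Authentication Profile "corp-guest") #server-group clearpass-sg
(host) [md] (Captive Portal Authentication Profile "corp-guest") #auth-protocol pap
(host) [md] (Captive Portal Authentication Profile "corp-guest") #user-logon
(host) [md] (Captive Portal Authentication Profile "corp-guest") #no guest-logon
(host) [md] (Captive Portal Authentication Profile "corp-guest") #default-role auth-guest
(host) [md] (Captive Portal Authentication Profile "corp-guest") #max-authentication-failures 3
(host) [md] (Captive Portal Authentication Profile "corp-guest") #allow-list guest-allow
(host) [md] (Captive Portal Authentication Profile "corp-guest") #deny-list guest-deny
(host) [md] (Captive Portal Authentication Profile "corp-guest") #single-session
(host) [md] (Captive Portal Authentication Profile "corp-guest") #exit

! Attach the profile to the initial (pre-authentication) role, PEFNG required
(host) [md] (config) #user-role guest-logon
(host) [md] (config-role) #captive-portal corp-guest
(host) [md] (config-role) #exit

! Make that role the initial role of the AAA profile used by the guest VAP
(host) [md] (config) #aaa profile corp-guest-aaa
(host) [md] (AAA Profile "corp-guest-aaa") #initial-role guest-logon
(host) [md] (AAA Profile "corp-guest-aaa") #exit
```

The same url-hash-key value must be configured on the external portal server, or it will reject every redirect. If the VAP runs in bridge forwarding mode, remember that only login-page, the three *-in-redirection-url parameters, ip-addr-in-redirection, and url-hash-key take effect; the allowlist, denylist, and failure cap shown here then have to be enforced elsewhere.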

Command History

Release

Modification

ArubaOS 8.9.0.0

The following changes were introduced:

All instances of blacklist have been replaced with denylist.

All instances of whitelist have been replaced with allowlist.

ArubaOS 8.7.0.0

Captive portal authentication was supported for VAPs in the bridge forwarding mode.

ArubaOS 8.4.0.0

The ap-mac-in-redirection-url parameter was added.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Base operating system, except for noted parameters.

Config mode on managed devices.