You are here: Captive Portal for Guest Access > Configuring Internal Captive Portal for Guest Network
Previous TopicNext Topic

Configuring Internal Captive Portal for Guest Network

In the Internal Captive Portal type, an internal server is used for hosting the captive portal service. You can configure internal captive portal authentication when adding or editing a guest network created for wireless or wired profile through the Instant UI or CLI.

In the Instant UI

1. Navigate to the WLAN wizard or Wired window.
To configure internal captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
To configure internal captive portal authentication for a wired profile, click More>Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. Click the Security tab and assign values for the configuration parameters:

Table 1: Internal Captive Portal Configuration Parameters

Parameter Description
Splash page type

Select any of the following from the drop-down list.

l Internal - Authenticated—When Internal Authenticated is enabled, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database.
l Internal - Acknowledged— When Internal Acknowledged is enabled, the guest users are required to accept the terms and conditions to access the Internet.
MAC authentication Select Enabled from the drop-down list to enable the MAC authentication.


(Applicable for WLAN SSIDs only.)

Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication.


NOTE: The WISPr authentication is applicable only for Internal-Authenticated splash pages and is not applicable for wired profiles.

Auth server 1

Auth server 2

Select any one of the following:

l A server from the list of servers if the server is already configured.
l Internal Server to authenticate user credentials at run time.
l Select New for configuring a new external RADIUS or LDAP server for authentication.

Load balancing

Select Enabled to enable load balancing if two authentication servers are used.
Reauth interval Select a value to allow the APs to periodically reauthenticate all associated and authenticated clients.

(Applicable for WLAN SSIDs only.)

If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.
Accounting mode

(Applicable for WLAN SSIDs only.)

Select an accounting mode from Accounting mode for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.

Disable if uplink type is To exclude uplink, select an uplink type.


(Applicable for WLAN SSIDs only.)

Select Enabled to configure encryption parameters.

Splash Page Design

Under Splash Page Visuals, use the editor to specify text and colors for the initial page that will be displayed to the users connecting to the network. The initial page asks for user credentials or email, depending on the splash page type (Internal - Authenticated or Internal -Acknowledged) for which you are customizing the splash page design. Perform the following steps to customize the splash page design.

l To change the color of the splash page, click the Splash page rectangle and select the required color from the Background Color palette.
l To change the welcome text, click the first square box in the splash page, type the required text in the Welcome text box, and click OK. Ensure that the welcome text does not exceed 127 characters.
l To change the policy text, click the second square in the splash page, type the required text in the Policy text box, and click OK. Ensure that the policy text does not exceed 255 characters.
l To upload a custom logo, click Upload your own custom logo Image, browse the image file, and click upload image. Ensure that the image file size does not exceed 16 KB.
l To redirect users to another URL, specify a URL in Redirect URL.
l Click Preview to preview the Captive Portal page.

NOTE: You can customize the captive portal page using double-byte characters. Traditional Chinese, Simplified Chinese, and Korean are a few languages that use double-byte characters. Click on the banner, term, or policy in the Splash Page Visuals to modify the text in the red box. These fields accept double-byte characters or a combination of English and double-byte characters.

3. Click Next to configure access rules.

In the CLI

To configure internal captive portal authentication:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# essid <ESSID-name>

(Instant AP)(SSID Profile <name>)# type <Guest>

(Instant AP)(SSID Profile <name>)# captive-portal <internal-authenticated> exclude-uplink {3G|4G|Wifi|Ethernet}

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# auth-server <server1>

(Instant AP)(SSID Profile <name>)# radius-reauth-interval <Minutes>

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To configure internal captive portal for a wired profile:

(Instant AP) (config)# wired-port-profile <name>

(Instant AP) (wired ap profile <name>)# type <guest>

(Instant AP) (wired ap profile <name>)# captive-portal {<internal-authenticated>| <internal-acknowledged>} exclude-uplink {3G|4G|Wifi|Ethernet}

(Instant AP) (wired ap profile <name>)# mac-authentication

(Instant AP) (wired ap profile <name>)# auth-server <server1>

(Instant AP) (wired ap profile <name>)# radius-reauth-interval <Minutes>

(Instant AP) (wired ap profile <name>)# end

(Instant AP)# commit apply

To customize internal captive portal splash page:

(Instant AP)(config)# wlan captive-portal

(Instant AP)(Captive Portal)# authenticated

(Instant AP)(Captive Portal)# background-color <color-indicator>

(Instant AP)(Captive Portal)# banner-color <color-indicator>

(Instant AP)(Captive Portal)# banner-text <text>

(Instant AP)(Captive Portal)# decoded-texts <text>

(Instant AP)(Captive Portal)# redirect-url <url>

(Instant AP)(Captive Portal)# terms-of-use <text>

(Instant AP)(Captive Portal)# use-policy <text>

(Instant AP)(Captive Portal)# end

(Instant AP)# commit apply

To upload a customized logo from a TFTP server to the IAP:

(Instant AP)# copy config tftp <ip-address> <filename> portal logo