Configuring External Captive Portal for a Guest Network

This section provides the following information:

External Captive Portal Profiles
Creating a Captive Portal Profile
Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
External Captive Portal Redirect Parameters

External Captive Portal Profiles

You can now configure external captive portal profiles and associate these profiles with a user role or SSID. You can create a set of captive portal profiles in the Security>External Captive Portal window and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile on the Security tab of the WLAN wizard or a Wired Network window. In the current release, you can configure up to sixteen external captive portal profiles.

When the captive portal profile is associated with an SSID, it is used before user authentication. If the profile is associated with a role, it is used only after user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted.

Creating a Captive Portal Profile

You can create a captive portal profile using the Instant UI or CLI.

In the Instant UI

1. Click Security>External Captive Portal.
2. Click New. The New pop-up window is displayed.
3. Specify values for the following parameters:

Table 1: Captive Portal Profile Configuration Parameters

Parameter Description


Enter a name for the profile.


Select any one of the following types of authentication:

- RADIUS Authentication - Select this option to enable user authentication against a RADIUS server.
- Authentication Text - Select this option to specify an authentication text. The specified text will be returned by the external server after a successful user authentication.

IP or hostname

Enter the IP address or the hostname of the external splash page server.


Enter the URL for the external captive portal server.


Enter the port number.

Use https

(Available only if RADIUS Authentication is selected)

Select Enabled to require clients to use HTTPS to communicate with the captive portal server.

Captive Portal failure

This field allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access the Internet when the external captive portal server is not available.

Automatic URL Whitelisting

Select Enabled to enable the automatic whitelisting of URLs. When the check box is selected for external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically whitelisted. Automatic URL whitelisting is disabled by default.

Auth Text

(Available only if Authentication Text is selected)

If the External Authentication splash page is selected, specify the authentication text to be returned by the external server after successful authentication.

Server Offload

Select Enabled to enable server offload. The server offload feature ensures that non-browser client applications are not unnecessarily redirected to the external portal server, which reduces the load on the external captive portal server. The Server Offload option is Disabled by default.

Prevent frame overlay

When the Prevent frame overlay option is enabled, a frame can display a page only if it is in the same domain as the main page. This option is Enabled by default and can be used to prevent the overlay of frames.

Switch IP

Sends the IP address of the Virtual Controller in the redirection URL when external captive portal servers are used. This option is disabled by default.

Redirect URL

Specify a redirect URL if you want to redirect the users to another URL.

In the CLI

To configure an external captive portal profile:

(Instant AP)(config)# wlan external-captive-portal [profile_name]

(Instant AP)(External Captive Portal)# server <server>

(Instant AP)(External Captive Portal)# port <port>

(Instant AP)(External Captive Portal)# url <url>

(Instant AP)(External Captive Portal)# https

(Instant AP)(External Captive Portal)# redirect-url <url>

(Instant AP)(External Captive Portal)# server-fail-through

(Instant AP)(External Captive Portal)# no auto-whitelist-disable

(Instant AP)(External Captive Portal)# server-offload

(Instant AP)(External Captive Portal)# switch-ip

(Instant AP)(External Captive Portal)# prevent-frame-overlay

(Instant AP)(External Captive Portal)# end

(Instant AP)# commit apply
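
The following audit script is an added example, not part of the vendor documentation. It reads a typed profile session like the one above and flags profiles that do not set https, that set server-fail-through, or that negate prevent-frame-overlay. It assumes that server-fail-through is the CLI form of the Allow Internet failure setting and that an omitted profile name means the default profile; the sample session, profile names and finding codes are constructed.

```python
import re

PROMPT = re.compile(r"^\([^#]*\)#\s*")   # e.g. "(Instant AP)(External Captive Portal)# "
HEADER = "wlan external-captive-portal"

# Constructed session for illustration; profile names and server are made up.
SAMPLE = """\
(Instant AP)(config)# wlan external-captive-portal guest-open
(Instant AP)(External Captive Portal)# server portal.example.com
(Instant AP)(External Captive Portal)# port 80
(Instant AP)(External Captive Portal)# url /login
(Instant AP)(External Captive Portal)# server-fail-through
(Instant AP)(External Captive Portal)# no prevent-frame-overlay
(Instant AP)(External Captive Portal)# end
(Instant AP)(config)# wlan external-captive-portal guest-tls
(Instant AP)(External Captive Portal)# server portal.example.com
(Instant AP)(External Captive Portal)# port 443
(Instant AP)(External Captive Portal)# https
(Instant AP)(External Captive Portal)# end
"""

def parse_profiles(text):
    """Map profile name -> {keyword: argument, True, or False for a 'no' form}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())   # accept lines with or without the prompt
        if not line:
            continue
        if line.startswith(HEADER):
            # Assumption: an omitted profile name refers to the default profile.
            current = profiles.setdefault(line[len(HEADER):].strip() or "default", {})
        elif line in ("end", "exit") or line.startswith("commit"):
            current = None
        elif current is not None:
            negated = line.startswith("no ")
            words = (line[3:] if negated else line).split()
            current[words[0]] = False if negated else (" ".join(words[1:]) or True)
    return profiles

def audit(profiles):
    """Return (profile, finding) pairs for settings that weaken the guest portal."""
    findings = []
    for name, cfg in profiles.items():
        if not cfg.get("https"):                  # HTTPS to the portal is not required
            findings.append((name, "NO_HTTPS"))
        if cfg.get("server-fail-through"):        # assumed: Allow Internet on portal failure
            findings.append((name, "FAIL_OPEN"))
        if cfg.get("prevent-frame-overlay", True) is False:   # page: Enabled by default
            findings.append((name, "FRAME_OVERLAY_ALLOWED"))
    return findings

if __name__ == "__main__":
    for profile, finding in audit(parse_profiles(SAMPLE)):
        print(f"{profile}: {finding}")
```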

Configuring an SSID or Wired Profile to Use External Captive Portal Authentication

You can configure external captive portal authentication for a network profile when adding or editing a guest network using the Instant UI or CLI.

In the Instant UI

1. Navigate to the WLAN wizard or Wired window.
   - To configure external captive portal authentication for a WLAN SSID, in the Network tab, click New to create a new network profile or edit to modify an existing profile.
   - To configure external captive portal authentication for a wired profile, click More>Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. On the Security tab, select External from the Splash page type drop-down list.
3. From the captive portal profile drop-down list, select a profile. You can select a default profile, or an already existing profile, or click New and create a new profile.
4. Configure the following parameters based on the type of splash page you selected.

Table 2: External Captive Portal Configuration Parameters



Captive-portal proxy server

If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive-portal proxy server field.


Select Enabled if you want to enable WISPr authentication. For more information on WISPr authentication, see Configuring WISPr Authentication.

NOTE: The WISPr authentication is applicable only for the External and Internal-Authenticated splash pages and is not applicable for wired profiles.

MAC authentication

Select Enabled if you want to enable MAC authentication. For information on MAC authentication, see Configuring MAC Authentication for a Network Profile.

Delimiter character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP will use the delimiter in the MAC authentication request. For example, if you specify the colon as a delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.

NOTE: This option is available only when MAC authentication is enabled.

Uppercase support

Set to Enabled to allow the IAP to use uppercase letters in the MAC address string for MAC authentication.

NOTE: This option is available only if MAC authentication is enabled.

Authentication server

To configure an authentication server, select any of the following options:

- If the server is already configured, select the server from the list.
- To create a new external RADIUS server, select New. For more information, see Configuring an External Server for Authentication.

Reauth interval

Specify a value for the reauthentication interval at which the APs periodically reauthenticate all associated and authenticated clients.

Accounting mode

Select an accounting mode from Accounting mode to post accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, accounting starts when the client associates to the network successfully and stops when the client is disconnected.

Accounting interval

Configure an accounting interval in minutes within the range of 0–60, to allow APs to periodically post accounting information to the RADIUS server.


If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.

Max authentication failures

If you are configuring a wireless network profile and Blacklisting is enabled, specify the maximum number of authentication failures after which users who fail to authenticate are dynamically blacklisted.



Walled garden

Click the link to open the Walled Garden window. The walled garden configuration determines access to the websites. For more information, see Configuring Walled Garden Access.

Disable if uplink type is

Select the type of the uplink to exclude.


Select Enabled to configure encryption settings and specify the encryption parameters.

5. Click Next to continue and then click Finish to apply the changes.

In the CLI

To configure security settings for guest users of the WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# essid <ESSID-name>

(Instant AP)(SSID Profile <name>)# type <Guest>

(Instant AP)(SSID Profile <name>)# captive-portal {<type> [exclude-uplink <types>] | external [exclude-uplink <types> | profile <name> [exclude-uplink <types>]]}

(Instant AP)(SSID Profile <name>)# captive-portal-proxy-server <IP> <port>

(Instant AP)(SSID Profile <name>)# blacklist

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant AP)(SSID Profile <name>)# radius-accounting

(Instant AP)(SSID Profile <name>)# radius-interim-accounting-interval

(Instant AP)(SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(SSID Profile <name>)# wpa-passphrase <WPA_key>

(Instant AP)(SSID Profile <name>)# wep-key <WEP-key> <WEP-index>

(Instant AP)(SSID Profile <name>)# end

(Instant AP)# commit apply

To configure security settings for guest users of the wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# type <Guest>

(Instant AP)(wired ap profile <name>)# captive-portal {<type> [exclude-uplink <types>] | external [exclude-uplink <types> | profile <name> [exclude-uplink <types>]]}

(Instant AP)(wired ap profile <name>)# mac-authentication

(Instant AP)(wired ap profile <name>)# end

(Instant AP)# commit apply

External Captive Portal Redirect Parameters

If the external captive portal redirection is enabled on a network profile, IAP sends an HTTP response with the redirect URL to display the splash page and enforce captive portal authentication by clients. The HTTP response from the IAP includes the following parameters:

Table 3: External Captive Portal Redirect Parameters

Parameters Example Value Description


Type of operation


Client MAC address 



Client IP address


AP hostname


AP MAC address   


VC name

Captive portal domain used for external captive portal authentication

original URL
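
The redirect parameters reach the external portal through the client's browser, so the portal should validate them before logging them or sending the user on to the original URL. The following portal-side validator is an added example, not part of the vendor documentation. The query-parameter names (cmd, mac, ip, apname, apmac, vcname, url) are assumptions, because the name column of Table 3 is not reproduced on this page, and the sample request is constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed parameter names: the name column of Table 3 is not reproduced on this page.
REQUIRED = ("cmd", "mac", "ip", "apname", "apmac", "vcname", "url")
# Accepts the delimited and undelimited MAC forms described for MAC authentication.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")

# Constructed request, as the portal would see it after the client follows the redirect.
SAMPLE = ("https://portal.example.com/login?cmd=login&mac=02:00:5e:10:20:30"
          "&ip=192.0.2.23&apname=ap-lobby&apmac=02-00-5E-AA-BB-CC"
          "&vcname=instant-vc&url=http%3A%2F%2Fwww.example.org%2Fnews")

def parse_redirect(request_url):
    """Validate the redirect parameters; return cleaned values or raise ValueError."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    out = {}
    for key in REQUIRED:
        values = query.get(key, [])
        if len(values) != 1:                  # missing, or repeated to confuse parsers
            raise ValueError(f"{key}: expected exactly one value")
        out[key] = values[0]
    for key in ("mac", "apmac"):
        if not MAC_RE.match(out[key]):
            raise ValueError(f"{key}: not a MAC address")
        out[key] = re.sub(r"[:-]", "", out[key]).lower()   # one canonical form for logs
    out["ip"] = str(ipaddress.ip_address(out["ip"]))       # raises ValueError if invalid
    target = urlsplit(out["url"])
    # Only send users back to an absolute http(s) URL after login.
    if target.scheme not in ("http", "https") or not target.hostname:
        raise ValueError("url: only absolute http(s) URLs are accepted")
    return out

if __name__ == "__main__":
    for name, value in parse_redirect(SAMPLE).items():
        print(f"{name} = {value}")
```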