Configuring External Captive Portal for a Guest Network

This section provides the following information:

External Captive Portal Profiles

You can now configure external captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. profiles and associate these profiles to a user role or SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network.. You can create a set of captive portal profiles in the External Captive Portal window (accessed from the Security tab of the old WebUI and the Configuration > Security tab of the new WebUI) and associate these profiles with an SSID or a wired profile. You can also create a new captive portal profile on the Security tab of the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. wizard or a Wired Network window. In the current release, you can configure up to 16 external captive portal profiles.

When the captive portal profile is associated to an SSID, it is used before user authentication. If the profile is associated to a role, it is used only after the user authentication. When a captive portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. and DHCP Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to an IP-enabled device from a defined range of numbers configured for a given network.  traffic between the client and the network, and directs all HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands. or HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. requests to the captive portal unless explicitly permitted to allow all types of traffic.

Creating an External Captive Portal Profile

The following procedure describes how to create an external captive portal profile:

  1. Navigate to Configuration > Security page.
  2. Expand External Captive Portal.
  3. Click +. The New popup window is displayed.
  4. Specify values for the following parameters:

Table 1: External Captive Portal Profile Configuration Parameters




Enter a name for the profile.


Select any one of the following types of authentication:

IP or hostname

Enter the IP address or the host name of the external splash page server.


Enter the URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet. for the external captive portal server.


Enter the port number.

Use https

(Available only if RADIUS Authentication is selected)

Select Enabled to enforce clients to use HTTPS to communicate with the captive portal server.

Captive Portal failure

Allows you to configure Internet access for the guest clients when the external captive portal server is not available. Select Deny Internet to prevent clients from using the network, or Allow Internet to allow the guest clients to access Internet when the external captive portal server is not available.

Automatic URL Whitelisting

Select Enabled to enable the automatic whitelisting of URLs. On selecting the check box for the external captive portal authentication, the URLs that are allowed for the unauthenticated users to access are automatically whitelisted. The automatic URL whitelisting is disabled by default.

Auth Text

(Available only if Authentication Text is selected)

If the External Authentication splash page is selected, specify the authentication text to be returned by the external server after successful authentication.

Server Offload

Select Enabled to enable server offload. The server offload feature ensures that the non-browser client applications are not unnecessarily redirected to the external portal server and thereby reducing the load on the external captive portal server. The Server Offload option is Disabled by default.

Prevent frame overlay

When the Prevent frame overlay option is enabled, a frame can display a page only if it is in the same domain as the main page. This option is Disabled by default and can be used to prevent the overlay of frames.

Use VC IP in Redirect URL

Sends the IP address of the virtual controller in the redirection URL when external captive portal servers are used. This option is disabled by default.

Redirect URL

Specify a redirect URL if you want to redirect the users to another URL.

  1. Click OK.

The following CLI commands configure an external captive portal profile:

(Instant AP)(config)# wlan external-captive-portal [profile_name]

(Instant AP)(External Captive Portal)# server <server>

(Instant AP)(External Captive Portal)# port <port>

(Instant AP)(External Captive Portal)# url <url>

(Instant AP)(External Captive Portal)# https

(Instant AP)(External Captive Portal)# redirect-url <url>

(Instant AP)(External Captive Portal)# server-fail-through

(Instant AP)(External Captive Portal)# no auto-whitelist-disable

(Instant AP)(External Captive Portal)# server-offload

(Instant AP)(External Captive Portal)# switch-ip

(Instant AP)(External Captive Portal)# prevent-frame-overlay

(Instant AP)(External Captive Portal)# out-of-service-page <url>

The out-of-service-page <url> parameter configures the Instant AP to display a custom captive portal page when the internet uplink is down. This parameter can be configured only through the Instant CLI.

Configuring an SSID or Wired Profile to Use External Captive Portal Authentication

The following procedure describes how to configure external captive portal authentication when adding or editing a guest network profile:

  1. Navigate to the WLAN wizard or Wired window.
    • To configure external captive portal authentication for a WLAN SSID, on the Networks tab, click New to create a new network profile or edit to modify an existing profile.
    • To configure external captive portal authentication for a wired profile, Go to More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
  2. On the Security tab, select External from the Splash page type drop-down list.
  3. From the Captive Portal Profile drop-down list, select a profile. You can select and modify a default profile, or an already existing profile, or click New and create a new profile.
  1. Configure the following parameters based on the type of splash page you selected.

Table 2: External Captive Portal Configuration Parameters



Captive-portal proxy server

If required, configure a captive portal proxy server or a global proxy server to match your browser configuration by specifying the IP address and port number in the Captive-portal proxy server text box.


Select Enabled if you want to enable WISPr Wireless Internet Service Provider Roaming. The WISPr framework enables the client devices to roam between the wireless hotspots using different ISPs. authentication.

NOTE: The WISPr authentication is applicable only for the External and Internal-Authenticated splash pages and is not applicable for wired profiles.

MAC authentication

Select Enabled if you want to enable MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authentication.

Delimiter character

Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the Instant AP will use the delimiter in the MAC authentication request. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.

NOTE: This option is available only when MAC authentication is enabled.

Uppercase support

Set to Enabled to allow the Instant AP to use uppercase letters in MAC address string for MAC authentication.

NOTE: This option is available only if MAC authentication is enabled.

Authentication server 1 and Authentication server 2

To configure an authentication server, select any of the following options:

  • If the server is already configured, select the server from the list.
  • To create new external RADIUS server, select New.

Reauth interval

Specify a value for the reauthentication interval at which the Instant APs periodically reauthenticate all associated and authenticated clients.

Accounting mode

Select an accounting mode from the Accounting mode drop-down list for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is disconnected.

Accounting interval

Configure an accounting interval in minutes within the range of 0–60, to allow Instant APs to periodically post accounting information to the RADIUS server.


If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures.

Max auth failures

If you are configuring a wireless network profile and Blacklisting is enabled, specify the maximum number of authentication failures after which users who fail to authenticate must be dynamically blacklisted.


Disable if uplink type is

Select the type of the uplink to exclude.


Select Enabled to configure encryption settings and specify the encryption parameters.

  1. Click Next to continue and then click Finish to apply the changes.

The following CLI commands configure security settings for guest users of the WLAN SSID profile:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# essid <ESSID-name>

(Instant AP)(SSID Profile <name>)# type <Guest>

(Instant AP)(SSID Profile <name>)# captive-portal{<type>[exclude-uplink <types>]|external[exclude-uplink <types>| profile <name>[exclude-uplink <types>]]}

(Instant AP)(SSID Profile <name>)# captive-portal-proxy-server <IP> <port>

(Instant AP)(SSID Profile <name>)# blacklist

(Instant AP)(SSID Profile <name>)# mac-authentication

(Instant AP)(SSID Profile <name>)# max-authentication-failures <number>

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

(Instant Access Point (SSID Profile <name>)# radius-accounting

(Instant Access Point (SSID Profile <name>)# radius-interim-accounting-interval

(Instant Access Point (SSID Profile <name>)# radius-accounting-mode {user-association|user-authentication}

(Instant AP)(SSID Profile <name>)# wpa-passphrase <WPA_key>

(Instant AP)(SSID Profile <name>)# wep-key <WEP-key> <WEP-index>

The following CLI commands configure security settings for guest users of the wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# type <Guest>

(Instant AP)(wired ap profile <name>)# captive-portal{<type>[exclude-uplink <types>]|external[exclude-uplink <types>| profile <name>[exclude-uplink <types>]]}

(Instant AP)(wired ap profile <name>)# mac-authentication

External Captive Portal Redirect Parameters

If the external captive portal redirection is enabled on a network profile, Instant AP sends an HTTP response with the redirect URL to display the splash page and enforce captive portal authentication by clients. The HTTP response from the Instant AP includes the following parameters:

Table 3: External Captive Portal Redirect Parameters

Parameter Example Value Description



Type of operation



Client MAC address 



ESSID Extended Service Set Identifier. ESSID refers to the ID used for identifying an extended service set.


Client IP address



Instant AP host name



Instant AP MAC address   



Virtual controllername


Captive portal domain used for external captive portal authentication


original URL