Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse Access Control Service (CLI Procedure)

If you have connected the EX Series switch to the Junos Pulse Access Control Service and you want to use the captive portal user authentication feature, configure the Access Control Service network access control (NAC) device as an external captive portal server. The captive portal feature is required only for user authentication. Unmanaged devices, such as printers or phones, can be authenticated through 802.1X and MAC address authentication.

When a user tries to access a protected network resource that is connected to the switch, the user must first sign in to the Access Control Service for authentication and endpoint security checking. The captive portal redirects the user to a login page located on the Access Control Service.

When the sign-in page for the Access Control Service is displayed, the user signs in and the Access Control Service examines the endpoint for compliance with security policies. If the endpoint passes the security check, access is granted to the protected resource.

Before you begin, be sure you have:

To configure the switch to use the Access Control Service for captive portal:

  1. Configure captive portal to use the authentication profile that directs clients connected to the switch to the Access Control Service for authentication:

    Note: The access profile name specified here must match the access profile name that you specified for the Access Control Service in Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access Control (CLI Procedure).

    [edit]
    user@switch# set services captive-portal authentication-profile-name access-profile-name

  2. Enable an interface for use with captive portal authentication:

    [edit]
    user@switch# set services captive-portal interface interface-name supplicant multiple

  3. (Optional) Specify which clients are to bypass captive portal authentication:

    [edit]
    user@switch# set ethernet-switching-options authentication-whitelist mac-address

    Note: You can use set ethernet-switching-options authentication-whitelist mac-address interface interface-name to limit the scope to the interface.

    Note: If the client is already attached to the switch, you must clear its MAC address from captive portal authentication by using the clear captive-portal mac-address mac-address command after adding its MAC address to the authentication whitelist. Otherwise the new entry for the MAC address will not be added to the Ethernet switching table and the authentication bypass will not be allowed.
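The following audit script is an added example, not part of the original Juniper procedure. It reads a configuration in `set` format and checks the two points the notes above call out: the captive portal profile name must match a configured access profile, and whitelist entries without an `interface` limit bypass authentication beyond a single port. It assumes access profiles are defined under `set access profile`; the profile name, interfaces and MAC addresses in the sample are constructed.

```python
# Constructed sample in Junos "set" format; profile name, interfaces and MACs are made up.
SAMPLE_CONFIG = """\
set access profile uac-profile authentication-order radius
set services captive-portal authentication-profile-name uac-profil
set services captive-portal interface ge-0/0/10.0 supplicant multiple
set ethernet-switching-options authentication-whitelist 00:11:22:33:44:55
set ethernet-switching-options authentication-whitelist 00:AA:BB:CC:DD:EE interface ge-0/0/12.0
"""

CP = ["set", "services", "captive-portal"]
WL = ["set", "ethernet-switching-options", "authentication-whitelist"]


def audit_captive_portal(config_text):
    """Return a list of finding strings for the captive portal statements."""
    profiles, cp_profiles, cp_ifaces, whitelist = set(), [], [], []
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "access", "profile"] and len(tok) > 3:
            profiles.add(tok[3])  # assumption: access profiles live here
        elif tok[:4] == CP + ["authentication-profile-name"] and len(tok) > 4:
            cp_profiles.append(tok[4])
        elif tok[:4] == CP + ["interface"] and len(tok) > 4:
            cp_ifaces.append(tok[4])
        elif tok[:3] == WL and len(tok) > 3:
            # An entry is scoped only if "interface <name>" follows the MAC.
            scoped = len(tok) > 5 and tok[4] == "interface"
            whitelist.append((tok[3].lower(), tok[5] if scoped else None))

    findings = []
    if not cp_profiles:
        findings.append("no-profile: captive portal has no authentication-profile-name")
    for name in cp_profiles:
        if name not in profiles:
            findings.append(f"profile-mismatch: '{name}' is not a configured access profile")
    if not cp_ifaces:
        findings.append("no-interface: no interface is enabled for captive portal")
    for mac, iface in whitelist:
        if iface is None:
            findings.append(f"unscoped-bypass: {mac} is whitelisted without an interface limit")
    return findings


if __name__ == "__main__":
    for finding in audit_captive_portal(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports the misspelled profile name and the whitelist entry that is not limited to an interface.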

Published: 2012-12-06