Supported Platforms
Example: Setting Up Captive Portal Authentication on an EX Series Switch
You can set up captive portal authentication (hereafter referred to as captive portal) on a switch to redirect Web browser requests to a login page that requires the user to input a username and password. Upon successful authentication, the user is allowed to continue with the original page request and subsequent access to the network.
This example describes how to set up captive portal on an EX Series switch:
Requirements
This example uses the following hardware and software components:
- An EX Series switch that supports captive portal
- Junos OS Release 10.1 or later for EX Series switches
Before you begin, be sure you have:
- Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
- Generated an SSL certificate and installed it on the switch. See Generating SSL Certificates to Be Used for Secure Web Access.
- Configured basic access between the EX Series switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
- Designed your captive portal login page. See Designing a Captive Portal Authentication Login Page on an EX Series Switch.
Overview and Topology
This example shows the configuration required on the switch to enable captive portal on an interface. To permit a printer connected to the captive portal interface to access the LAN without going through captive portal, add its MAC address to the authentication whitelist. The MAC addresses in this list are permitted access on the interface without captive portal.
The topology for this example consists of one EX Series switch connected to a RADIUS authentication server. One interface on the switch is configured for captive portal. In this example, the interface is configured in multiple supplicant mode.
Configuration
To configure captive portal on your switch:
CLI Quick Configuration
To quickly configure captive portal on the switch after completing the tasks in the Requirements section, copy the following commands and paste them into the switch terminal window:
[edit]
set system services web-management
http
set system services web-management https local-certificate
my-signed-cert
set services captive-portal secure-authentication
https
set services captive-portal interface ge-0/0/10.0
supplicant multiple
set ethernet-switching-options
authentication-whitelist 00:10:12:e0:28:22
set custom-options
post-authentication-url http://www.my-home-page.com
Step-by-Step Procedure
To configure captive portal on the switch:
- Enable HTTP access on the switch:
[edit]
user@switch# set system services web-management http - To create a secure channel for Web access to the switch,
configure captive portal for HTTPS:
Note: You can enable HTTP without enabling HTTPS, but we recommend HTTPS for security purposes.
- Associate the security certificate with the Web server
and enable HTTPS access on the switch:
[edit]
user@switch# set system services web-management https local-certificate my-signed-cert - Configure captive portal to use HTTPS:
[edit]
user@switch# set services captive-portal secure-authentication https
- Associate the security certificate with the Web server
and enable HTTPS access on the switch:
- Enable an interface for captive portal:
[edit]
user@switch# set services captive-portal interface ge-0/0/10 supplicant multiple - (Optional) Allow specific clients to bypass captive portal:
Note: If the client is already attached to the switch, you must clear its MAC address from the captive portal authentication by using the clear captive-portal mac-address mac-address command after adding its MAC address to the whitelist. Otherwise the new entry for the MAC address will not be added to the Ethernet switching table and authentication bypass will not be allowed.
[edit]
user@switch# set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22Note: Optionally, you can use set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit the scope to the interface.
- (Optional) To redirect clients to a specified page rather
than the page they originally requested, configure the post-authentication
URL:
[edit services captive-portal]
user@switch# set custom-options post-authentication-url http://www.my-home-page.com
Results
Display the results of the configuration:
...
Pt5YmvWDoGo0mSjoE/liH0BqYdh9YGqv3T2IEUfflSTQQHEOShS0ogWDHF\ nnyOb1O/vQtjk20X9NVQg JHBwidssY9eRp\n-----END CERTIFICATE-----\n"; ## SECRET-DATA}}}}
Verification
To confirm that captive portal is configured and working properly, perform these tasks:
- Verifying That Captive Portal Is Enabled on the Interface
- Verify That Captive Portal Is Working Correctly
Verifying That Captive Portal Is Enabled on the Interface
Purpose
Verify that captive portal is configured on interface ge-0/0/10.
Action
Use the operational mode command show captive-portal interface interface-name detail:
user@switch> show captive-portal interface ge-0/0/10.0
detailge-0/0/10.0 Supplicant mode: Multiple Number of retries: 3 Quiet period: 60 seconds Configured CP session timeout: 3600 seconds Server timeout: 15 seconds
Meaning
The output confirms that captive portal is configured on interface ge-0/0/10 with the default settings for number of retries, quiet period, CP session timeout, and server timeout.
Verify That Captive Portal Is Working Correctly
Purpose
Verify that captive portal is working on the switch.
Action
Connect a client to interface ge-0/0/10. From the client, open a Web browser and request a webpage. The captive portal login page that you designed should be displayed. After you enter your login information and are authenticated against the RADIUS server, the Web browser should display either the page you requested or the post-authentication URL that you configured.
Troubleshooting
To troubleshoot captive portal, perform these tasks:
Troubleshooting Captive Portal
Problem
The switch does not return the captive portal login page when a user connected to a captive portal interface on the switch requests a Web page.
Solution
You can examine the ARP, DHCP, HTTPS, and DNS counters—if one or more of these counters are not incrementing, this provides an indication of where the problem lies. For example, if the client cannot get an IP address, check the switch interface to determine whether the DHCP counter is incrementing—if the counter increments, the DHCP packet was received by the switch.
user@switch> show captive-portal firewall ge-0/0/10.0ge-0/0/10.0 Filter name: dot1x_ge-0/0/10 Counters: Name Bytes Packets dot1x_ge-0/0/10_CP_arp 7616 119 dot1x_ge-0/0/10_CP_dhcp 0 0 dot1x_ge-0/0/10_CP_http 0 0 dot1x_ge-0/0/10_CP_https 0 0 dot1x_ge-0/0/10_CP_t_dns 0 0 dot1x_ge-0/0/10_CP_u_dns 0 0
