Supported Platforms
Configuring Captive Portal Authentication (CLI Procedure)
 | Note: This task uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Configuring Captive Portal Authentication (CLI Procedure). For ELS details, see Getting Started with Enhanced Layer 2 Software. |
Configure captive portal authentication (hereafter referred to as captive portal) on an EX Series switch so that users connected to the switch are authenticated before being allowed to access the network. When the user requests a webpage, a login page is displayed that requires the user to input a username and password. Upon successful authentication, the user is allowed to continue with the original page request and subsequent access to the network.
Before you begin, be sure you have:
- Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
- Generated an SSL certificate and installed it on the switch. See Generating SSL Certificates to Be Used for Secure Web Access.
- Configured basic access between the EX Series switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
- Designed your captive portal login page. See Designing a Captive Portal Authentication Login Page on an EX Series Switch.
This topic includes the following tasks:
- Configuring Secure Access for Captive Portal
- Enabling an Interface for Captive Portal
- Configuring Bypass of Captive Portal Authentication
Configuring Secure Access for Captive Portal
To configure secure access for captive portal:
- Associate the security certificate with the Web server
and enable HTTPS on the switch:
[edit]
user@switch# set system services web-management https local-certificate my-signed-certNote: You can enable HTTP instead of HTTPS, but we recommend HTTPS for security purposes.
- Configure captive portal to use HTTPS:
[edit]
user@switch# set services captive-portal secure-authentication https
Enabling an Interface for Captive Portal
To enable an interface for use with captive portal authentication:
[edit]
user@switch# set services
captive-portal interface ge-0/0/10Configuring Bypass of Captive Portal Authentication
You can allow specific clients to bypass captive portal authentication:
[edit]
user@switch# set switch-options
authentication-whitelist 00:10:12:e0:28:22 | Note: Optionally, you can use set switch-options authentication-whitelist 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit the scope to the interface. |
| Note: If the client is already attached to the switch, you must clear its MAC address from the captive portal authentication by using the clear captive-portal mac-address session-mac-addr command after adding its MAC address to the whitelist. Otherwise the new entry for the MAC address will not be added to the Ethernet switching table and the authentication bypass will not be allowed. |
