Example: Creating a Captive Portal Policy on the JUNOS Enforcer (CLI)

To configure the captive portal feature, you must create a captive portal policy. This example shows a simple configuration to illustrate the basic steps for creating a captive portal policy on the JUNOS Enforcer. In this example, you deploy a JUNOS Enforcer in front of the data center resources you want to protect and configure the captive portal feature on the JUNOS Enforcer. The JUNOS Enforcer then automatically redirects HTTP traffic destined for the protected resource to the Infranet Controller for authentication.

Before you configure the captive portal feature, be sure you have performed the following steps:

In this example, you want to protect the trusted zone from users on the LAN by making sure that only compliant and authenticated users are granted access. New users join your network every month. You want to configure the captive portal feature on your system so that unauthenticated users are redirected to the Infranet Controller automatically without requiring new users to remember to log in to the Infranet Controller.

To configure the captive portal feature on the JUNOS Enforcer:

  1. Create a security policy to be associated with the captive portal policy.
    [edit]
    user@host# edit security policies from-zone untrust to-zone trust policy my-policy
  2. Specify the match condition for my-policy.
    [edit security policies from-zone untrust to-zone trust policy my-policy]
    user@host# set match destination-address any source-address any application any
  3. Specify the captive portal policy as part of the UAC policy to be applied on the traffic that matches the specified conditions.
    [edit security policies from-zone untrust to-zone trust policy my-policy]
    user@host# set then permit application-services uac-policy captive-portal my-captive-portal-policy
  4. Navigate to the services unified-access-control level of the configuration hierarchy.
    [edit security policies from-zone untrust to-zone trust policy my-policy]
    user@host# top
    [edit]
    user@host# edit services unified-access-control
  5. Specify to redirect all unauthenticated traffic to the Infranet Controller.
    [edit services unified-access-control]
    user@host# set captive-portal my-captive-portal-policy redirect-traffic unauthenticated
  6. Navigate to the top level of the configuration hierarchy.
    [edit services unified-access-control]
    user@host# top
  7. Confirm your configuration by entering the show services and the show security policies commands from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

    [edit]
    user@host# show services
    unified-access-control {
        captive-portal my-captive-portal-policy {
            redirect-traffic unauthenticated;
        }
    }

    [edit]
    user@host# show security policies
    ...
    from-zone untrust to-zone trust {
        policy my-policy {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        uac-policy {
                            captive-portal my-captive-portal-policy;
                        }
                    }
                }
            }
        }
    }
  8. Commit the configuration if you are done configuring the device.
    [edit]
    user@host# commit
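
A consistency check for the finished configuration, as an added example that is not part of the original procedure or Juniper's own code: it reads set-format configuration text, such as the output of `show configuration | display set`, and reports captive portal policies that a security policy references but `services unified-access-control` does not define, and the reverse. The sample text and the names guest-policy, guest-portal and unused-portal are constructed for illustration.

```python
import re

# Constructed sample: this example's configuration in set format, plus one
# dangling reference (guest-portal) and one unused definition (unused-portal).
SAMPLE = """\
set security policies from-zone untrust to-zone trust policy my-policy match source-address any
set security policies from-zone untrust to-zone trust policy my-policy match destination-address any
set security policies from-zone untrust to-zone trust policy my-policy match application any
set security policies from-zone untrust to-zone trust policy my-policy then permit application-services uac-policy captive-portal my-captive-portal-policy
set security policies from-zone untrust to-zone trust policy guest-policy then permit application-services uac-policy captive-portal guest-portal
set services unified-access-control captive-portal my-captive-portal-policy redirect-traffic unauthenticated
set services unified-access-control captive-portal unused-portal redirect-traffic unauthenticated
"""

# A security policy that hands matching traffic to a captive portal policy.
REF = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                 r"then permit application-services uac-policy captive-portal (\S+)$")
# A captive portal policy definition, with its redirect-traffic mode if present.
DEF = re.compile(r"^set services unified-access-control captive-portal (\S+)"
                 r"(?: redirect-traffic (\S+))?")


def audit(config_text):
    """Cross-check captive portal references against their definitions."""
    refs, modes = [], {}
    for line in map(str.strip, config_text.splitlines()):
        if m := REF.match(line):
            refs.append(m.groups())
        elif m := DEF.match(line):
            # A portal may span several set lines; keep a mode once seen.
            modes[m.group(1)] = m.group(2) or modes.get(m.group(1))
    used = {portal for *_, portal in refs}
    return {
        "undefined": sorted(used - set(modes)),
        "unreferenced": sorted(set(modes) - used),
        # (from-zone, to-zone, policy, portal, redirect mode or None)
        "bindings": [(*ref, modes.get(ref[3])) for ref in refs],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```
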

For more information about the configuration statements used in this example, see the JUNOS Software CLI Reference.
