Example: Creating a Captive Portal Policy on the JUNOS Enforcer (CLI)

To configure the captive portal feature, you must create a captive portal policy. This example shows a simple configuration to illustrate the basic steps for creating a captive portal policy on the JUNOS Enforcer. In this example, you deploy a JUNOS Enforcer in front of the data center resources you want to protect and configure the captive portal feature on the JUNOS Enforcer. The JUNOS Enforcer then automatically redirects HTTP traffic destined for the protected resource to the Infranet Controller for authentication.

Before you configure the captive portal feature, be sure you have performed the following steps:

• Deploy the Infranet Controller in the network so that users can access the device. Use the internal port on the Infranet Controller to connect users, the JUNOS Enforcer (an SRX210 device in this example), and authentication servers. For instructions on how to configure the Infranet Controller, see Configuring Communications Between the JUNOS Enforcer and the Infranet Controller (CLI Procedure).
• Set up security zones and interfaces on the JUNOS Enforcer. Make sure that end users are in a different security zone than protected resources. For example, protected resources in the data center are configured in the trusted zone and users in an untrusted zone.
• Add individual users to either an external authentication server or the local authentication server. Set up roles and realms for individual users. You can provision access to protected resources based on your network security needs. For more information about authentication tables and user roles, see the Unified Access Control Administration Guide.

In this example, you want to protect the trusted zone from users on the LAN by making sure that only compliant and authenticated users are granted access. New users join your network every month. You want to configure the captive portal feature on your system so that unauthenticated users are redirected to the Infranet Controller automatically without requiring new users to remember to log in to the Infranet Controller.

To configure the captive portal feature on the JUNOS Enforcer:

1. Create a security policy to be associated with the captive portal policy.
   [edit]user@host# edit security policies from-zone untrust to-zone trust policy my-policy
2. Specify the match condition for my-policy.
   [edit security policies from-zone untrust to-zone trust policy my-policy]user@host# set match destination-address any source-address any application any
3. Specify the captive portal policy as part of the UAC policy to be applied on the traffic that matches the specified conditions.
   [edit security policies from-zone untrust to-zone trust policy my-policy]user@host# set then permit application-services uac-policy captive-portal my-captive-portal-policy
4. Navigate to the services unified-access-control level of the configuration hierarchy.
   [edit security policies from-zone untrust to-zone trust policy my-policy]user@host# top[edit]user@host# edit services unified-access-control
5. Specify to redirect all unauthenticated traffic to the Infranet Controller.
   [edit services unified-access-control]user@host# set captive-portal my-captive-portal-policy redirect-traffic unauthenticated
6. Navigate to the top level of the configuration hierarchy.
   [edit services unified-access-control]user@host# top
7. Confirm your configuration by entering the show services and the show security policies commands from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

   For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

   [edit]user@host# show servicesunified-access-control {captive-portal my-captive-portal-policy {redirect-traffic unauthenticated;}}
   [edit]user@host# show security policies...from-zone untrust to-zone trust {policy my-policy {match {source-address any;destination-address any;application any;}then {permit {application-services {uac-policy {captive-portal my-captive-portal-policy;}}}}}}
8. Commit the configuration if you are done configuring the device.
   [edit]user@host# commit

For more information about the configuration statements used in this example, see the JUNOS Software CLI Reference.

Related Topics

• JUNOS Software Feature Support Reference for SRX Series and J Series Devices
• Understanding UAC in a JUNOS Environment
• Understanding the Captive Portal on the JUNOS Enforcer
• Understanding Captive Portal Configuration on the JUNOS Enforcer
• Understanding the Captive Portal Redirect URL Options
• Example: Configuring a Redirect URL for Captive Portal (CLI)