- play_arrow Login Classes and Login Settings
- play_arrow User Accounts
- play_arrow Passwords for User Access
- play_arrow Trusted Platform Module
- play_arrow User Authentication
- play_arrow Remote Access Management
- play_arrow Access Control
- Access Control Authentication Methods
- Preventing Unauthorized Access to EX Series Switches Using Unattended Mode for U-Boot
- Preventing Unauthorized Access to EX Series Switches Using Unattended Mode for U-Boot
- RADIUS Server Configuration for Authentication
- RADIUS over TLS (RADSEC)
- 802.1X Authentication
- MAC RADIUS Authentication
- Service-Type Attribute and Jumbo Frame Handling Overview
- 802.1X and RADIUS Accounting
- Example: Setting Up 802.1X for Single-Supplicant or Multiple-Supplicant Configurations on an EX Series Switch
- Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch
- Interfaces Enabled for 802.1X or MAC RADIUS Authentication
- Static MAC Bypass of 802.1X and MAC RADIUS Authentication
- Configuring PEAP for MAC RADIUS Authentication
- Captive Portal Authentication
- Flexible Authentication Order on EX Series Switches
- Server Fail Fallback and Authentication
- Authentication Session Timeout
- Central Web Authentication
- Dynamic VLAN Assignment for Colorless Ports
- VoIP on EX Series Switches
- play_arrow Configuring IEEE 802.1x Port-Based Network Access Control
- play_arrow Device Discovery
- play_arrow Domain Name Security
- play_arrow Permission Flags
- access
- access-control
- admin
- admin-control
- all
- clear
- configure
- control
- field
- firewall
- firewall-control
- floppy
- flow-tap
- flow-tap-control
- flow-tap-operation
- idp-profiler-operation
- interface
- interface-control
- maintenance
- network
- pgcp-session-mirroring
- pgcp-session-mirroring-control
- reset
- rollback
- routing
- routing-control
- secret
- secret-control
- security
- security-control
- shell
- snmp
- snmp-control
- system
- system-control
- trace
- trace-control
- view
- view-configuration
- play_arrow Configuration Statements and Operational Commands
Understanding Captive Portal Authentication on the MX Series Routers
Starting with Junos OS Release 14.2, captive portal authentication (hereafter referred to as captive portal) allows you to authenticate users on MX Series routers by redirecting Web browser requests to a login page that requires users to input a username and password before they are allowed access to the network.Captive portal controls network access by requiring users to provide information that is authenticated against a RADIUS server database using EAP-MD5, You can also use captive portal to display an acceptable-use policy to users before they access your network.
Juniper Networks Junos Software for MX Series routers provides a template that allows you to easily design and modify the look of the captive portal login page. You enable specific interfaces for captive portal. The first time a client connected to a captive portal interface attempts to access a webpage, the switch presents the captive portal login page. Upon successful authentication, the user is allowed access to the network and to continue to the original page requested.
If Hypertext Transfer Protocol Secure (HTTPS) is enabled, Hypertext Transfer Protocol (HTTP) requests are redirected to an HTTPS connection for the captive portal authentication process. After authentication, the client is returned to the HTTP connection.
If there are clients that are not HTTP-enabled connected to the captive portal interface, you can allow them to bypass captive portal authentication by adding their MAC address to an authentication allowlist. (If the MAC address has already been learned on the interface, you must clear it using the clear captive-portal interface interface-name) before adding it to the allowlist.)
When the user is authenticated by the RADIUS server, any per-user policies (attributes) associated with that user are also sent to the switch.
Limitations of Captive Portal
Captive portal on MX Series routers has the following limitations:
The captive portal interface must be configured for family ethernet-switching and set to port mode access. The VLAN must be configured with a routed VLAN interface (RVI).
The DHCP gateway IP address for the switch must be configured as the IP address of the routed VLAN interface.
Captive portal does not support dynamic assignment of VLANs downloaded from the RADIUS server.
If the user is idle for more than about 5 minutes and there is no traffic passed, the user is required to log back in to the captive portal.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
