Users Guide

Configuring Captive Portal in the CLI
To configure captive portal with the PEFNG license via the command-line interface, access the CLI in config
mode and issue the following commands:
(host)(config) #aaa authentication captive-portal c-portal
   default-role employee
   server-group cp-srv
(host)(config) #user-role logon
   captive-portal c-portal
(host)(config) #aaa profile aaa_c-portal
   initial-role logon
(host)(config) #wlan ssid-profile ssid_c-portal
   essid c-portal-ap
   vlan 20
(host)(config) #wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
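The commands above tie the virtual AP to the captive portal profile only through names: virtual AP to AAA profile, AAA profile to initial role, initial role to captive portal profile. The following Python check is an added example, not part of this guide or of ArubaOS; it reads a captured copy of those commands and reports any name that does not resolve. The function names (parse, dangling, portal_for) and the REFS table are illustrative assumptions, and default-role and server-group are not checked because they name objects defined elsewhere.

```python
import re
# Constructed input: this section's commands as captured from a CLI session.
SAMPLE = """\
(host)(config) #aaa authentication captive-portal c-portal
   default-role employee
   server-group cp-srv
(host)(config) #user-role logon
   captive-portal c-portal
(host)(config) #aaa profile aaa_c-portal
   initial-role logon
(host)(config) #wlan ssid-profile ssid_c-portal
   essid c-portal-ap
   vlan 20
(host)(config) #wlan virtual-ap vp_c-portal
   aaa-profile aaa_c-portal
   ssid-profile ssid_c-portal
"""
PROMPT = re.compile(r"^\([^)]*\)\(config\)\s*#\s*(.+?)\s+(\S+)$")
# (object type, setting) -> object type it must name; assumed from the stanza shown.
REFS = {
    ("wlan virtual-ap", "aaa-profile"): "aaa profile",
    ("wlan virtual-ap", "ssid-profile"): "wlan ssid-profile",
    ("aaa profile", "initial-role"): "user-role",
    ("user-role", "captive-portal"): "aaa authentication captive-portal",
}

def parse(text):
    """Return {(object type, name): {setting: value}}; a prompt line opens an object."""
    objs, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := PROMPT.match(line):
            cur = objs.setdefault((m[1], m[2]), {})
        elif line and cur is not None:
            key, _, val = line.partition(" ")
            cur[key] = val.strip()
    return objs

def dangling(objs):
    """List settings that name an object the captured text never defines."""
    return [f"{kind} {name}: {key} {val} has no matching '{target}'"
            for (kind, name), settings in objs.items()
            for key, val in settings.items()
            if (target := REFS.get((kind, key))) and (target, val) not in objs]

def portal_for(objs, vap):
    """Follow virtual-ap -> aaa profile -> initial role -> captive portal profile."""
    aaa = objs.get(("wlan virtual-ap", vap), {}).get("aaa-profile")
    role = objs.get(("aaa profile", aaa), {}).get("initial-role")
    return objs.get(("user-role", role), {}).get("captive-portal")
```

For the commands in this section, portal_for(parse(SAMPLE), "vp_c-portal") returns c-portal; a result of None means clients on that virtual AP never reach a role that carries the captive portal profile.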
Sample Authentication with Captive Portal
In the following example:
• Guest clients associate to the guestnet SSID which is an open wireless LAN. Guest clients are placed into
  VLAN 900 and assigned IP addresses by the controller’s internal DHCP server. The user has no access to
  network resources beyond DHCP and DNS until they open a web browser and log in with a guest account
  using captive portal.
• Guest users are given a login and password from guest accounts created in the controller’s internal
  database. The temporary guest accounts are created and administered by the site receptionist.
• Guest users must enter their assigned login and password into the captive portal login before they are given
  access to use web browsers (HTTP and HTTPS), POP3 email clients, and VPN clients (IPsec, PPTP, and L2TP)
  on the Internet and only during specified working hours. Guest users are prohibited from accessing internal
  networks and resources. All traffic to the Internet is source-NATed.
This example assumes a Policy Enforcement Firewall Next Generation (PEFNG) license is installed in the
controller.
In this example, you create two user roles:
• guest-logon is a user role assigned to any client who associates to the guestnet SSID. Normally, any client
  that associates to an SSID will be placed into the logon system role. The guest-logon user role is more
  restrictive than the logon role.
• auth-guest is a user role granted to clients who successfully authenticate via the captive portal.
Creating a Guest User Role
The guest-logon user role consists of the following ordered policies:
• captiveportal is a predefined policy that allows captive portal authentication.
• guest-logon-access is a policy that you create with the following rules:
    ◦ Allows DHCP exchanges between the user and the DHCP server during business hours while blocking
      other users from responding to DHCP requests.
    ◦ Allows ICMP exchanges between the user and the controller during business hours.
• block-internal-access is a policy that you create that denies user access to the internal networks.
Dell Networking W-Series ArubaOS 6.4.x | User Guide Captive Portal Authentication | 378