Example: Setting Up Captive Portal Authentication on an EX Series Switch

Requirements

This example uses the following hardware and software components:

• Junos OS Release 10.1 or later for EX Series switches
• An EX3200 or EX4200 Series switch

Before you begin, be sure you have:

• Performed basic bridging and VLAN configuration on the switch. See Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
• Generated an SSL certificate and installed it on the switch. See Generating SSL Certificates to Be Used for Secure Web Access.
• Configured basic access between the EX Series switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
• Designed your captive portal login page. See Designing a Captive Portal Authentication Login Page on an EX Series Switch.

Overview and Topology

This example shows the configuration required on the switch to enable captive portal on an interface. To permit a printer connected to the captive portal interface to access the LAN, add its MAC address to the authentication whitelist. The MAC addresses on this list are permitted access on the interface without captive portal authentication.

The topology for this example consists of one EX Series switch connected to a RADIUS authentication server. One interface on the switch is configured for captive portal. In this example, the interface is configured in single supplicant mode.

Configuration

To configure captive portal on your switch:

CLI Quick Configuration

To quickly configure captive portal on the switch after completing the tasks in the Requirements section, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure captive portal on the switch:

1. To create a secure channel for Web access to the switch, configure captive portal for HTTPS:

   Step-by-Step Procedure

   1. Associate the security certificate with the Web server and enable HTTPS on the switch:
      
      

      [edit]
user@switch# set system services web-management https local-certificate my-signed-cert

      Note: You can enable HTTP instead of HTTPS, but we recommend HTTPS for security purposes.

   2. Configure captive portal to use HTTPS:
      
      

      [edit]
user@switch# set services captive-portal secure-authentication https
2. Enable an interface for captive portal:
   
   

   [edit]
user@switch# set services captive-portal interface ge-0/0/10
3. (Optional) Allow specific clients to bypass captive portal authentication:

   Note: If the client is already attached to the switch, you must clear its MAC address from the captive portal authentication by using the clear captive-portal mac-address mac-address command after adding its MAC address to the whitelist. Otherwise the new entry for the MAC address will not be added to the ethernet switching table and the authentication bypass will not be allowed.

   
   

   [edit]
user@switch# set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22

   Note: Optionally, you can use set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit the scope to the interface.

4. (Optional) To redirect clients to a specified page rather than the page they originally requested, configure the post-authentication URL:
   
   

   [edit services captive-portal]
user@switch# set custom-options post-authentication-url http://www.my-home-page.com

Results

Display the results of the configuration:

Verification

To confirm that captive portal authentication is configured and working properly, perform these tasks:

• Verifying That Captive Portal Is Enabled on the Interface
• Verify That Captive Portal Is Working Correctly

Verifying That Captive Portal Is Enabled on the Interface

Purpose

Verify that captive portal is configured on interface ge-0/0/10.

Action

ge-0/0/10.0
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Configured CP session timeout: 3600 seconds
  Server timeout: 15 seconds

Meaning

The output confirms that captive portal is configured on interface ge-0/0/10 with the default settings for number of retries, quiet period, CP session timeout, and server timeout.

Verify That Captive Portal Is Working Correctly

Purpose

Verify that captive portal is working on the switch.

Action

Connect a client to interface ge-0/0/10. From the client, open a Web browser and request a webpage. The captive portal login page that you designed should be displayed. After you enter your login information and are authenticated against the RADIUS server, the Web browser should display either the page you requested or the post-authentication URL that you configured.

Troubleshooting

To troubleshoot captive portal, perform these tasks:

• Troubleshooting Captive Portal

Troubleshooting Captive Portal

Problem

The switch does not return the captive portal login page when a user connected to a captive portal interface on the switch requests a Web page.

Solution

You can examine the ARP, DHCP, HTTPS, and DNS counters—if one or more of these counters are not incrementing, this provides an indication of where the problem lies. For example, if the client cannot get an IP address, you might check the switch interface to determine whether the DHCP counter is incrementing—if the counter increments, the DHCP packet was received by the switch.

ge-0/0/10.0
  Filter name: dot1x_ge-0/0/10
Counters:
Name                          Bytes              Packets
dot1x_ge-0/0/10_CP_arp         7616                  119
dot1x_ge-0/0/10_CP_dhcp           0                    0
dot1x_ge-0/0/10_CP_http           0                    0
dot1x_ge-0/0/10_CP_https          0                    0
dot1x_ge-0/0/10_CP_t_dns          0                    0
dot1x_ge-0/0/10_CP_u_dns          0                    0