Technical Documentation

Example: Setting Up Captive Portal Authentication on an EX Series Switch

You can set up captive portal authentication (hereafter referred to as captive portal) on a switch to redirect Web browser requests to a login page that requires the user to input a username and password. Upon successful authentication, the user is allowed to continue with the original page request and subsequent access to the network.

This example describes how to set up captive portal on an EX Series switch:


This example uses the following hardware and software components:

  • JUNOS Release 10.1 or later for EX Series switches
  • An EX3200 or EX4200 Series switch

Before you begin, be sure you have:

Overview and Topology

This example shows the configuration required on the switch to enable captive portal on an interface. To permit a printer connected to the captive portal interface to access the LAN, add its MAC address to the authentication whitelist. The MAC addresses on this list are permitted access on the interface without captive portal authentication.

The topology for this example consists of one EX Series switch connected to a RADIUS authentication server. One interface on the switch is configured for captive portal. In this example, the interface is configured in single supplicant mode.


To configure captive portal on your switch:

CLI Quick Configuration

To quickly configure captive portal on the switch after completing the tasks in the Requirements section, copy the following commands and paste them into the switch terminal window:

set system services web-management https local-certificate my-signed-cert
set services captive-portal secure-authentication https
set services captive-portal interface ge-0/0/10.0
set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22
set custom-options post-authentication-url

Step-by-Step Procedure

To configure captive portal on the switch:

  1. To create a secure channel for Web access to the switch, configure captive portal for HTTPS:
    1. Associate the security certificate with the Web server and enable HTTPS on the switch:

      user@switch# set system services web-management https local-certificate my-signed-cert

      Note: You can enable HTTP instead of HTTPS, but we recommend HTTPS for security purposes.

    2. Configure captive portal to use HTTPS:

      user@switch# set services captive-portal secure-authentication https
  2. Enable an interface for captive portal:

    user@switch# set services captive-portal interface ge-0/0/10
  3. (Optional) Allow specific clients to bypass captive portal authentication:

    user@switch# set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22

    Note: Optionally, you can use set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit the scope to the interface.

    If the MAC address has already been learned on the interface, you must clear it using the clear captive-portal interface interface-name) before adding it to the whitelist. Otherwise the new entry for the MAC address will not be added to the ethernet switching table and the authentication bypass will not be allowed.

  4. (Optional) To redirect clients to a specified page rather than the page they originally requested, configure the post-authentication URL:

    [edit services captive-portal]
    user@switch# set custom-options post-authentication-url


Display the results of the configuration:

[edit]user@switch# show system {services {web-management {https {local-certificate my-signed-cert;}}}}security {certificates {local {my-signed-cert {"-----BEGIN RSA PRIVATE KEY-----\nMIICXwIBAAKBgQDk8sUggnXdDUmr7T vLv63yJq/LRpDASfIDZlX3z9ZDe1Kfk5C9\nr/tkyvzv
Pt5YmvWDoGo0mSjoE/liH0BqYdh9YGqv3T2IEUfflSTQQHEOShS0ogWDHF\ nnyOb1O/vQtjk20X9NVQg JHBwidssY9eRp\n-----END CERTIFICATE-----\n"; ## SECRET-DATA
}services {captive-portal {interface {ge-0/0/10.0;}secure-authentication https;}}ethernet-switching-options {authentication-whitelist {00:10:12:e0:28:22/48;}}


To confirm that captive portal authentication is configured and working properly, perform these tasks:

Verifying That Captive Portal Is Enabled on the Interface


Verify that captive portal is configured on interface ge-0/0/10.


Use the operational mode command show captive-portal interface interface-name detail:

user@switch> show captive-portal interface ge-0/0/10.0 detail
  Supplicant mode: Single
  Number of retries: 3
  Quiet period: 60 seconds
  Configured CP session timeout: 3600 seconds
  Server timeout: 15 seconds


The output confirms that captive portal is configured on interface ge-0/0/10 with the default settings for number of retries, quiet period, CP session timeout, and server timeout.

Verify That Captive Portal Is Working Correctly


Verify that captive portal is working on the switch.


Connect a client to interface ge-0/0/10. From the client, open a Web browser and request a webpage. The captive portal login page that you designed should be displayed. After you enter your login information and are authenticated against the RADIUS server, the Web browser should display either the page you requested or the post-authentication URL that you configured.


To troubleshoot captive portal, perform these tasks:

Troubleshooting Captive Portal


The switch does not return the captive portal login page when a user connected to a captive portal interface on the switch requests a Web page.


You can examine the ARP, DHCP, HTTPS, and DNS counters—if one or more of these counters are not incrementing, this provides an indication of where the problem lies. For example, if the client cannot get an IP address, you might check the switch interface to determine whether the DHCP counter is incrementing—if the counter increments, the DHCP packet was received by the switch.

user@switch> show captive-portal firewall ge-0/0/10.0
  Filter name: dot1x_ge-0/0/10
Name                          Bytes              Packets
dot1x_ge-0/0/10_CP_arp         7616                  119
dot1x_ge-0/0/10_CP_dhcp           0                    0
dot1x_ge-0/0/10_CP_http           0                    0
dot1x_ge-0/0/10_CP_https          0                    0
dot1x_ge-0/0/10_CP_t_dns          0                    0
dot1x_ge-0/0/10_CP_u_dns          0                    0

Published: 2010-09-16

My Account
Log Out