Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


interface (Captive Portal)


Hierarchy Level


Configure captive portal authentication for all interfaces or for specific interfaces.



All interfaces to be configured for captive portal authentication.


List of names of interfaces to be configured for captive portal authentication.

quiet-period seconds

Configure time, in seconds, after a user exceeds the maximum number of retries before they can attempt to authenticate.

  • Range: 1–65535 seconds

  • Default: 60 seconds

retries number-of-tries

Configure the number of times the user can attempt to submit authentication information.

  • Range: 1–65535 tries

  • Default: 3 tries

server-timeout seconds

Configure the time in seconds an interface will wait for a reply when relaying a response from the client to the authentication server before timing out and invoking the server-fail action.

  • Range: 1–65535 seconds

  • Default: 20 seconds

session-expiry seconds

Configure the number of seconds before the captive portal authentication session times out and the client must reattempt authentication.


If the authentication server sends an authentication session timeout to the client, this takes priority over the value configured locally using the session-expiry statement. The session timeout value is sent from the server to the client as an attribute of the RADIUS Access-Accept message.

  • Range: 1 through 65535 seconds

  • Default: 3600 seconds

supplicant (multiple | single | single-secure)

Configure the MAC-based method used to authenticate clients for captive portal authentication.

  • Values: Configure one of the following:

    • single—Authenticates only the first client that connects to an authenticator port. All other clients connecting to the authenticator port after the first are permitted free access to the port without further authentication. If the first authenticated client logs out, all other supplicants are locked out until a client authenticates again.

    • single-secure—Authenticates only one client to connect to an authenticator port. The host must be directly connected to the switch.

    • multiple—Authenticates multiple clients individually on one authenticator port. You can configure the number of clients per port. If you also configure a maximum number of devices that can be connected to a port through port security settings, the lower of the configured values is used to determine the maximum number of clients allowed per port.

  • Default: single

user-keepalive minutes

Extend a captive portal authentication session after the MAC table aging timer expires, by the configured number of minutes. The keep-alive timer is started when the MAC address of the authenticated host ages out of the Ethernet switching table. If traffic is received within the keep-alive timeout period, the timer is deleted. If there is no traffic within the keep-alive timeout period, the session is deleted, and the host must re-authenticate.

  • Default: Disabled. The captive portal authentication session ends when the associated MAC address ages out of the Ethernet switching table.

  • Range: 7 through 65535 minutes

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Required Privilege Level

routing—To view this statement in the configuration.

routing–control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 10.1.

user-keepalive introduced in Junos OS Release 16.1 for EX Series switches.