Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding Captive Portal Authentication on the MX Series Routers

Starting with Junos OS Release 14.2, captive portal authentication (hereafter referred to as captive portal) allows you to authenticate users on MX Series routers by redirecting Web browser requests to a login page that requires users to input a username and password before they are allowed access to the network.Captive portal controls network access by requiring users to provide information that is authenticated against a RADIUS server database using EAP-MD5, You can also use captive portal to display an acceptable-use policy to users before they access your network.

Juniper Networks Junos Software for MX Series routers provides a template that allows you to easily design and modify the look of the captive portal login page. You enable specific interfaces for captive portal. The first time a client connected to a captive portal interface attempts to access a webpage, the switch presents the captive portal login page. Upon successful authentication, the user is allowed access to the network and to continue to the original page requested.

Note:

If Hypertext Transfer Protocol Secure (HTTPS) is enabled, Hypertext Transfer Protocol (HTTP) requests are redirected to an HTTPS connection for the captive portal authentication process. After authentication, the client is returned to the HTTP connection.

If there are clients that are not HTTP-enabled connected to the captive portal interface, you can allow them to bypass captive portal authentication by adding their MAC address to an authentication allowlist. (If the MAC address has already been learned on the interface, you must clear it using the clear captive-portal interface interface-name) before adding it to the allowlist.)

When the user is authenticated by the RADIUS server, any per-user policies (attributes) associated with that user are also sent to the switch.

Limitations of Captive Portal

Captive portal on MX Series routers has the following limitations:

  • The captive portal interface must be configured for family ethernet-switching and set to port mode access. The VLAN must be configured with a routed VLAN interface (RVI).

  • The DHCP gateway IP address for the switch must be configured as the IP address of the routed VLAN interface.

  • Captive portal does not support dynamic assignment of VLANs downloaded from the RADIUS server.

  • If the user is idle for more than about 5 minutes and there is no traffic passed, the user is required to log back in to the captive portal.

Release History Table
Release
Description
14.2
Starting with Junos OS Release 14.2, captive portal authentication (hereafter referred to as captive portal) allows you to authenticate users on MX Series routers by redirecting Web browser requests to a login page that requires users to input a username and password before they are allowed access to the network.