Example: Setting Up Captive Portal Authentication on an MX Series Router
Starting with Junos OS Release 14.2, you can set up captive portal authentication (hereafter referred to as captive portal) on a router to redirect Web browser requests to a login page that requires the user to input a username and password. Upon successful authentication, the user is allowed to continue with the original page request and subsequent access to the network.
This example describes how to set up captive portal on an MX Series router.
Requirements
This example uses the following hardware and software components:
An MX Series router that supports captive portal
Junos OS Release 14.2 or later for MX Series routers
Before you begin, be sure you have:
Performed basic bridging and VLAN configuration on the router.
Generated an SSL certificate and installed it on the router.
Configured basic access between the MX Series router and the RADIUS server.
Designed your captive portal login page.
Overview and Topology
This example shows the configuration required on the router to enable captive portal on an interface. To permit a printer connected to the captive portal interface to access the LAN without going through captive portal, add its MAC address to the authentication allowlist. The MAC addresses in this list are permitted access on the interface without captive portal.
Topology
The topology for this example consists of one MX Series router connected to a RADIUS authentication server. One interface on the router is configured for captive portal. In this example, the interface is configured in multiple supplicant mode.
Configuration
To configure captive portal on your router:
CLI Quick Configuration
To quickly configure captive portal on the router after completing the tasks in the Requirements section, copy the following commands and paste them into the router terminal window:
[edit]
set system services web-management http
set system services web-management https local-certificate my-signed-cert
set protocols captive-portal-custom-options secure-authentication https
set protocols authentication-access-control interface ge-0/0/10.0 supplicant multiple
set protocols authentication-access-control static 00:10:12:e0:28:22
set protocols captive-portal-custom-options post-authentication-url http://www.my-home-page.com
Procedure
Step-by-Step Procedure
To configure captive portal on the router:
Enable HTTP access on the router:
[edit]
user@router# set system services web-management http
To create a secure channel for Web access to the router, configure captive portal for HTTPS:
Note: You can enable HTTP without enabling HTTPS, but we recommend HTTPS for security purposes.
Associate the security certificate with the Web server and enable HTTPS access on the router:
[edit]
user@router# set system services web-management https local-certificate my-signed-cert
Configure captive portal to use HTTPS:
[edit]
user@router# set protocols captive-portal-custom-options secure-authentication https
Enable an interface for captive portal:
[edit]
user@router# set protocols authentication-access-control interface ge-0/0/10.0 supplicant multiple
(Optional) Allow specific clients to bypass captive portal:
Note: If the client is already attached to the router, you must clear its MAC address from captive portal authentication by using the clear captive-portal mac-address mac-address command after adding its MAC address to the allowlist. Otherwise the new entry for the MAC address will not be added to the Ethernet switching table and authentication bypass will not be allowed.
[edit]
user@router# set protocols authentication-access-control static 00:10:12:e0:28:22
Note: Optionally, you can use set ethernet-switching-options authentication-whitelist 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit the scope to the interface.
(Optional) To redirect clients to a specified page rather than the page they originally requested, configure the post-authentication URL:
[edit]
user@router# set protocols captive-portal-custom-options post-authentication-url http://www.my-home-page.com
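Before committing, it is worth checking that the set commands from the steps above are consistent with each other: secure-authentication https only helps if web-management https actually has a certificate behind it, an HTTP-only portal sends the user's credentials in cleartext, and an allowlist entry that is not a well-formed MAC address silently bypasses nothing. The following Python script is an added example, not part of this documentation page and not Juniper code; it audits a list of Junos set commands offline. The two configurations inside it are constructed: PAGE_CONFIG mirrors the CLI Quick Configuration above, and WEAK_CONFIG is a deliberately incomplete variant used to show the findings.

```python
import re
from typing import List

# Constructed input: the set commands from this example's CLI Quick Configuration.
PAGE_CONFIG = """
set system services web-management http
set system services web-management https local-certificate my-signed-cert
set protocols captive-portal-custom-options secure-authentication https
set protocols authentication-access-control interface ge-0/0/10.0 supplicant multiple
set protocols authentication-access-control static 00:10:12:e0:28:22
set protocols captive-portal-custom-options post-authentication-url http://www.my-home-page.com
"""

# Constructed weak variant: HTTP only, HTTPS requested for the portal without a
# certificate-backed web server, and a malformed allowlist entry.
WEAK_CONFIG = """
set system services web-management http
set protocols captive-portal-custom-options secure-authentication https
set protocols authentication-access-control interface ge-0/0/10.0 supplicant multiple
set protocols authentication-access-control static 00:10:12:e0:28
"""

# Six colon-separated hex octets, with the optional /48 mask Junos shows in the results.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}(/48)?$", re.IGNORECASE)


def parse_set_commands(text: str) -> List[List[str]]:
    """Turn 'set ...' lines into token lists; blank lines and # comments are skipped."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] != "set":
            raise ValueError(f"not a set command: {line}")
        commands.append(tokens[1:])
    return commands


def audit_captive_portal(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks on this page pass."""
    commands = parse_set_commands(text)
    findings = []

    web = ["system", "services", "web-management"]
    has_http = any(c[:4] == web + ["http"] for c in commands)
    has_https = any(c[:4] == web + ["https"] for c in commands)
    has_cert = any(c[:4] == web + ["https"] and "local-certificate" in c for c in commands)

    cp_opts = ["protocols", "captive-portal-custom-options"]
    wants_https = any(c[:4] == cp_opts + ["secure-authentication", "https"] for c in commands)

    aac = ["protocols", "authentication-access-control"]
    interfaces = [c[3] for c in commands if c[:3] == aac + ["interface"] and len(c) > 3]
    allowlist = [c[3] for c in commands if c[:3] == aac + ["static"] and len(c) > 3]

    if has_http and not has_https:
        findings.append("only HTTP web-management is enabled: the login page, and the "
                        "credentials typed into it, would travel in cleartext")
    if wants_https and not has_cert:
        findings.append("secure-authentication https is set but web-management https "
                        "has no local-certificate, so the portal cannot be served over TLS")
    if not interfaces:
        findings.append("no interface is enabled for captive portal")
    for mac in allowlist:
        if not MAC_RE.match(mac):
            findings.append(f"allowlist entry {mac!r} is not a valid MAC address")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_captive_portal(cfg) or "OK")
```

Run against the page's own commands the audit returns no findings; against the weak variant it reports the cleartext portal, the missing certificate and the malformed allowlist entry. The checks are purely syntactic on the set commands, so they complement rather than replace a commit check on the router.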
Results
Display the results of the configuration:
[edit]
user@router# show
system {
    services {
        web-management {
            http;
            https {
                local-certificate my-signed-cert;
            }
        }
    }
}
security {
    certificates {
        local {
            my-signed-cert { "-----BEGIN RSA PRIVATE KEY-----\nMIICXwIBAAKBgQDk8sUggnXdDUmr7TvLv63yJq/LRpDASfIDZlX3z9ZDe1Kfk5C9\nr/tkyvzv ... Pt5YmvWDoGo0mSjoE/liH0BqYdh9YGqv3T2IEUfflSTQQHEOShS0ogWDHF\nnyOb1O/vQtjk20X9NVQgJHBwidssY9eRp\n-----END CERTIFICATE-----\n"; ## SECRET-DATA
        }
    }
}
protocols {
    authentication-access-control {
        static 00:10:12:e0:28:22/48;
        interface {
            ge-0/0/10.0 {
                supplicant multiple;
            }
        }
        custom-captive-portal-options {
            secure-authentication https;
            post-authentication-url http://www.my-home-page.com;
        }
    }
}
Verification
To confirm that captive portal is configured and working properly, perform these tasks:
- Verifying That Captive Portal Is Enabled on the Interface
- Verify That Captive Portal Is Working Correctly
Verifying That Captive Portal Is Enabled on the Interface
Purpose
Verify that captive portal is configured on interface ge-0/0/10.
Action
Use the operational mode command show captive-portal interface interface-name detail:
user@router> show captive-portal interface ge-0/0/10.0 detail
ge-0/0/10.0
  Supplicant mode: Multiple
  Number of retries: 3
  Quiet period: 60 seconds
  Configured CP session timeout: 3600 seconds
  Server timeout: 15 seconds
Meaning
The output confirms that captive portal is configured on interface ge-0/0/10 with the default settings for number of retries, quiet period, CP session timeout, and server timeout.
Verify That Captive Portal Is Working Correctly
Purpose
Verify that captive portal is working on the router.
Action
Connect a client to interface ge-0/0/10. From the client, open a Web browser and request a webpage. The captive portal login page that you designed should be displayed. After you enter your login information and are authenticated against the RADIUS server, the Web browser should display either the page you requested or the post-authentication URL that you configured.
Troubleshooting
To troubleshoot captive portal, perform these tasks:
Troubleshooting Captive Portal
Problem
The router does not return the captive portal login page when a user connected to a captive portal interface on the router requests a Web page.
Solution
You can examine the ARP, DHCP, HTTPS, and DNS counters—if one or more of these counters are not incrementing, this provides an indication of where the problem lies. For example, if the client cannot get an IP address, check the router interface to determine whether the DHCP counter is incrementing—if the counter increments, the DHCP packet was received by the router.
user@router> show captive-portal firewall ge-0/0/10.0
ge-0/0/10.0
  Filter name: dot1x_ge-0/0/10
  Counters:
    Name                         Bytes      Packets
    dot1x_ge-0/0/10_CP_arp       7616       119
    dot1x_ge-0/0/10_CP_dhcp      0          0
    dot1x_ge-0/0/10_CP_http      0          0
    dot1x_ge-0/0/10_CP_https     0          0
    dot1x_ge-0/0/10_CP_t_dns     0          0
    dot1x_ge-0/0/10_CP_u_dns     0          0
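The reasoning in the Solution above, that the first counter which stays at zero after an active one tells you where the client is stuck, can be automated when you are collecting this output from many interfaces. The following Python script is an added example, not part of this documentation page and not Juniper code; it parses the show captive-portal firewall output and names the stalled stage. The sample output embedded in it is constructed to match the one shown above, and the per-stage hints are the editor's reading of that troubleshooting advice, not text from the page.

```python
import re
from typing import Dict, Optional

# Constructed sample: the show captive-portal firewall output from the Troubleshooting
# section, with ARP packets counted but nothing beyond it.
SAMPLE_OUTPUT = """
user@router> show captive-portal firewall ge-0/0/10.0
ge-0/0/10.0
  Filter name: dot1x_ge-0/0/10
  Counters:
    Name                         Bytes      Packets
    dot1x_ge-0/0/10_CP_arp       7616       119
    dot1x_ge-0/0/10_CP_dhcp      0          0
    dot1x_ge-0/0/10_CP_http      0          0
    dot1x_ge-0/0/10_CP_https     0          0
    dot1x_ge-0/0/10_CP_t_dns     0          0
    dot1x_ge-0/0/10_CP_u_dns     0          0
"""

# One counter row: <filter>_CP_<name> <bytes> <packets>
COUNTER_RE = re.compile(r"^\s*\S+_CP_(\w+)\s+(\d+)\s+(\d+)\s*$")

# Order in which a freshly connected client normally produces traffic; the first
# stage with no packets after the last active one is where to look.
STAGES = [
    ("arp", ("arp",)),
    ("dhcp", ("dhcp",)),
    ("dns", ("t_dns", "u_dns")),
    ("web", ("http", "https")),
]

# Hypothetical hints written for this example, following the page's troubleshooting logic.
HINTS = {
    "arp": "no ARP seen: check the client's link and that it is on the captive portal interface",
    "dhcp": "ARP seen but no DHCP: the client is not obtaining an address through this interface",
    "dns": "address traffic seen but no DNS: the client cannot resolve the requested name",
    "web": "DNS seen but no HTTP/HTTPS: the browser request never reached the portal redirect",
}


def parse_cp_counters(text: str) -> Dict[str, int]:
    """Map each _CP_ counter name (arp, dhcp, t_dns, ...) to its packet count."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters


def stalled_stage(counters: Dict[str, int]) -> Optional[str]:
    """Return the first stage still at zero after the last active one, or None if all saw traffic."""
    last_active = -1
    for i, (_, keys) in enumerate(STAGES):
        if any(counters.get(k, 0) > 0 for k in keys):
            last_active = i
    if last_active == len(STAGES) - 1:
        return None
    return STAGES[last_active + 1][0]


def diagnose(text: str) -> str:
    """Turn raw command output into a one-line troubleshooting hint."""
    stage = stalled_stage(parse_cp_counters(text))
    if stage is None:
        return "all counters increment: the portal was reached; check the login page and RADIUS"
    return HINTS[stage]


if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT))
```

For the sample output the script reports the DHCP stage, matching the page's reading of that output. Because it looks for the last stage that saw traffic rather than the first zero, a client with a static address (DHCP at zero but DNS and HTTP incrementing) is not misreported as a DHCP problem.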