Configuring Captive Portal Authentication on MX Series Routers in Enhanced LAN Mode
This example uses Junos OS for MX240, MX480, and MX960 routers with support for the Enhanced LAN mode configuration style. If your router does not run MX-LAN mode, you cannot configure port-based authentication settings in the same manner as described in this section.
If you remove the network-services lan statement at the [edit chassis] hierarchy level, the system does not run in MX-LAN mode. Therefore, all of the settings that are supported outside of the MX-LAN mode are displayed and are available for definition in the CLI interface. In such a scenario, you must use the statements at the [edit protocols dot1x] hierarchy level to configure 802.1x and MAC RADIUS authentication, and the options at the [edit services captive-portal] hierarchy level to configure captive portal authentication. In MX-LAN mode, you can configure all the port-based network access control methodologies using the statements at the [edit protocols authentication-access-control] hierarchy level.
Starting with Junos OS Release 14.2, you can configure captive portal authentication (hereafter referred to as captive portal) on an MX Series router so that users connected to the router are authenticated before being allowed to access the network. When the user requests a webpage, a login page is displayed that requires the user to enter a username and password. Upon successful authentication, the user is allowed to continue with the original page request and has subsequent access to the network.
Before you begin, be sure you have:
Performed basic bridging and VLAN configuration on the router.
Generated an SSL certificate and installed it on the router.
Configured basic access between the MX Series router and the RADIUS server.
Designed your captive portal login page.
This topic includes the following tasks:
Configuring Secure Access for Captive Portal
To configure secure access for captive portal:
Enabling an Interface for Captive Portal
To enable an interface for use with captive portal authentication:
[edit]
user@router# set authentication-access-control interface ge-0/0/10
Configuring Bypass of Captive Portal Authentication
You can allow specific clients to bypass captive portal authentication:
[edit]
user@router# set authentication-access-control static 00:10:12:e0:28:22
Optionally, you can use set authentication-access-control static 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit the scope to the interface.
If the client is already attached to the router, you must clear its MAC address from the captive portal authentication by using the clear captive-portal mac-address session-mac-addr command after adding its MAC address to the allowlist. Otherwise, the new entry for the MAC address will not be added to the Ethernet switching table and the authentication bypass will not be allowed.
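A review aid for the bypass allowlist described above, added here as an example and not part of the original documentation: it scans configuration text in "display set" form for static bypass entries and reports those that are not limited to an interface, are written in an unexpected MAC format, or have the multicast bit set. The sample configuration is constructed, and accepting an optional protocols prefix on the statement is an assumption.

```python
import re

# Static bypass statement as shown on this page, in "display set" form.
# Assumption: an optional "protocols" prefix is accepted as well.
STATIC_RE = re.compile(
    r"^set\s+(?:protocols\s+)?authentication-access-control\s+static\s+"
    r"(?P<mac>\S+)(?:\s+interface\s+(?P<ifname>\S+))?$"
)
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")

# Constructed sample input; only the first static MAC comes from the page.
SAMPLE = """\
set authentication-access-control interface ge-0/0/10
set authentication-access-control static 00:10:12:e0:28:22
set authentication-access-control static 00:10:12:E0:28:23 interface ge-0/0/10.0
set protocols authentication-access-control static 01:00:5e:00:00:01 interface ge-0/0/10.0
set authentication-access-control static 0010.12e0.2824
"""


def audit_bypass(config_text):
    """Return (entries, findings) for static captive portal bypass entries."""
    entries = {}    # normalized MAC -> set of interfaces (None = not scoped)
    findings = []   # (line number or None, MAC, issue)
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mac = m.group("mac").lower()
        if not MAC_RE.match(mac):
            findings.append((lineno, mac, "unexpected MAC format"))
            continue
        entries.setdefault(mac, set()).add(m.group("ifname"))
    for mac, scopes in sorted(entries.items()):
        if not scopes - {None}:
            findings.append((None, mac, "bypass not limited to an interface"))
        if int(mac[:2], 16) & 1:
            findings.append((None, mac, "multicast bit set in allowlisted MAC"))
    return entries, findings


if __name__ == "__main__":
    for lineno, mac, issue in audit_bypass(SAMPLE)[1]:
        where = f"line {lineno}" if lineno else "config"
        print(f"{where}: {mac}: {issue}")
```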