Configuring Captive Portal Authentication on MX Series Routers in Enhanced LAN Mode
This example uses Junos OS for MX Series routers with support for the Enhanced LAN mode configuration style. If your router does not run MX-LAN mode, you cannot configure port-based authentication settings in the same manner as described in this section.
If you remove the network-services lan statement at the [edit chassis] hierarchy level, the system does not run in MX-LAN mode. In that case, all of the settings that are supported outside of MX-LAN mode are displayed and are available for definition in the CLI, and you must use the statements at the [edit protocols dot1x] hierarchy level to configure 802.1X and MAC RADIUS authentication, and the options at the [edit services captive-portal] hierarchy level to configure captive portal authentication. In MX-LAN mode, you can configure all the port-based network access control methodologies using the statements at the [edit protocols authentication-access-control] hierarchy level.
Configure captive portal authentication (hereafter referred to as captive portal) on an MX Series router so that users connected to the router are authenticated before being allowed to access the network. When the user requests a webpage, a login page is displayed that requires the user to input a username and password. Upon successful authentication, the user is allowed to continue with the original page request and subsequent access to the network.
Before you begin, be sure you have:
Performed basic bridging and VLAN configuration on the router.
Generated an SSL certificate and installed it on the router.
Configured basic access between the MX Series router and the RADIUS server.
Designed your captive portal login page.
This topic includes the following tasks:
Configuring Secure Access for Captive Portal
To configure secure access for captive portal:
Enabling an Interface for Captive Portal
To enable an interface for use with captive portal authentication:
[edit]
user@router# set authentication-access-control interface ge-0/0/10
Configuring Bypass of Captive Portal Authentication
You can allow specific clients to bypass captive portal authentication:
[edit]
user@router# set authentication-access-control static 00:10:12:e0:28:22
Optionally, you can use set authentication-access-control static 00:10:12:e0:28:22 interface ge-0/0/10.0 to limit the scope to the interface.
If the client is already attached to the router, then after adding its MAC address to the allowlist you must clear its MAC address from captive portal authentication by using the clear captive-portal mac-address session-mac-addr command. Otherwise, the new entry for the MAC address will not be added to the Ethernet switching table and the authentication bypass will not be allowed.
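An allowlisted MAC address skips the login page entirely, so it is worth reviewing which bypass entries are not limited to an interface. The following audit script is an added example, not Juniper code: `audit_bypass` and the sample configuration are constructed for illustration, and it assumes set-style lines in the form shown on this page and that a logical unit such as ge-0/0/10.0 belongs to the enabled interface ge-0/0/10.

```python
import re

# Constructed sample in the set-style form this page shows (not from a real router).
SAMPLE_CONFIG = """\
set authentication-access-control interface ge-0/0/10
set authentication-access-control static 00:10:12:e0:28:22
set authentication-access-control static 00:10:12:E0:28:23 interface ge-0/0/10.0
set authentication-access-control static 00:10:12:e0:28:24 interface ge-0/0/11.0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
STMT = "authentication-access-control"


def audit_bypass(config_text):
    """Return (enabled_interfaces, findings) for captive portal bypass entries."""
    enabled, entries = set(), []
    for line in config_text.splitlines():
        tokens = line.split()
        # Accept the statement with or without a leading 'protocols' keyword.
        if STMT not in tokens:
            continue
        rest = tokens[tokens.index(STMT) + 1:]
        if len(rest) >= 2 and rest[0] == "interface":
            enabled.add(rest[1])
        elif len(rest) >= 2 and rest[0] == "static":
            scoped = len(rest) >= 4 and rest[2] == "interface"
            entries.append((rest[1].lower(), rest[3] if scoped else None))

    findings = []
    for mac, scope in entries:
        if not MAC_RE.match(mac):
            findings.append((mac, "malformed MAC address"))
        elif scope is None:
            findings.append((mac, "bypass not limited to an interface"))
        # Assumption: strip the logical unit (.0) to compare with the enabled port.
        elif scope.split(".")[0] not in enabled:
            findings.append((mac, f"scoped to {scope}, not enabled for captive portal"))
    return enabled, findings


if __name__ == "__main__":
    ports, issues = audit_bypass(SAMPLE_CONFIG)
    print("captive portal interfaces:", sorted(ports))
    for mac, reason in issues:
        print(f"{mac}: {reason}")
```
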