8.3 9 Configuring A Captive Portal

Author fotoperfecta

Configuring a captive portal is a fundamental skill for network administrators who need to provide guest access while keeping control over the wireless LAN. A captive portal intercepts unauthenticated users and redirects them to a login or acceptance page before granting network access. It is common in hotels, campuses, coffee shops, and enterprise environments where visitors must agree to terms of service or authenticate with credentials. This guide walks through the concepts, prerequisites, configuration steps (GUI and CLI), and troubleshooting tips for a reliable captive-portal deployment.


Understanding Captive Portals

A captive portal is a web‑based authentication mechanism that sits between a wireless client and the network infrastructure. When a device associates with an SSID that has web authentication enabled, the client's HTTP traffic is intercepted and redirected to a predefined splash page. Only after the user successfully authenticates—through a local username/password database, a RADIUS server, social login, or simple acceptance of a terms‑of‑service page—is traffic allowed to pass. One caveat to keep in mind: the controller can only redirect HTTPS requests by presenting a certificate for a hostname it does not own, so HTTPS interception produces a browser warning. In practice the redirect relies on plain‑HTTP requests, including the HTTP probe URLs that modern operating systems fetch automatically to detect a portal.

Key components of a captive‑portal deployment include:

  • WLAN Controller (WLC) or access point that enforces the redirection.
  • Authentication server (local user database, RADIUS, LDAP, or external portal).
  • Splash page (HTML file hosted on the controller or an external web server).
  • ACL or port‑based policies that define what traffic is allowed before and after authentication.
  • RADIUS accounting (optional) for tracking session usage.

Understanding how these pieces interact helps you avoid common pitfalls such as misdirected redirects, authentication loops, or unintended open access.


Prerequisites Before Configuration

Before diving into the actual configuration, verify that the following conditions are met:

  1. Firmware Version – Ensure the controller runs a release that supports web authentication. The Catalyst 9800 series runs Cisco IOS XE, while the 5500/8500 series run AireOS (8.x); both support web authentication in current releases, but GUI labels and CLI syntax differ, so check the configuration guide for your exact release.
  2. Network Connectivity – The controller must have reachability to the authentication server (RADIUS/LDAP) and, if using an external splash page, to the web server hosting that page.
  3. IP Addressing – Configure a dedicated VLAN or subnet for guest users if isolation is required. Assign an appropriate DHCP scope or static IP pool.
  4. Certificates – For HTTPS redirection and for the login page itself, upload a server certificate whose subject matches the hostname (or virtual IP) used in the redirect URL and that guest devices already trust. An untrusted or self‑signed certificate produces a browser warning on every login and is acceptable only for lab testing.
  5. Access Credentials – Have administrative access to the controller’s GUI or CLI, and know the RADIUS shared secret if using an external server.
  6. Backup – Always export the current configuration before making changes, so you can roll back if needed.

Meeting these prerequisites reduces the chance of configuration errors and speeds up the verification phase.


Step‑by‑Step Configuration (GUI Method)

Most administrators prefer the graphical user interface for its visual feedback. Below is a walkthrough for a Cisco Catalyst 9800 Series WLC. Menu names vary between releases and between IOS XE and AireOS controllers, but the steps are analogous on other platforms.

1. Create the Guest WLAN

  1. Log in to the WLC GUI → WLANs → Create New.
  2. Enter a Profile Name (e.g., Guest_WLAN) and SSID.
  3. Set WLAN ID (e.g., 20) and click Apply.
  4. Under the Security tab:
    • Choose Layer 3 Web Authentication.
    • Select Authentication → RADIUS (or Local if using the built‑in user database).
    • If using RADIUS, fill in the server IP, shared secret, and authentication port (default 1812).
    • Enable Authentication List and select the appropriate RADIUS server group.
  5. Under the Advanced tab:
    • Tick WebAuth Authentication.
    • Choose Splash Page Redirect → External (if hosting on an outside web server) or Internal (if using the controller's built‑in page).
    • For internal, click Edit to upload your custom HTML splash page or use the default.
    • Set HTTP/HTTPS Port (usually 80/443) for redirection.
  6. Click Apply to save the WLAN.

2. Configure the Authentication Server (if RADIUS)

  1. Navigate to Security → AAA → RADIUS.
  2. Click Add to define a new RADIUS server.
  3. Enter:
    • Server Name (e.g., RADIUS-Guest).
    • IP Address of the RADIUS server.
    • Shared Secret (matching the server’s configuration).
    • Authentication Port (1812) and Accounting Port (1813 if accounting is required).
  4. Click Apply, then Create Server Group if you want to group multiple servers.
  5. Return to the WLAN’s Security tab and select the newly created server group under Authentication List.

3. Define Pre‑Authentication ACL (Optional but Recommended)

To limit what unauthenticated guests can do (e.g., only allow DNS and HTTP/HTTPS to the splash page), create an ACL:

  1. Go to Security → ACL → Preauthentication ACL.
  2. Click Add, name it (e.g., PRE_AUTH_GUEST).
  3. Add rules:
    • Permit UDP any host <guest‑resolver‑IP> eq 53 (DNS). DNS must be allowed for the redirect to work, but an any‑to‑any DNS rule also gives unauthenticated clients a DNS‑tunnelling path off the network, so restrict it to the resolver that the guest DHCP scope hands out.
    • Permit TCP any host <splash‑page‑IP> eq 80 and eq 443 (HTTP/HTTPS). Note the destination: a rule written as permit tcp any any eq 80 lets unauthenticated guests browse any web server on that port before they log in.
    • Deny all other traffic (an ACL ends with an implicit deny, but stating it explicitly makes the intent visible in reviews).
  4. Save the ACL.
  5. In the WLAN’s Advanced tab, under Preauthentication ACL, select the ACL you just created.
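The difference between the loose and the tightened rule set is easiest to see by evaluating both against sample traffic. The following Python model is an added example, not Cisco's ACL implementation: it reproduces first‑match semantics with an implicit deny and runs a handful of constructed packets through the rules as written in the walkthrough ("permit tcp any any eq 80/443") and through the destination‑restricted version. The addresses (splash page 192.0.2.20, guest resolver 192.0.2.53, guest client 10.20.0.15) are assumed placeholders from documentation ranges.

```python
"""Pre-authentication ACL evaluator (added example, not the controller's own code).

First matching rule wins; a packet that matches nothing is denied, mirroring the
implicit deny at the end of a Cisco ACL.  Placeholder addresses are assumed:
splash page 192.0.2.20, guest resolver 192.0.2.53, guest client 10.20.0.15.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

SPLASH = "192.0.2.20"      # assumed splash-page server address
RESOLVER = "192.0.2.53"    # assumed resolver handed out by the guest DHCP scope


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str = "0.0.0.0/0"     # "any"
    dst: str = "0.0.0.0/0"     # "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: Iterable[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under first-match semantics."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"              # implicit deny


# The rules as written in the walkthrough: ports restricted, destinations not.
LOOSE_ACL = [
    Rule("permit", "udp", dport=53),
    Rule("permit", "tcp", dport=80),
    Rule("permit", "tcp", dport=443),
]

# The tightened version: DNS only to the guest resolver, web only to the splash page.
TIGHT_ACL = [
    Rule("permit", "udp", dst=RESOLVER + "/32", dport=53),
    Rule("permit", "tcp", dst=SPLASH + "/32", dport=80),
    Rule("permit", "tcp", dst=SPLASH + "/32", dport=443),
    Rule("deny", "ip"),        # explicit deny, same effect as the implicit one
]

# Constructed sample flows from an unauthenticated guest client.
SAMPLE_PACKETS = {
    "dns_to_guest_resolver": Packet("udp", "10.20.0.15", RESOLVER, 53),
    "dns_to_external_resolver": Packet("udp", "10.20.0.15", "198.51.100.1", 53),
    "http_to_splash": Packet("tcp", "10.20.0.15", SPLASH, 80),
    "https_to_splash": Packet("tcp", "10.20.0.15", SPLASH, 443),
    "https_to_internet": Packet("tcp", "10.20.0.15", "203.0.113.7", 443),
    "ssh_to_internal": Packet("tcp", "10.20.0.15", "192.0.2.100", 22),
    "ping_splash": Packet("icmp", "10.20.0.15", SPLASH),
}

# Flows that must stay blocked until the guest has logged in.
UNWANTED = {"dns_to_external_resolver", "https_to_internet", "ssh_to_internal", "ping_splash"}


def verdicts(acl: Iterable[Rule]) -> dict:
    """Map each sample flow name to the ACL's verdict."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


def leaks(acl: Iterable[Rule]) -> list:
    """Names of unwanted flows the ACL permits, i.e. pre-login access it should not grant."""
    return sorted(n for n, v in verdicts(acl).items() if v == "permit" and n in UNWANTED)


if __name__ == "__main__":
    for label, acl in (("loose", LOOSE_ACL), ("tight", TIGHT_ACL)):
        print(label, verdicts(acl), "leaks:", leaks(acl))
```

Run stand‑alone, the loose rule set permits the external‑resolver DNS query and the HTTPS session to an arbitrary Internet host; the tightened set permits only the two flows the login actually needs.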

4. Enable the WLAN and Apply Changes

  1. Return to the WLANs list.
  2. Locate your guest WLAN and check the Status box to enable it.
  3. Click Apply and then Save Configuration.

Step‑by‑Step Configuration (CLI Method)

For those who prefer the command line or need to script the deployment, the following Cisco IOS XE commands configure the same guest WLAN on a Catalyst 9800 WLC. Adjust names, addresses, and the shared secret as needed, and verify the syntax against the configuration guide for your release.

! Cisco IOS XE syntax for a Catalyst 9800. Placeholder values used below:
! RADIUS server 192.0.2.10, splash-page server 192.0.2.20, guest resolver
! 192.0.2.53, web-auth virtual IP 192.0.2.1, guest VLAN 20, secret SecretKey.
configure terminal
!
! 1. AAA: the RADIUS server and the login list the WLAN will reference
aaa new-model
radius server RADIUS-Guest
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SecretKey
!
aaa group server radius Guest_RADIUS_Group
 server name RADIUS-Guest
!
aaa authentication login Guest_WebAuth group Guest_RADIUS_Group
aaa authorization network default local
!
! 2. The controller must run its HTTP server to intercept and serve the login page
ip http server
ip http secure-server
!
! 3. Web-auth parameter maps: the global map needs a virtual IP; the WLAN map
!    points at an external splash page (omit the redirect lines to use the
!    controller's built-in page instead)
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
parameter-map type webauth Guest_WebAuth_Map
 type webauth
 redirect for-login https://portal.example.com/login.html
 redirect portal ipv4 192.0.2.20
!
! 4. Pre-authentication ACL: DNS to the guest resolver, web only to the splash page
ip access-list extended PRE_AUTH_GUEST
 permit udp any host 192.0.2.53 eq domain
 permit tcp any host 192.0.2.20 eq www
 permit tcp any host 192.0.2.20 eq 443
 deny ip any any
!
! 5. Open WLAN with Layer 3 web authentication (Layer 2 WPA is removed; the
!    web-auth step is the only authentication on this SSID)
wlan Guest_WLAN 20 Guest_WiFi
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security web-auth
 security web-auth authentication-list Guest_WebAuth
 security web-auth parameter-map Guest_WebAuth_Map
 ip access-group web PRE_AUTH_GUEST
 no shutdown
!
! 6. Policy profile and policy tag: on the 9800 a WLAN is only broadcast once
!    it is mapped to a policy profile in a policy tag assigned to the APs
wireless profile policy Guest_Policy
 vlan 20
 no shutdown
wireless tag policy Guest_Tag
 wlan Guest_WLAN policy Guest_Policy
end
write memory

Troubleshooting and Common Issues

Even with careful configuration, issues can arise. Here’s a breakdown of common problems and how to address them:

  • Authentication Failures: Verify the shared secret matches exactly on both the WLC and the RADIUS server, and double-check IP addresses and port numbers. Ensure the RADIUS server is reachable from the WLC; on IOS XE, test aaa group <server-group> <user> <password> new-code exercises the RADIUS path from the controller itself, which separates a AAA problem from a client problem.
  • Splash Page Not Displaying: Confirm the HTTP/HTTPS ports are correctly configured and, on IOS XE, that ip http server is enabled. Test with a plain HTTP URL first: an HTTPS URL cannot be redirected without a certificate warning, so a client that only ever opens HTTPS sites may never see the page. If using an external splash page, ensure DNS resolution works for unauthenticated clients, that the pre-authentication ACL permits traffic to the external server's address, and that the server's own firewall accepts the connections.
  • Limited Connectivity: The pre-authentication ACL is crucial, and it fails in both directions. Too tight, and the redirect or login page never loads; too loose (for example, web traffic permitted to any destination), and guests have usable Internet access before they log in. Review the rules against the two flows the login actually needs: DNS to the guest resolver and HTTP/HTTPS to the splash page.
  • Client Stuck Before Login: On IOS XE, show wireless client mac-address <mac> detail shows the client's policy state. A client that never leaves the web-auth-pending state has not completed the login, which points at the redirect or the AAA path rather than at the WLAN itself.
  • RADIUS Server Errors: Examine the RADIUS server logs for errors. Common causes include incorrect shared secrets, overloaded servers, or network connectivity problems.
  • WLAN Not Enabled: Ensure the WLAN is enabled and the configuration has been applied and saved. A failed save can leave the WLAN in a disabled state, and on the 9800 a WLAN that is not mapped to a policy profile and policy tag is never broadcast at all.
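A quick way to verify enforcement from the guest side is to do what the operating systems do: fetch a well‑known HTTP probe URL from an unauthenticated device and compare the reply with what the real server returns. The following Python script is an added example, not part of the original guide: classify() works on raw HTTP responses so it can be exercised offline on constructed samples, and probe() performs the live fetch without following redirects. The portal hostname portal.example.com and the sample responses are assumptions; the probe URLs and their genuine replies are the ones Apple, Android, and Windows use for captive‑portal detection.

```python
"""Client-side captive-portal check (added example, not from the original guide).

A correctly enforced portal answers an HTTP probe with a redirect to the splash
page over HTTPS.  The genuine probe reply reaching the client means the WLAN is
passing traffic without authentication; a redirect elsewhere points at a
misconfigured or rogue portal.  portal.example.com and the raw responses below
are constructed placeholders.
"""
import http.client
from urllib.parse import urlsplit

# Well-known probe URLs and the reply the genuine server sends: (url, status, body marker).
PROBES = {
    "apple": ("http://captive.apple.com/hotspot-detect.html", 200, b"Success"),
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, b""),
    "microsoft": ("http://www.msftconnecttest.com/connecttest.txt", 200, b"Microsoft Connect Test"),
}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes, probe: str, portal_host: str) -> str:
    """Return 'portal-ok', 'portal-insecure', 'unexpected-redirect', 'open-access' or 'blocked'."""
    _, expected_status, marker = PROBES[probe]
    status, headers, body = parse_response(raw)
    if status in (301, 302, 303, 307) and "location" in headers:
        target = urlsplit(headers["location"])
        if target.hostname != portal_host:
            return "unexpected-redirect"   # sent somewhere other than our splash page
        return "portal-ok" if target.scheme == "https" else "portal-insecure"
    if status == expected_status and marker in body:
        return "open-access"               # genuine reply arrived: nothing intercepted it
    return "blocked"                       # no redirect and no genuine reply


# Constructed responses as an unauthenticated client might receive them.
SAMPLES = {
    "redirected": (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://portal.example.com/login.html?redirect=captive.apple.com\r\n"
                   b"Content-Length: 0\r\n\r\n"),
    "cleartext_redirect": (b"HTTP/1.1 302 Found\r\n"
                           b"Location: http://portal.example.com/login.html\r\n"
                           b"Content-Length: 0\r\n\r\n"),
    "wrong_host": b"HTTP/1.1 302 Found\r\nLocation: https://login.attacker.example/\r\n\r\n",
    "passthrough": (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
}


def check_samples(portal_host: str = "portal.example.com") -> dict:
    """Classify every constructed sample against the Apple probe."""
    return {name: classify(raw, "apple", portal_host) for name, raw in SAMPLES.items()}


def probe(name: str, portal_host: str, timeout: float = 5.0) -> str:
    """Live check from a guest device; http.client does not follow redirects."""
    url, _, _ = PROBES[name]
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
    resp = conn.getresponse()
    raw = (f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
           + "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
           + "\r\n").encode("iso-8859-1") + resp.read()
    conn.close()
    return classify(raw, name, portal_host)


if __name__ == "__main__":
    print(check_samples())
    # From an unauthenticated guest device: print(probe("apple", "portal.example.com"))
```

Of the four sample outcomes only "portal-ok" is acceptable; "open-access" is the one to treat as an incident rather than a nuisance, since it means the WLAN is passing traffic before anyone has logged in.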

Conclusion

Configuring a guest Wi-Fi network on a Cisco Catalyst 9800 Wireless LAN Controller is a multi-step process: WLAN creation, web-authentication policy definition, RADIUS server integration (if applicable), and pre-authentication ACL configuration. By following the procedures outlined above, through the GUI or the CLI, administrators can establish a guest SSID that grants access only after authentication. Thorough testing from an unauthenticated client and ongoing monitoring are essential to keep it that way. Regularly reviewing the configuration and logs helps identify and resolve issues early, maintaining a reliable and user-friendly guest Wi-Fi experience.
