Captive portal authentication (external web authentication)

Captive portal authentication provides a means to authenticate clients through an external web server. A client that seeks web access to a network is redirected to the authentication web login page hosted on an external network access control (NAC) server (such as Ruckus Cloudpath, Aruba ClearPass, or Cisco ISE) that is integrated with the RADIUS server.

Note: Because the authentication server and web login page reside on an external server, captive portal authentication may also be referred to as external web authentication. These two terms are used interchangeably.

To equip the ICX switch to handle the HTTP redirection mechanism, configuration details specific to the NAC server, such as the virtual IP address, the HTTP or HTTPS protocol port number, and the login page hosted on the NAC server, must be specified on the switch. Upon receiving the redirected web access request, the NAC server serves the login page to the client, which in turn submits the user login credentials. The NAC server then returns the credentials, sending the username, password, and default URL of the web page to the network access server (NAS), or switch.
Note: For details on configuring external captive portal on a NAC server, refer to the user manual for the NAC server being used. ICX switches support Ruckus Cloudpath, Aruba ClearPass, and Cisco ISE servers.
  • For the Ruckus Cloudpath server, refer to the Cloudpath ES 5.2 Deployment Guide (at this URL: https://support.ruckuswireless.com/documents/2006).
  • For the Aruba ClearPass server, refer to the Aruba ClearPass Guest User Guide. Use the ClearPass Guest 6.4 User Guide, because 6.4 is the version used for validation.
  • For the Cisco ISE server, refer to Cisco Identity Services Engine documentation.
The ICX switch uses these credentials to initiate the authentication process through the RADIUS server, which is integrated with the NAC server.
Note: The RADIUS server on the ICX switch and the one integrated with the NAC server must have the same configuration.

The RADIUS server validates the user credential information and, if the client is authenticated, the client is redirected to the URL provided by the server. For information about re-authentication and login failure behavior, refer to Configuring the re-authentication period and Defining the web authentication cycle.
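
The exchange described above can be modeled in a few lines to make the trust boundary visible: the NAC server only hosts the login page and relays the login, while the switch makes the access decision through RADIUS. This is an added illustration, not ICX, Cloudpath, ClearPass, or ISE code; the class, field, and method names, the address, and the login path are hypothetical, and the failure result is an assumption.

```python
import hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PortalProfile:
    """NAC details the switch must know (field names are hypothetical)."""
    scheme: str      # "http" or "https"
    virtual_ip: str
    port: int
    login_page: str

    def login_url(self):
        return f"{self.scheme}://{self.virtual_ip}:{self.port}{self.login_page}"

class Radius:
    """Stand-in for the RADIUS server behind both the switch and the NAC."""
    def __init__(self, users):
        self._users = dict(users)

    def accepts(self, username, password):
        stored = self._users.get(username)
        # Unknown users are rejected outright, even with an empty password.
        return stored is not None and hmac.compare_digest(stored, password)

class Nac:
    """Hosts the login page and hands the submitted login back to the switch."""
    def __init__(self, default_url):
        self.default_url = default_url

    def submit_login(self, username, password):
        return {"username": username, "password": password,
                "default_url": self.default_url}

@dataclass
class Switch:
    profile: PortalProfile
    radius: Radius
    authenticated: set = field(default_factory=set)

    def web_request(self, client, url):
        # Only clients that already passed RADIUS reach the requested URL.
        if client in self.authenticated:
            return ("FORWARD", url)
        return ("REDIRECT", self.profile.login_url())

    def nac_reply(self, client, reply):
        # The switch, not the NAC, makes the access decision via RADIUS.
        if self.radius.accepts(reply["username"], reply["password"]):
            self.authenticated.add(client)
            return ("REDIRECT", reply["default_url"])
        return ("DENY", None)  # assumption: failure handling is not specified here

# Constructed sample profile (documentation address range, made-up path).
PROFILE = PortalProfile("https", "192.0.2.10", 443, "/guest/login")
```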