¶ Introduction to Captive Portal on Cisco
This instruction shows how to configure HTTP/HTTPS redirection for logging in via Captive Portal on Cisco switches with IOS version 15. Unlike the Captive Portal (NACVIEW) manual, available on our website, it does not require connectivity to NACVIEW in the second layer (L2).
Remember to adapt the following markings to your environment in this document:
NACVIEW_SERV - NACVIEW server IP address.
WEBAUTH - name of the access list used to allow traffic on the port only to the CP (before authorization in the CP, after authorization by MAC).
WEBAUTH-SUCCESS - the name of the access list used to allow traffic after authorization. This example uses an allow list for all hosts on the network, but to ensure complete network security, it is essential that the target ACL only allows access to the necessary network resources and traffic only to the necessary protocols.
REDIRECT - the name of the access list used to intercept HTTP/HTTPS traffic and direct it to the CP.
¶ How to configure Captive Portal on Cisco IOS 15 switches?
It can be done in a few following steps.
¶ 1. Switch configuration
1.1. Configure the switch according to the appropriate instructions available on our website.
1.2. Use the following commands to configure three extended access lists:
C1000#configure terminal
C1000(config)#ip access-list extended WEBAUTH
C1000(config-ext-nacl)#permit udp any any eq domain
C1000(config-ext-nacl)#permit tcp any any eq domain
C1000(config-ext-nacl)#permit udp any eq bootps any
C1000(config-ext-nacl)#permit udp any any eq bootpc
C1000(config-ext-nacl)#permit udp any eq bootpc any
C1000(config-ext-nacl)#permit udp any any eq 5353
C1000(config-ext-nacl)#permit tcp any any eq 7443
C1000(config-ext-nacl)#permit tcp any any eq 7080
C1000(config-ext-nacl)#permit tcp any any eq 7081
C1000(config-ext-nacl)#permit tcp any any eq www
C1000(config-ext-nacl)#permit tcp any any eq 443
C1000(config-ext-nacl)#deny ip any any
C1000(config-ext-nacl)#exit
C1000(config)#ip access-list extended WEBAUTH_SUCCESS
C1000(config-ext-nacl)#10 permit ip any any
C1000(config-ext-nacl)#exit
C1000(config)#ip access-list extended REDIRECT
C1000(config-ext-nacl)#deny ip any host NACVIEW_SERV
C1000(config-ext-nacl)#permit tcp any any eq www
C1000(config-ext-nacl)#permit tcp any any eq 443
1.3. Configure the HTTP and HTTPS server on the switch by executing the following commands:
C1000(config)#ip http server
C1000(config)#ip http secure-server
1.4. On the interface used for authentication, configure MAB authorization, but without the command: authentication host-mode single-host.
You should also set this static destination VLAN on it switchport access vlan X and also: ACL ip access-group WEBAUTH in
¶ 2. Configuration of access policies
2.1. Go to the NACVIEW system. From the main menu select: Access Policies (section: Configuration), and then click: Add Policy.
2.2. Complete the form with the following data:
- Authorization method: MAC
- Action: VLAN access
- Whether to send VLAN Number: No
- Local CaptivePortal: Yes
Complete the rest of the form as required by your company's policy.
2.3. After saving the policy, find it in the list and click the Details button in the same row. Then select Return Attributes. Add the following parameters:
I. URL-Redirect
| I. URL-Redirect | |
|---|---|
| Parameter name: | Cisco-AVPair |
| Value: | url-redirect=https://NACVIEW_SERV:7443/?m=##M## |
| Active: | Parameter and value connector: = |
| Local captive portal: | YES (checked) |
| Active: | YES (checked) |
II. Redirect-ACL
| II. Redirect-ACL | |
|---|---|
| Parameter name: | Cisco-AVPair |
| Value: | url-redirect-acl= REDIRECT |
| Parameter and value connector: | = |
| Local captive portal: | YES (checked) |
| Active: | YES (checked) |
III. InACL
| III. InACL | |
|---|---|
| Parameter name: | Cisco-AVPair |
| Value: | inacl=WEBAUTH-SUCCESS |
| Parameter and value connector: | = |
| Local captive portal: | NO ( unchecked) |
| Active: | YES (checked) |
Please remember that some of the values marked in bold need to be adapted to the configuration of your environment. Please bare in mind particularly to replace only the IP address in the first parameter and leave this part unchanged: 7443/?m=###M###. The lack of this part in the address will result in incorrect operation of the CP.
2.4. Confirm the form with the Save button.
2.5. For the changes made to the access policies to take effect, additionally press the Install list button.
¶ 3. Captive Portal configuration
3.1. Staying in the NACVIEW system, select Captive Portal from the main menu (see: Configuration section)
3.2. Click: .png)
located in the row of the authorization portal and select: Edit (from the expanded list).
3.3. Complete the form by adding the network, to which authorization is to be performed- in the External Subnets field.
In the Captive Portal of the NACVIEW system you can also configure authorization via social networks (Facebook and Google), equally as well as the authorization via sponsor. Instructions how to do this you can find on our website
In the lower left corner of the Captive Portal edit form, there are three more drop-down lists with additional fields. In order to edit users authorization options- click login and registration settings.
After clicking Portal appearance (bottom left corner of the form), the editing fields for the message generated to the customer - in case of correct and incorrect authorization will open- the header and footer template included (in html).
3.4. Click: Save and exit.
3.5. Click the Install Configuration button in the upper right corner of the Captive Portal window.
3.6. Accept the changes by clicking Apply configuration.
3.7. Return to the portal list window and click the Captive Portal Global Settings button (upper right corner).
3.8. Enter your set number of hours for the identity authorization validity and save all.
¶ 4. Troubleshooting
I. Checking configuration status:
- Current interface configuration:
show running-config interface GigabitEthernet 1/0/2 - Current authentication configuration:
show running-config aaa - Current VLANs configuration:
show running-config vlan
II. Checking configuration operation:
- Summary of the authorization sessions present on a device (interface, IP, MAC, VLAN (if assigned by NACVIEW), session ID):
show epm session - Summary of the authorization sessions present on a device (interface, authorization method, status, session ID:
show authentication session - as above, but only only on a specific interface and authorization methods present on a given port:
show authentication session interface gigabitEthernet 1/0/2 - as above + info about what access list is present on the interface, whether there is a redirect list and redirect URL, what authorization method has been used and what its status is, and also: client IP and MAC, session ID, status and other detailed information on the authorization:
show authentication session interface gigabitEthernet 1/0/2 details - All authorization lists present on the device along with the traffic policies configured on them:
show ip access-list
III. Debugging:
- Information whether you are being redirected:
debug epm plugin redirect oraz debug ip http all - Info regarding individual stages of authorization:
debug aaa authenticationand:debug aaa authorization - Checking the communication of the network device with NACVIEW:
debug radius authentication - The log view - there are effects of debug commands saved (with the proper configuration according to the guide- these logs will also be available on NACVIEW):
show logging