Device Security 127
All new captive portal instances are also assigned to the "Default" group. The administrator can create
new groups and modify the user/group association to only allow a subset of users access to a specific
captive portal instance. Network access is granted upon successful verification of user credentials.
A remote RADIUS server can be used for client authentication. RADIUS authentication and accounting
servers are configured separately from the captive portal configuration. In order to perform
authentication/accounting via RADIUS, the administrator configures one or more RADIUS servers and
then references the server(s) using their name in the captive portal configuration (each captive portal
instance can be assigned one RADIUS authentication server and one RADIUS accounting server). If
RADIUS is enabled for a captive portal configuration and no RADIUS servers are assigned, the captive
portal activation status indicates the instance is disabled with an appropriate reason code.
The Table 5-1 shows the RADIUS attributes that are used to configure captive portal users. The table
indicates both RADIUS attributes and vendor specific attributes (VSA) that are used to configure
Captive Portal. VSAs are denoted in the id column and are comma delimited (vendor id, attribute id).
Table 5-1. Captive Portal RADIUS Attributes
A Captive Portal instance can be configured to use the HTTPS protocol during its user verification
process. The connection method for HTTPS uses the Secure Sockets Layer (SSL) protocol which
requires a certificate to provide encryption. The certificate is presented to the user at connection time.
The Captive Portal component uses the same certificate that is used by the switch for Secure HTTP
connections. This certificate can be generated by the administrator using a CLI command. If a captive
portal instance is configured for the HTTPS protocol and there is not a valid certificate present on the
system, the captive portal instance status shows Disabled with an appropriate reason code.
Client Authentication Logout Request
The administrator can configure and enable 'user logout'. This feature allows the authenticated client to
deauthenticate from the network.
Radius Attribute # Description Range Usage Default
User-Name 1 User name to be authorized 1-32 characters Required None
User-Password 2 User password 8-64 characters Required None
Session-Timeout 27 Logout once session timeout is
reached (seconds). If the attribute is 0
or not present then use the value
configured for the captive portal.
Integer
(seconds)
Optional 0
Captive-Portal-
Groups
6231,
127
A comma-delimited list of group
names that correspond to the
configured CP instance
configurations.
String Optional None; the
default group
is used if not
defined here.