Captive portal authentication when bridged via software switch
In a scenario where a tunnel mode SSID, or a VLAN sub-interface of an SSID, is bridged with other interfaces via a software switch, captive portal authentication on that SSID or VLAN sub-interface is now allowed. This requires the intra-switch-policy to be set to explicit when the switch interface is created, so that traffic between switch members is subject to firewall policy. Users accessing the SSID will be redirected to the captive portal for authentication.
To configure captive portal authentication on an SSID or VLAN sub-interface:
- Configure the local user:
    config user local
        edit "user1"
            set passwd *********
        next
    end
- Configure the user group:
    config user group
        edit "wifi-group"
            set member "user1"
        next
    end
- Configure the VAP:
    config wireless-controller vap
        edit "test-captive"
            set ssid "test-captive"
            set security captive-portal
            set portal-type auth+disclaimer
            set selected-usergroups "wifi-group"
            set schedule "always"
        next
    end
- Create a software switch interface consisting of a tunnel VAP with captive portal security and a physical interface (port7):
    config system switch-interface
        edit "test-ssw"
            set vdom "vdom1"
            set member "port7" "test-captive"
            set intra-switch-policy explicit
        next
    end
- Create the firewall policy:
    config firewall policy
        edit 1
            set srcintf "test-captive" "port7"
            set dstintf "port7" "test-captive"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat disable
        next
    end
- Connect the external DHCP server to the physical interface.
- Connect a WiFi client to the tunnel VAP. The client will get an IP assignment from the DHCP server and pass the captive portal authentication.
- Verify the authenticated firewall users list:
    # diagnose firewall auth list

    10.100.250.250, u1
            src_mac: fc:d8:d0:9a:8b:85
            type: fw, id: 0, duration: 29, idled: 12
            expire: 288, allow-idle: 300
            flag(100): wsso
            packets: in 229 out 162, bytes: in 192440 out 22887
            user_id: 16777218
            group_id: 2
            group_name: wifi
    ----- 1 listed, 0 filtered ------
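As an added example (not part of this document or of FortiOS), the following helper parses the output of the verification command above, checks the footer count against the number of entries found, and reports sessions whose group_name is not one of the groups the captive portal is meant to admit. The sample output is constructed from the listing shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the `diagnose firewall auth list` output shown above.
SAMPLE_OUTPUT = """\
10.100.250.250, u1
        src_mac: fc:d8:d0:9a:8b:85
        type: fw, id: 0, duration: 29, idled: 12
        expire: 288, allow-idle: 300
        flag(100): wsso
        packets: in 229 out 162, bytes: in 192440 out 22887
        user_id: 16777218
        group_id: 2
        group_name: wifi
----- 1 listed, 0 filtered ------
"""

HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)$")  # "<ip>, <user>" starts an entry
KV = re.compile(r"(\S+?): ([^,]+)")                           # comma-separated "key: value" pairs
FOOTER = re.compile(r"^-+ (\d+) listed, (\d+) filtered -+$")

@dataclass
class AuthEntry:
    ip: str
    user: str
    fields: dict = field(default_factory=dict)  # e.g. fields["group_name"] == "wifi"

def parse_auth_list(text):
    """Parse the auth list into entries plus the (listed, filtered) counts from the footer."""
    entries, counts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            entries.append(AuthEntry(m.group(1), m.group(2)))
        elif (m := FOOTER.match(line)):
            counts = (int(m.group(1)), int(m.group(2)))
        elif entries and ": " in line:
            entries[-1].fields.update((k, v.strip()) for k, v in KV.findall(line))
    # A mismatch means the output was truncated or the format changed; do not trust it silently.
    if counts and counts[0] != len(entries):
        raise ValueError(f"footer says {counts[0]} listed, parsed {len(entries)}")
    return entries, counts

def sessions_outside_groups(entries, allowed_groups):
    """Entries whose group_name is not one the captive-portal policy is meant to admit."""
    return [e for e in entries if e.fields.get("group_name") not in allowed_groups]
```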