Captive portal authentication is now supported on a tunnel mode SSID, or on a VLAN sub-interface of an SSID, that is bridged with other interfaces through a software switch. This requires the software switch's intra-switch-policy to be set to explicit when the switch interface is created, so that traffic between the switch members is subject to firewall policy rather than being forwarded implicitly. Users accessing the SSID are redirected to the captive portal for authentication.
- Configure the local user:

      config user local
          edit "user1"
              set passwd *********
          next
      end
- Configure the user group:

      config user group
          edit "wifi-group"
              set member "user1"
          next
      end
- Configure the VAP:

      config wireless-controller vap
          edit "test-captive"
              set ssid "test-captive"
              set security captive-portal
              set portal-type auth+disclaimer
              set selected-usergroups "wifi-group"
              set schedule "always"
          next
      end
- Create a software switch interface consisting of the tunnel VAP with captive portal security and a physical interface (port7), with the intra-switch policy set to explicit:

      config system switch-interface
          edit "test-ssw"
              set vdom "vdom1"
              set member "port7" "test-captive"
              set intra-switch-policy explicit
          next
      end
- Create the firewall policy that allows traffic between the switch members in both directions:

      config firewall policy
          edit 1
              set srcintf "test-captive" "port7"
              set dstintf "port7" "test-captive"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set nat disable
          next
      end
- Connect the external DHCP server to the physical interface.
- Connect a WiFi client to the tunnel VAP. The client obtains an IP address from the external DHCP server and is redirected to the captive portal, where the user completes authentication.
- Verify the authenticated firewall users list:

      # diagnose firewall auth list

      10.100.250.250, u1
              src_mac: fc:d8:d0:9a:8b:85
              type: fw, id: 0, duration: 29, idled: 12
              expire: 288, allow-idle: 300
              flag(100): wsso
              packets: in 229 out 162, bytes: in 192440 out 22887
              user_id: 16777218
              group_id: 2
              group_name: wifi
      ----- 1 listed, 0 filtered ------
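The requirement that matters for enforcement in the procedure above is the `intra-switch-policy explicit` line on the software switch: without it, traffic between the VAP and the physical port is bridged implicitly and never reaches the firewall policy that the captive portal relies on. The following script is an added example (not FortiGate code) that audits a saved CLI configuration for that condition. It parses the plain `config / edit / set / next / end` text, lists every VAP whose security mode is `captive-portal`, and reports each software switch that bridges such a VAP without the explicit policy. The sample configuration is constructed here: it repeats the `test-ssw` switch from the steps above and adds a deliberately misconfigured `bad-ssw` switch and a non-captive `staff-ssw` switch so the check has both a hit and a non-hit. It assumes that a switch interface with no `intra-switch-policy` line is using the implicit default.

```python
# Audit a FortiOS CLI config export for software switches that bridge a
# captive-portal VAP without 'set intra-switch-policy explicit'.
# Added example, not FortiGate code; assumes the flat config/edit/set/next/end
# text shape and that a missing intra-switch-policy line means 'implicit'.
import shlex

# Constructed sample configuration: test-ssw mirrors the procedure above,
# bad-ssw is deliberately misconfigured, staff-ssw bridges a non-captive VAP.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "test-captive"
        set ssid "test-captive"
        set security captive-portal
        set portal-type auth+disclaimer
        set selected-usergroups "wifi-group"
        set schedule "always"
    next
    edit "lobby-captive"
        set ssid "lobby-captive"
        set security captive-portal
    next
    edit "staff-psk"
        set ssid "staff-psk"
        set security wpa2-only-personal
    next
end
config system switch-interface
    edit "test-ssw"
        set vdom "vdom1"
        set member "port7" "test-captive"
        set intra-switch-policy explicit
    next
    edit "bad-ssw"
        set vdom "vdom1"
        set member "port8" "lobby-captive"
    next
    edit "staff-ssw"
        set vdom "vdom1"
        set member "port9" "staff-psk"
    next
end
"""


def parse_fortios_config(text):
    """Parse CLI config text into {table: {entry: {attribute: [values]}}}.
    Handles the flat shape used above; nested tables are tracked by name only."""
    tables = {}
    stack = []  # each frame: [table_name, current_entry_or_None]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # respects the quoted values
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
            stack.append([table, None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            tables[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            table, entry = stack[-1]
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return tables


def captive_portal_vaps(tables):
    """Names of VAPs whose security mode is captive-portal."""
    vaps = tables.get("wireless-controller vap", {})
    return {name for name, attrs in vaps.items()
            if attrs.get("security") == ["captive-portal"]}


def find_unprotected_switches(tables):
    """Return (switch, vap, policy) for each software switch that bridges a
    captive-portal VAP while its intra-switch policy is not 'explicit'."""
    captive = captive_portal_vaps(tables)
    findings = []
    for sw_name, attrs in tables.get("system switch-interface", {}).items():
        # Assumption: an absent intra-switch-policy line means the implicit default.
        policy = attrs.get("intra-switch-policy", ["implicit"])[0]
        for member in attrs.get("member", []):
            if member in captive and policy != "explicit":
                findings.append((sw_name, member, policy))
    return findings


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for sw, vap, policy in find_unprotected_switches(cfg):
        print(f"{sw}: bridges captive-portal VAP {vap} with intra-switch-policy {policy}")
```

Run against a real `show` export instead of the constructed sample by reading the file into `parse_fortios_config`; a switch reported here is one where users on the VAP are bridged to the wired side without passing through the firewall policy, so the captive portal redirect would not be enforced.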