How to Configure Captive Portal with External Webserver?

Zyxel_KathyLin Posts: 58  Zyxel Employee
edited June 2022 in SSID

This example shows how to set up captive portal redirection to an external web page. A captive portal intercepts network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. Captive portal pages are commonly found in public hotspots. In this example, the customer wants to use an external captive portal for wireless client authentication.


Configure Interface

1. Go to CONFIGURATION > Network > Interface > VLAN, click vlan0 and edit it. Remove ge6 by selecting “no” in the Member Configuration. Set a fixed IP for the interface, and use DHCP server with DNS. Click OK to save.
2. Go to CONFIGURATION > Network > Interface > Ethernet, select ge6 and edit it. Change the Interface Type to external. Click OK to save.
3. Go to CONFIGURATION > Network > Policy Route, click Add to add a routing rule for outgoing traffic. Click Show Advanced Settings. Check Enable in Configuration. Select Interface in Incoming and select vlan0 in Please select one member. Change Type to Interface and select Interface ge6. Change Source Network Address Translation to outgoing-interface. Click OK.

Configure Authentication Method Setting & Address

1. Go to CONFIGURATION > Object > User/Group, click add to create a new user ID and password. Stations can log in to the captive portal to access the Internet via this account. Enter the User Name as the login ID for the captive portal and set User Type to guest. Enter the Password as the login password. The default Authentication Timeout Setting is 1440 minutes, and usually it’s shorter for guests. Select Use Manual Settings to set Lease Time and Reauthentication Time. Click OK to save.
2. Go to CONFIGURATION > Object > Auth. Method, click add to create an authentication method. Enter the Name of this authentication method and select local in the Method List.
3. Go to CONFIGURATION > Object > Address > Address, click add to create an address range that must pass captive portal authentication before accessing the Internet. Enter the profile Name and change Address Type to RANGE. In this example, the IP range for guest is to Click OK to save.

Configure Captive Portal

1. Go to CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule, click add to create a policy rule. In User Auth Policy, change Source Address to CP_ex and Authentication to required. Check Force User Authentication, and change the Authentication Method to default. Click OK to save.
2. On the same settings page as the previous step, click the “Download” hyperlink to download the external web portal example. You can add the downloaded example to the HTTP server to serve as the external web page.
3. Go to CONFIGURATION > Captive Portal > Captive Portal, check Enable Captive Portal. Click Apply to apply the settings.

Configure AP Profile

1. Go to CONFIGURATION > Object > AP Profile > SSID > SSID List, double-click add to add an SSID for wireless connection with the external captive portal. Set the SSID to CP_ex, and change Security Profile to default, which applies no security. Click OK to save.
2. Go to CONFIGURATION > Wireless > AP Management > AP Group, click default to edit it. Change #1 to CP_ex. Click Override Member AP Setting to apply the SSID to the AP and click Yes in the pop-up window. Click OK.
3. Log out from the NXC controller.

Test the Result

1. Connect the station to the SSID ‘CP_ex’. Open a browser and visit a website after the computer and AP connect successfully. The browser redirects the webpage to the external captive portal page and the user needs to enter the username and password for authentication before accessing the Internet.
2. After entering the username and password correctly, a success page is displayed. The connected station can now access the Internet.

What Could Go Wrong

1. DNS MUST be set in the DHCP server, or the captive portal might fail to redirect because the NXC controller cannot determine the correct IP address of the website that stations want to access.
2. The captive portal fails to redirect the webpage if the station previously logged in to the NXC controller and has not logged out.
3. When USG is the gateway as shown in the topology below, the Forwarding Mode MUST be Tunnel mode to make sure the traffic from the AP goes to the NXC controller.
4. When using the NXC2500 as the controller, the uplink port MUST be ge1.
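
A scripted version of the Test the Result step, run from a station on the CP_ex SSID, that also separates the first two failure cases under What Could Go Wrong (added example, not part of the original post or Zyxel's downloadable portal sample). It assumes the controller answers an intercepted plain-HTTP request with an HTTP 3xx redirect whose Location points at the external web server; `portal.example.net` and the probe target `example.com` are placeholders.

```python
import http.client
import socket
from urllib.parse import urlsplit

# Assumption: hostname of your external portal web server (placeholder value).
EXPECTED_PORTAL_HOST = "portal.example.net"

def classify_response(status, location, expected_host=EXPECTED_PORTAL_HOST):
    """Classify the reply to a plain-HTTP probe sent by an unauthenticated station."""
    if status not in (301, 302, 303, 307) or not location:
        # No interception: station is already logged in, or the policy rule did not match.
        return {"verdict": "no_redirect", "host": None, "https": False}
    target = urlsplit(location)
    host = (target.hostname or "").lower()
    verdict = "portal_redirect" if host == expected_host.lower() else "unexpected_redirect"
    # https=False means the login page is fetched in cleartext over the open SSID.
    return {"verdict": verdict, "host": host, "https": target.scheme == "https"}

def dns_ok(name):
    """False when the station cannot resolve names (DHCP handed out no usable DNS)."""
    try:
        socket.getaddrinfo(name, 80)
        return True
    except socket.gaierror:
        return False

def probe(test_host="example.com"):
    """Live check from a station on the CP_ex SSID; redirects are not followed."""
    if not dns_ok(test_host):
        return {"verdict": "dns_failure", "host": None, "https": False}
    conn = http.client.HTTPConnection(test_host, 80, timeout=5)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_response(resp.status, resp.getheader("Location"))
    finally:
        conn.close()

if __name__ == "__main__":
    print(probe())
```

A `dns_failure` verdict corresponds to item 1 above, `no_redirect` on a station that should be unauthenticated corresponds to item 2, and `unexpected_redirect` means the station was sent to a host other than the portal server you configured.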