Configure wireless captive portals to work with Portnox Cloud

In this collection of documents, you will find specific instructions for configuring captive portals on wireless NAS devices to work with the Portnox™ Cloud guest network.

You can use captive portals with wireless NAS devices and Portnox Cloud in two ways: with guests managed by Cloud, or with guests managed by the NAS.

To learn more about configuring guest access in Portnox Cloud, read the following topic: Configure a guest Wi-Fi network.

Guests managed by Portnox Cloud

  1. The guest user connects to the guest SSID on the NAS.
  2. The guest’s device recognizes a captive portal and opens the guest’s browser.
  3. The guest’s browser opens a web page served by the NAS device’s internal web server.
  4. The NAS device’s internal web server redirects the guest’s browser to a URL managed by Portnox Cloud. The redirect is usually either an HTML meta-refresh or an HTTP 30x redirect response.
  5. Portnox Cloud manages the guest’s access according to Portnox guest network settings. For example: the guest might receive credentials via a text message or ask an employee (sponsor) to vouch for them.
  6. If the guest successfully authenticates based on the guest requirements, the Portnox Cloud back-end registers this in the Portnox Cloud RADIUS server.
  7. The guest’s browser is redirected back to a success URL, which the NAS device recognizes as confirmation of successful authorization.
  8. The NAS device verifies this with the Portnox Cloud RADIUS server.
  9. The guest is granted access to the network.

Note: This is the recommended approach. All the topics in this collection describe this type of configuration.

There are several advantages of this approach:

  • Guests and employees are managed using a single platform (Portnox Cloud), providing greater flexibility, security, and scalability.
  • Guest management is platform-independent. You can manage multiple captive portals together, regardless of the NAS devices running the guest SSIDs.

The disadvantage of this approach is that Portnox Cloud supports it only for the following NAS device manufacturers: Cisco, Cisco Meraki, Aruba, Ruckus, Mist, and Aerohive (legacy). Other captive portals are currently not supported because there is no standard for captive portal integration with third parties. Each manufacturer’s captive portal interacts differently with third-party URLs and RADIUS servers, requiring custom integration for each manufacturer.
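
For step 4 of the Cloud-managed flow above, the following added example (not part of the Portnox documentation) classifies a captured NAS response as a meta-refresh or an HTTP 30x redirect and checks that the redirect target uses HTTPS on an expected host. The host name `guest-portal.example.invalid`, the function names, and both sample responses are constructed for illustration; substitute the portal host shown in your own guest network settings.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder host, not a real Portnox Cloud address.
EXPECTED_HOSTS = {"guest-portal.example.invalid"}

# Constructed sample responses, as a NAS web server might return them.
SAMPLE_302 = (b"HTTP/1.1 302 Found\r\n"
              b"Location: https://guest-portal.example.invalid/login?mac=aa-bb-cc-dd-ee-ff\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_META = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b'<html><head><meta http-equiv="refresh" '
               b'content="0; url=http://192.0.2.10/login"></head></html>')

class _MetaRefresh(HTMLParser):
    """Records the URL of the first <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.url = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and self.url is None and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.url = m.group(1).strip()

def classify_redirect(raw: bytes):
    """Return (mechanism, target_url) for a raw HTTP response, else (None, None)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    if 300 <= status < 400 and "location" in headers:
        return "http-30x", headers["location"]
    parser = _MetaRefresh()
    parser.feed(body.decode("utf-8", "replace"))
    return ("meta-refresh", parser.url) if parser.url else (None, None)

def check_target(url: str):
    """Return problems with the redirect target; an empty list means it passed."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if parts.hostname not in EXPECTED_HOSTS:
        problems.append("unexpected host")
    return problems
```

A relative `Location` value fails both checks, which is the intended result: it means the browser stays on the NAS instead of being sent to the externally managed portal.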

Guests managed by the internal NAS engine

  1. The guest user connects to the guest SSID. The guest’s device recognizes a captive portal and opens the guest’s browser.
  2. The NAS device directs the user to a URL controlled by the NAS device’s internal captive portal engine.
  3. The NAS device manages the user’s access according to its internal settings. Access options depend on the functionality of the NAS device’s captive portal engine.

In this approach, Portnox Cloud is not involved in guest management: guests are managed entirely by the NAS device. However, you can still use Portnox Cloud RADIUS servers to authenticate users if you want to use the captive portal for authenticated users, not just for guests.

The disadvantage of this approach is that each captive portal must be configured and managed independently, which consumes valuable human resources and makes unified security management much more difficult, especially for larger organizations. We recommend this approach only if Portnox Cloud does not support your manufacturer’s NAS equipment.