Configure the URL key

You can optionally configure a URL hash key to provide some security for the Captive Portal exchange with CPPM. The key is a shared secret between CPPM and the switch. When configured, the switch generates a HMAC-SHA1 hash of the entire redirect URL, and appends the hash to the URL to be sent to CPPM as part of the HTTP redirect. If CPPM is configured to check the hash, it will generate the hash of the URL using its version of the URL hash key and compare against the value provided by the switch. The action taken by CPPM upon a match or mismatch is determined by what is configured on CPPM.

CPPM provides the following options: 
  • Do not check - login will always be permitted 

  • Deny login on validation error - login will not be permitted

The URL hash key is globally configured and will be used for all redirects to Captive Portal. This key is not configured on a per CPPM or RADIUS server basis. If the key is not specified, the hash is not added to the URL. The URL hash key is an ASCII string with a maximum length of 64 characters.

The URL key supports the FIPS certification feature encrypt-credentials and can optionally be encrypted for more robust security. This option is only available when the global encrypt-credentials is enabled.

To configure a plain text captive-portal URL key: 
switch(config)# aaa authentication captive-portal url-hash-key plaintext <KEY>
To configure an encrypted captive-portal URL key when encrypt-credentials is enabled:
switch(config)# aaa authentication captive-portal url-hash-key encrypted <ENCRYPTED-KEY> 
To clear a captive-portal URL key: 
switch(config)# no aaa authentication captive-portal url-hash-key