Configuring the switch

Once you have configured Captive Portal, you can configure the switch. To configure the switch, you must first configure the switch as a RADIUS client, then configure the ports that will be used for Captive Portal, as follows:

  1. Configure the switch as a RADIUS client. In this example, the ClearPass IP address is and secret is the secret key shared with the RADIUS server:
    1. switch(config)# radius-server host key "secret"
    2. switch(config)# radius-server host dyn-authorization
    3. switch(config)# radius-server host time-window 0

      Make sure to set your time-window to 0. See Event Timestamp not working.

  2. Configure the ports that will be used for Captive Portal. In this example, the commands enable ports B3-B5 for MAC Authentication:
    1. switch(config)# aaa authentication port-access chap-radius
    2. switch(config)# aaa port-access mac-based B3-B5
  3. If you configured the Security Hash to Deny login on validation error in Create a ClearPass guest self-registration, configure the URL key.
  4. Configure the certificate. See Configuring a certificate for Captive Portal usage
  5. Enable Captive portal:
    switch(config)# aaa authentication captive-portal enable

    By default, Captive Portal is disabled. Once enabled, you are redirected to the URL supplied via the HPE-Captive-Portal-URL VSA. Captive Portal is enabled on a global/switch wide basis.