About captive portal (RADIUS)

Captive portal provides clients with Internet access based on http or https redirection. The client first gets authenticated using MAC or 802.1x authentication which results in application of the captive portal profile. The http or https request is then redirected to the captive portal server for user registration. Finally, with Change of Authorization (CoA) with the Port Bounce VSA from the RADIUS server, MAC, or 802.1X authentication occurs, providing the authenticated client with Internet access.

Captive portal is supported only for the clients getting authenticated through RADIUS servers.

For captive portal http or https redirection to occur, both of these requirements must be met:
  • The client must be successfully authenticated with either MAC or 802.1x based authentication.

  • The client must be assigned a role that includes a configured captive portal profile.

Captive portal is client-based. The redirect parameters (configured per client) can be configured using one of these three methods:
  • LUR (Local User Role): The captive portal and user role are configured on the switch. The role is sent from the RADIUS server in the authentication response packet (with the Radius-accept) to the switch as the authorization attribute VSA Aruba-User-Role. The role is then applied to the authenticated user. The role returned from the RADIUS server must have earlier been configured on the switch with a matching captive portal profile name. If the role (returned from the RADIUS server) is not present in the switch, the authentication fails.

  • DUR (Downloadable User Role): After successful SSL connection is established (using certificates) between the RADIUS server and switch, the captive portal and user role configurations are downloaded to the switch, creating the role internally on the switch which is then applied to the authenticated user. This method requires RADIUS server credentials configured on the switch and a RADIUS server root certificate installed on the switch.

  • RADIUS VSA (Vendor-Specific Attribute): The URL and policy rules are sent from the RADIUS server (with the Radius-accept) to the switch as authorization attribute VSAs Aruba-Captive-Portal-URL and Aruba-NAS-Filter-Rule. The role is created internally on the switch and then applied to the authenticated user.


The RADIUS server and captive portal server can be a ClearPass server acting as a RADIUS server or any other RADIUS server. For ClearPass, ClearPass Policy Manager (including Captive Portal), and related documentation, see https://asp.arubanetworks.com/downloads, filtering for "Aruba ClearPass."

Details of the Aruba-Captive-Portal-URL VSA:
 | Attribute Name           | Length   | Type   | Aruba Vendor ID | Aruba Attribute Type            |
 | Aruba-Captive-Portal-URL | <= 1024  | String | 14823           | 43                              |