Support for Captive Portal?

Answered Question
May 27th, 2010

I am trying to provide a captive portal with the support of some Cisco box.

The requirements are:

- "Unauthorized" source IP addresses on certain interfaces are redirected to an external node.

- There is an interface to change the status of an IP address, such as using Cisco.

- It is possible to define a walled-garden: destination IPs whose traffic is always allowed.

This seems to be supported by the SSG feature (service selection gateway), but I find information that it is end-of-life:

http://cisco.biz/en/US/docs/ios/ssg/configuration/guide/ssg_eol_15m.html

The replacement is ISG but it is supported only on high-end (7600 +) if it should support more than 8,000 subscribers.

So, can anyone confirm SSG is EoL and there is no lighter feature than ISG?

Correct Answer
Rick Arps Thu, 05/27/2010 - 09:58

We use an ASA 5510 to do a captive portal for our guest wireless network.  The page isn't customizable, but it gets the job done.  You just need to add an AAA rule under the Firewall section in the ASDM.  You can have it require AAA based on source/destination and service.

Hope this helps

Rick

MCentrick2010 Wed, 06/02/2010 - 08:46

Thanks for the suggestion.

In my case, user experience is essential; we definitely need to show a customized login page hosted in an external node.

Without hands-on knowledge on Cisco ASA, trying to be creative, I wonder if the following is possible:

1) Define the external login page as always allowed, not requiring authentication.

2) Redirect unauthenticated traffic to the host of the login page.

3) Within my login page, trigger a POST towards the Cisco ASA login page and this in turn a RADIUS, causing authentication to succeed.

It is point 2) that I am afraid is not possible.
