Hi Moh,

Can you please explain to me:

1) why you can configure 2 captive portal instances? What use would that be if you only have 1 vlan?

2) why does cisco restrict the free choice of a vlan id? Nobody wants to use vlan 1 for a guest vlan. Never. I expect I don't have to explain why.

can you please discuss this with the product manager of the wap series ap's? Even for a small office device these restrictions are killing its market potential.

regards,

Martijn

I cannot tell you how much I agree with Martijn,

captive portal capability was one reason for me to buy this 321 piece. In my small environment I definitely need more than one VLAN. From a personal perspective I can partly understand why Cisco is limiting this functionality here out of political reason, just in order to get the more expensive pieces sold. But from a manufacturer like Cisco, on the other hand, I would have expected to found this limitation mentioned somewhere in the description. This politic reminds me to the very early times in the 80th where anybody built his crap box without or with missleading documentation.

Lets stay on the floor: Although this WAP321 piece is for use in Small Business and there are - most likely - better boxes from Cisco around with more functionality, but the 321 is NOT a cheap network equipment from any garage manufacturer.

as a result of marketing politics like that Cisco will lose a big piece it's reputation

just forgot one thing technically: I found some time to play aroung a bit with my switch configuration and the 321s. It seems to me the captive portal as a whole needs some redisign:

- I was able to access the CP through VLAN1 set as management VLAN, but only after I put in the WAPs IP address in my browser manually; the first access came up with a 404 error, after the local cache was filled it seems to work

- following the ideas above and setting up my guest VLAN as a management VLAN I got redirected to the WAP admin login screen instead the CP ?!?!

- it looks like the CP functionality is bound to DHCP, so it might help to enable IPHelper (I did not test this so far)

- I personally use DHCP, but what if someone does not, which is not seldom in a small environment?

Would you mind offering a little more info on how you got this to work? 

I’m struggling a little! I can only make this function on VLAN1 (basically useless, I'm with Martijn on that..)

Thanks in advance.

Below are the needed pieces of info to make this all work step by step.  These screenshots are for the WAP321, but the same conditions and requirements also apply to the WAP561.

Step 1:  Configure Multiple networks & vlans as needed (see attachment named networks.jpg)

Step 2: Create/configure the Captive Portal instance and enable it (see attachment named cp_instance.jpg).  Note: in this example, the verification method is set as 'guest' so that no real user credentials are required at the captive portal.  If you want actual authentication at the CP, you would need to select and configure the appropriate authentication system.

Step 3: Associate the CP instance with the appropriate VAP/VLAN (see attachment named cp_instance_association.jpg)

Step 4: Create/modify a Captive Portal Web Local and connect it with the appropriate CP instance.  This is the part that I struggled with because the documentation seems to indicate that this is optional, but it is not!  Even if you just keep the default values and settings it is needed (see attachment named cp_customization.jpg)

Step 5: This is also an important requirement and your method to complete this step will probably be different than my exact method here depending on your actual network.  This step might be where some people are stumbling and it is not done on the WAP's, it needs to be set on a device with some routing capability - an L3 switch or router.  Remember, by definition VLANS are seperate, distinct networks.  With these devices, the Captive Portal that we have created can only be accessed on the default VLAN (in this example this is VLAN 1 but may or may not be the default VLAN for everyone).  For this reason, some method of inter-vlan routing is needed here!  This can be done with managed switches or routers and there are potential security issues so be sure that you understand what you are doing.  For this example, this screenshot is from a firewall/router appliance configured with a policy to allow the various VLANs being discussed http only access to the IP addresses of the WAP321's on the default VLAN (see attachment named vlan_routing_to_cp.jpg)

Step 6: Turn on the Captive Portals and see it work (see attachment named cp_enable.jpg)

If this helps, remember to rate this post well so that others can find it.

Thanks so much. Very clear, I'll work through it over the weekend.

J