I am having problems getting Captive Portal to work for my guest network on my WAP321. I can see two or three similar threads on this forum, but have not been able to find a solution. Let me also say that I am not a network expert, so please forgive any lack of basic knowledge.
My setup is this:
Router = CISCO RV180
Switch = CISCO SG200-08
A/P = CISCO WAP321
On the router, I have created a Guest VLAN 5 and configured it with Inter LAN routing disabled and Tagged to Port 1 (the connection to the switch).
In the VLAN subnet settings, I have the DNS server address set to the IP address of the Router's default VLAN, to enable web access from the VLAN.
On the switch, the RV180 is connected to Port 1 and the WAP321 to Port 8. I have enabled Tagged port access to the guest VLAN on these two ports.
On the WAP321, I have assigned a static IP address and set the gateway to the IP address of the RV180.
I have created VLAN 5 as the Guest network on the WAP321.
With Captive Portal disabled, users can log onto the WAP321 on either VLAN and guest users correctly have no access to devices on the default LAN. Everything works perfectly.
However, as soon as I enable Captive Portal, although guest users can still get a connection and IP address to the Guest VLAN, as soon as they try to open a web page, nothing happens and the page times out. The Captive Portal login page is never displayed.
Interestingly, if I reconfigure the guest network to be on the default VLAN 1, everything works correctly and the Captive Portal login page is shown. However, using this method, the guests have access to devices on the LAN, which is not what is required.
The Captive Portal configuration and association is...
Can anyone please tell me what I am doing wrong? Any advice is truly welcomed.
My name is Chris, and I think I may have the answer for you.
The captive portal website is hosted on a URL that starts with an IP in the administrative/data VLAN. Since you have restricted access from the guest VLAN to the normal data VLAN the guests cannot access the captive portal website.
Try enabling inter-VLAN routing to let the guest and data VLANs communicate just to test, and see if the captive portal page comes up. Take a look at the URL it uses. It is the same as when you put the guest network in the data VLAN directly.
I don't have one of these in front of me right now, but I will look up my case notes and set this up in the lab tomorrow to try to come up with a way to get the guests to the portal page without letting them access the rest of the data VLAN.
I will post here with what I find.
Network Support Engineer - Cisco Small Business Support Center
I enabled inter-VLAN routing on the RV180 and this time when I connect to the guest VLAN I get the login page...of the WAP321 - NOT the Captive Portal login page
Any more ideas?????
I have posted some links which will refer you to articles regarding Inter-VLAN on the RV180, Captive Portal configurations on RV180 and Captive Portal setup for instance configuration. I hope you find these articles helpful.
Let me know if you have any further questions.
Cisco SBCD Engineer
Thank you for your reply, but if you read my original post you will see that I have configured the VLANS already on all of my CISCO devices. You will also see that if I have Captive Portal disabled on the WAP321, then everything works perfectly.
What I need is for somebody to tell me exactly why my configuration does not work, and the exact resolution to my specific problem rather than just a series of links to articles that simply copy what is written in the user guide, which I have already read.
I cannot believe that what I want to achieve is so unusual - simply two wireless networks - one tied into the company LAN and the other for guests requiring a captive portal "splash" screen to be accepted before internet access is allowed and without access to resources on the company LAN.
Indeed, even my much cheaper home router allows this "out of the box" without any complex configuration. The only reason for buying the WAP321 as opposed to the much cheaper WAP121 was in order to use the Captive Portal feature.
So far I am less than impressed with these CISCO small business products. Apart from this issue on the WAP321, the RV180W has terrible wireless range, making it unusable in even a small office over two floors, and has many bugs in the latest firmware, including the one which shows the IP address of all external connections as the internal router IP address. This has been reported by many users on this forum, but still no fix has been forthcoming.
Can somebody please offer me a proper solution to my problem regarding the Captive Portal.
My name is Nataliya and I am a Network Engineer at Cisco Small Business Support Centre.
Based on the information in the post I was able to replicate your configuration in our lab. My e-mail is firstname.lastname@example.org. Please send me your contact details. I would like to discuss this matter with you and open a case for you so we can work further on the issue.
Thank you and have a great day!
Cisco Small Business Support Centre
My name is Vijay. Thank you for using the support forum. I have tested your case. I found that Captive Portal will only work on VLAN1 (Management VLAN). This is not a bug FYI. I understand that you would like to have a separate network for guest users. You can do that by setting up a separate SSID password for the guest network. This will work the same way as captive portal except for the URL re-direct feature. So I suggest that you dissociate the Captive Portal instance and set up security for SSID 2 (Guest network).
Please let me know if you have any questions or require further assistance.
Vijay S. Venkitachalam
Thank you for your reply. I understand that CISCO have opened a case for me for this issue (case number 626599981). Is your reply related to this case number? Anyway, I cannot review the case on the support site as apparently I do not have the necessary authority to do so (pretty amazing that I cannot even see my own case).
I do not understand what you mean when you say that setting up a separate SSID for the guest network will work the same as captive portal except for the URL re-direct. If you read my original post, you will see that I already have done this and everything works perfectly with captive portal disabled. However, this method is absolutely NOT the same as captive portal as it does not present the user with the Terms and Conditions of use which need to be accepted before access is granted.
You say that captive portal only works on VLAN1 and that this is not a bug, and yes, I can get it to work if I associate it with the main company LAN on VLAN1. However, this is NOT what I want. The whole point of a guest network is to run it as an isolated network with no access to assets on the main LAN! How can you say this is not a bug?
Are you saying that what I want to do is not possible with this equipment? If so, then I believe that your company is seriously mis-selling this product, as it clearly does NOT do what it says "on the tin".
Can somebody from CISCO please respond once and for all with a clear and concise statement regarding this problem. Will this product support what I want to do or not? If so, then how do I need to configure it. If not, then please admit to the world that you are mis-selling this product according to its definition.
Well, it's official! Yesterday CISCO told me that this is not a bug, but by design! Officially, this hardware is not designed to enable captive portal on anything other than default VLAN. It is not impossible to set it up on an isolated guest network, which is where 99% of people would want it!
I recommend that people stay well away from this overpriced piece of crap and buy another brand whose products actually work and which have decent support rather than simply being constantly referred to sections in the user manual which offer no help whatsoever.
Sent from Cisco Technical Support iPad App
Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
I am so sorry that you have been unable to resolve this issue up to this point.
It is correct that the WAP321 with Captive Portal assigned to VAP1 or higher basically needs to have access to the management VLAN for DHCP assignment. However, I believe if you set it up like this then you should be able to set up some ACLs to complete what you are trying to do. I am going to try this in our labs.
I have several projects going right now. So please be patient.
Eric Moyers .:|:.:|:.
Cisco Small Business US STAC Advanced Support Engineer
Mon - Fri 09:00 - 18:00 (UTC - 05:00)
I have exactly the same use case, and I think a lot of other people do too. This behaviour is not for professional use cases and not for advanced private users. I will return the WAP.