Captive Portal Using only AD ( without NAC)

  • 1
  • 1
  • Question
  • Updated 2 years ago
  • Answered
Dear Team,
I have query and need your suggestion to achieve this challenge,

I have a scenario like " I have a Wireless controller - V2110 with "GUEST- SSID" and i need to configure CAPTIVE PORTAL for this Guest SSID with only AD Authentication (Without using NAC).
Once the authentication done by the AD, The Guest PC and AD will never Communication again.
Without using NAC i need to achieve this, so kindly help me in this...!!!!!

Thanks & Regards,
Boopathy Chandrasekar.
Photo of Boopathy Chandrasekar

Posted 2 years ago

  • 1
  • 1
Photo of Bin

Bin, Employee

  • 5,372 Points 5k badge 2x thumb
Hello Boopathy, 

You need that let your WLAN to connect AD server, not NAC. Then, wireless controller could send authentication request to AD server. 

For example,

Photo of Nathiya Munuswamy

Nathiya Munuswamy, Employee

  • 1,706 Points 1k badge 2x thumb
Hi Boopathy,
Based on your requirement below is my suggestion.

This can be achieved by selecting Internal Captive Portal on the controller. Internal Captive Portal page displayed by the controller, and the authentication request from the controller sent to the RADIUS server.

Nathiya M
Photo of Antonio Opromolla

Antonio Opromolla

  • 2,216 Points 2k badge 2x thumb
HI Boopathy, maybe this previous discussion can help you a little bit on this configuration:
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 50,114 Points 50k badge 2x thumb
The controller is not able to query the AD dircectly i.e via LDAP.
You always need a RADIUS server to query the AD as mentioned in the previous posts.

But you'd add the RADIUS role to the same machine that runs the AD => Microsoft IAS / NPS.
Photo of Ostrovsky, Yury

Ostrovsky, Yury, Employee

  • 3,050 Points 3k badge 2x thumb
The second problem is 'never communicate again'. I can suggest that your RADIUS server will send back the 'session-time-out' attribute which will be very big number, then the idle-timeout on the controller should be changed as well. If the number of guests is more or less known, then probably you can manage that. If its unknown/large, it can end up hitting the session number limits on the controller.
Once session removed from controller (either by session or by idle timeout) client will be offered to register again.
Thanks a lot for the response TEAM..!!!! Its really helpful..!!!!