Firewall Friendly External Captive Portal (FFECP) on the AP for B@AP topologies is an extension to Firewall Friendly Captive Portal on the controller for tunneled (B@AC and routed) topologies.
You can configure the FFECP with full authentication using a URI and signature, or you can configure a RADIUS server, authenticating with a user name and password; however, mobile user roaming is not supported with central RADIUS authentication.
The DHCP (Dynamic Host Configuration Protocol) IPv4 address pool used by un-authenticated clients must be large enough to provide additional IP addresses to all APs configured with Firewall Friendly External Captive Portal (ECP). This is because each AP creates a virtual interface on each non-authenticated policy VLAN and assigns an IP address to it from the pool.