6.5. Captive Portal Configuration

The captive portal makes it possible to authorize Unknown users with authentication methods backed by Active Directory, RADIUS, TACACS+, SAML IDP, Kerberos, NTLM, or a local user database. Using the captive portal, you can also configure user self-registration with email or SMS verification.

Remember that:

  • Identified users, such as those with an explicitly set IP address in the user profile or those identified using authorization agents for terminal servers or Windows systems, are not authorized at the captive portal. These users are already classified as Known and do not require further identification.

  • Captive portal authorization is only possible for the HTTP and HTTPS protocols. For example, if you have created a firewall rule that allows Internet access over FTP only for Known users, users will not get Internet access over that protocol until they are identified, that is, until they open a browser on their device and pass authorization at the captive portal.

  • To authorize users that use HTTPS, you need to configure SSL inspection, or authorization will not work.

  • If the captive portal uses the Active Directory authentication method, the user must specify their login name as DOMAIN\username or username@domain.

To configure the captive portal, follow these steps:

Step 1. Create an authentication method, e.g., Active Directory domain-based authentication.

    In the UserGate console, go to the Users and devices --> Auth servers section, click Add, and create an authentication server.

Step 2. Create an authentication profile with the desired authentication methods.

    In the UserGate console, go to the Users and devices --> Auth profiles section, click Add, and create an authentication profile using the authentication method added earlier.

Step 3. Create a captive profile with the desired authentication profile.

    In the UserGate console, go to the Users and devices --> Captive profiles section, click Add, and create a captive profile using the authentication profile added earlier.

Step 4. Create a captive portal rule.

    A captive portal rule determines the type of traffic to which the user authentication methods specified in the captive profile should be applied. In the UserGate console, go to the Users and devices --> Captive portal section, click Add, and create a captive portal rule.

Step 5. Configure DNS for the auth.captive and logout.captive domains.

    The internal auth.captive and logout.captive domain names are used by UserGate for user authorization. If the clients use UserGate as the DNS server, you do not need to do anything. Otherwise, you need to specify the IP address of the UserGate server interface connected to the client network as the IP address for these domains. An alternative solution is to configure the Captive portal auth domain and Captive portal logout domain settings. For more details on these settings, see the section General Settings.
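The DNS prerequisite in Step 5 is the one most often missed when clients use a third-party DNS server. The following pre-flight check is an added example and not UserGate code or part of its documentation: run from a client on the protected segment, it resolves auth.captive and logout.captive the way a browser would and confirms that both point only at the UserGate interface facing that segment. The interface address 192.0.2.1 is a constructed placeholder; the resolver is injectable so the check can be exercised offline.

```python
"""Pre-flight check for the captive portal DNS prerequisite (Step 5).

Added example, not UserGate code: resolves the internal captive-portal
names from the client's point of view and verifies that each resolves
to exactly the UserGate interface address on the client network.
The address 192.0.2.1 used in __main__ is a constructed placeholder.
"""
import socket

CAPTIVE_DOMAINS = ("auth.captive", "logout.captive")


def resolve_all(name, resolver=socket.gethostbyname_ex):
    """Return the set of IPv4 addresses `name` resolves to.

    An empty set means resolution failed, which is exactly what a client
    sees when its DNS server has no record for the internal name.
    """
    try:
        _, _, addrs = resolver(name)
    except OSError:  # socket.gaierror and friends derive from OSError
        return set()
    return set(addrs)


def check_captive_dns(expected_ip, resolver=socket.gethostbyname_ex):
    """Check every captive-portal name; return {name: (ok, addresses)}.

    A name passes only if it resolves to exactly `expected_ip`: a missing,
    different or additional address means the browser's redirect would not
    land on the UserGate interface serving this client segment.
    """
    report = {}
    for name in CAPTIVE_DOMAINS:
        addrs = resolve_all(name, resolver)
        report[name] = (addrs == {expected_ip}, sorted(addrs))
    return report


def all_ok(report):
    """True when every name in the report passed."""
    return all(ok for ok, _ in report.values())


if __name__ == "__main__":
    # Placeholder: replace with the address of the UserGate interface
    # connected to the client network.
    result = check_captive_dns("192.0.2.1")
    for name, (ok, addrs) in result.items():
        print(f"{name:16} {'OK  ' if ok else 'FAIL'} {addrs or 'no answer'}")
    raise SystemExit(0 if all_ok(result) else 1)
```

A non-zero exit status from a client means that, whatever the captive portal rules say, the redirect to the auth page cannot complete on that segment until the DNS records (or the Captive portal auth domain / logout domain settings) are fixed.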

You can find an in-depth discussion of how to add authentication methods in the previous chapters. Let us now consider the creation of a captive profile and captive portal rules in more detail.

To create a captive profile, go to the Captive profiles section, click Add, and provide the desired settings:

Name

    Captive profile name.

Description

    Captive profile description.

Auth page template

    Select a template for the auth page. You can create auth page templates in the Libraries --> Response pages section. If you need to configure user self-registration with SMS or email verification, select the corresponding template type (Captive portal: SMS auth / Captive portal: Email auth).

Authentication mode

    The method UserGate uses to remember this user. There are two options:

      • Use IP address. After the user successfully authorizes at the captive portal, UserGate saves their IP address, and all subsequent connections from that IP address are associated with this user. This method identifies data transmitted using any protocol of the TCP/IP family, but it does not work correctly if there is a NAT device between the users and the UserGate server.

        This is the recommended value and is set by default.

      • Use COOKIE. After a user successfully authenticates through the captive portal, UserGate adds a cookie to the user's browser to identify subsequent connections by that user. This method allows authorization of users who are behind a NAT device, but only for the HTTP(S) protocol and only in the same browser that was used for captive portal authorization. Moreover, to authorize the user's HTTPS sessions, UserGate will decrypt all HTTPS connections on a mandatory basis. For firewall rules, a user authenticated using a cookie is always classified as Unknown.

Auth profile

    The profile created earlier that defines the authentication methods to use.

Redirect URL

    The URL to redirect the user to after successful authentication using the captive portal. If not specified, the user is redirected to the URL they requested.

Allow browsers to keep auth

    Stores the authorization in the browser, in a cookie, for the specified number of hours.

Show AD/LDAP domain selector on Captive portal auth page

    If enabled, this parameter allows the user to select the domain name from a list on the auth page when the Active Directory authentication method is used. If this parameter is not enabled, the user must explicitly specify the domain as DOMAIN\username or username@domain.

Protect with CAPTCHA

    If this option is enabled, the user will be prompted to enter a code shown to them on the captive portal's auth page. This is recommended to protect against bots that guess user passwords.

HTTPS for auth page

    Use HTTPS for displaying the captive portal's auth page to users. A properly configured captive portal SSL certificate is required. For more details on certificates, see the section Certificate Management.

To set up user self-registration with password verification using SMS or email, you need to configure settings on the Guest users registration tab. Remember to use the appropriate template type in this case (Captive portal: SMS auth / Captive portal: Email auth).

Notification profile

    The notification profile that will be used for sending information on the newly created user and their password. Two types of notification are possible, SMS and email. For more details on creating a notification profile, see the chapter Notification Profiles.

From

    The person or entity in whose name notifications will be sent.

Notification subject

    The subject of notifications (only for email notifications).

Notification body

    The body of the notification message. In the message body, you can use the special variables {login} and {password}, which will be replaced with the username and password, respectively.

Expiration date and time

    The date and time when the guest account will be disabled.

Guest user TTL

    The length of time from the guest user's first login after which their user account will be disabled.

Password length

    Sets the password length for a guest user.

Password complexity

    Sets the password complexity for a guest user. The available options are:

      • Numeric.

      • Alphanumeric.

      • Alphanumeric+special.

Groups

    The groups to which the created guest users will be added. For more details on guest user groups, see the chapter Guest Portal.

To create a captive portal rule, go to the Captive portal section, click Add, and provide the desired settings:

Name

    The name of the captive portal rule.

Description

    A description of the captive portal rule.

Captive profile

    Select a captive profile created earlier. An option called Skip captive portal page is available which, if enabled, waives the authentication requirement.

Enable logging

    If this is enabled, instances of the rule being triggered will be recorded in the corresponding statistics log.

Source

    The source addresses. You can use a specific zone, such as the LAN zone, or an IP address range as the source. Country IP addresses (GeoIP) can also be used.

    Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

    Important! Traffic is matched using the following logic:

      • if several IP lists and/or domain lists are specified, they are combined with OR;

      • if GeoIP is specified together with IP and/or domain lists, the conditions are combined with AND.

Destination

    The destination addresses. You can use a specific zone, such as the WAN zone, or an IP address range as the destination. Country IP addresses (GeoIP) can also be used.

    Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

    Important! Traffic is matched using the following logic:

      • if several IP lists and/or domain lists are specified, they are combined with OR;

      • if GeoIP is specified together with IP and/or domain lists, the conditions are combined with AND.

Categories

    The URL filtering categories to which the rule will be applied. You need to have the appropriate license for URL filtering.

URL

    The URL lists to which the rule will be applied.

Time

    The time when this rule will be active.

Usage

    The rule triggering statistics: the total number of triggers and the times of the first and last triggers.

    To reset statistics, select rules in the list and click Reset hit counts.

History

    The time when the rule was created and last modified, as well as the event log entries related to this rule: adding or updating the rule, changing the position of the rule in the list, etc.

By creating several captive portal rules, you can configure different user identification policies for different zones, URL categories, and time.

Note

The conditions specified in the rule's tabs are combined with a Boolean AND, i.e., all conditions must be met to trigger the rule. If you need to use the OR logic instead, this can be achieved by creating several rules.

Note

The rules are applied in the order they are listed in the console. You can reorder the rules using the corresponding buttons.

Note

When there are multiple matching rules, only the first triggered rule is applied.
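The matching logic spelled out above (IP lists OR-ed within a tab, GeoIP AND-ed with those lists, all tabs AND-ed, rules evaluated in list order with the first match winning) is easy to get wrong when ordering rules. The following is an added example, not UserGate code, that models exactly those semantics over a few constructed rules so the effect of rule order and of the Skip captive portal page option can be checked before committing a policy. The rule and request representations, the hour-range form of the Time tab and the sample addresses are all assumptions made for the illustration; the 15-entry GeoIP limit is the one stated in the documentation.

```python
"""Model of captive portal rule matching (added example, not UserGate code).

Implements the documented semantics: IP lists in a Source/Destination tab
are OR-ed, a GeoIP condition is AND-ed with them, the Source, Destination,
Categories, URL and Time tabs are AND-ed, and rules are evaluated in list
order with only the first matching rule applied. Data structures and the
sample rules/addresses are assumptions for the illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

GEOIP_LIMIT = 15  # documented limit on GeoIP entries per Source/Destination tab


@dataclass
class AddressCondition:
    """One Source or Destination tab. Empty fields mean 'any'."""
    networks: list = field(default_factory=list)  # IP lists, OR-ed together
    geoip: set = field(default_factory=set)       # country codes, AND-ed with lists

    def __post_init__(self):
        if len(self.geoip) > GEOIP_LIMIT:
            raise ValueError(f"at most {GEOIP_LIMIT} GeoIP entries per tab")

    def matches(self, ip, country):
        list_ok = (not self.networks or
                   any(ip_address(ip) in ip_network(n) for n in self.networks))
        geo_ok = not self.geoip or country in self.geoip
        return list_ok and geo_ok  # AND between list block and GeoIP


@dataclass
class CaptiveRule:
    name: str
    source: AddressCondition = field(default_factory=AddressCondition)
    destination: AddressCondition = field(default_factory=AddressCondition)
    categories: set = field(default_factory=set)  # URL categories, empty = any
    urls: set = field(default_factory=set)        # URL lists, empty = any
    hours: range = range(0, 24)                   # Time tab as hours of day
    skip_portal: bool = False                     # "Skip captive portal page"

    def matches(self, req):
        # All tabs are AND-ed: every specified condition must hold.
        return (self.source.matches(req["src_ip"], req["src_country"])
                and self.destination.matches(req["dst_ip"], req["dst_country"])
                and (not self.categories or req["category"] in self.categories)
                and (not self.urls or req["url_list"] in self.urls)
                and req["hour"] in self.hours)


def make_request(src_ip, dst_ip, hour=12, src_country=None,
                 dst_country=None, category=None, url_list=None):
    """Build the request record the rules are evaluated against."""
    return dict(src_ip=src_ip, dst_ip=dst_ip, hour=hour,
                src_country=src_country, dst_country=dst_country,
                category=category, url_list=url_list)


def first_match(rules, req):
    """Return the first rule (in list order) whose conditions all hold."""
    for rule in rules:
        if rule.matches(req):
            return rule
    return None


def decide(rules, req):
    """'no-auth' when no rule matches, 'skip' for a skip rule, else the rule name."""
    rule = first_match(rules, req)
    if rule is None:
        return "no-auth"
    return "skip" if rule.skip_portal else rule.name


# Constructed sample policy. Two Wi-Fi subnets are OR-ed in one list; the
# office-hours rule must precede the skip rule or it would never trigger.
WIFI = ["10.10.0.0/16", "10.11.0.0/16"]
SAMPLE_RULES = [
    CaptiveRule("wifi-office-hours", source=AddressCondition(networks=WIFI),
                hours=range(8, 18)),
    CaptiveRule("wifi-after-hours", source=AddressCondition(networks=WIFI),
                skip_portal=True),
    # Destination list AND GeoIP: both must hold for this rule to match.
    CaptiveRule("lan-to-us-partner",
                source=AddressCondition(networks=["10.20.0.0/16"]),
                destination=AddressCondition(networks=["203.0.113.0/24"],
                                             geoip={"US"})),
]

if __name__ == "__main__":
    print(decide(SAMPLE_RULES, make_request("10.11.5.5", "198.51.100.1", hour=10)))
    print(decide(SAMPLE_RULES, make_request("10.11.5.5", "198.51.100.1", hour=22)))
```

Swapping the first two sample rules silences the office-hours rule entirely, which is the situation the note on rule order warns about; splitting a condition into several rules is likewise how OR across tabs is expressed.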

To change the user after logging in to the system or to log out, go to URL http://logout.captive and click Logout.