The captive portal makes it possible to authorize Unknown users with the help of authentication methods that use Active Directory, RADIUS, TACACS+, SAML IDP, Kerberos or NTLM directories or a local user database. Moreover, using the captive portal, you can configure user self-registration with email or SMS verification.
Remember that:
- Identified users, such as those with an explicitly set IP address in the user profile or those identified using authorization agents for terminal servers or Windows systems, are not authorized at the captive portal. These users are already classified as Known and do not require further identification.
- Captive portal authorization is only possible for the HTTP and HTTPS protocols. For example, if you have created a firewall rule that allows Internet access using the FTP protocol only for Known users, users will not get Internet access using this protocol until they are identified, that is, until they launch a browser on their device and pass authorization at the captive portal.
- To authorize users that use HTTPS, you need to configure SSL inspection; otherwise, authorization will not work.
- If the captive portal uses the Active Directory authentication method, the user must specify their login name as DOMAIN\username or username@domain.
To configure the captive portal, follow these steps:
| Task | Description |
|---|---|
| Step 1. Create an authentication method, e.g., Active Directory domain-based authentication. | In the UserGate console, go to the Users and devices --> Auth servers section, click Add, and create an authentication server. |
| Step 2. Create an authentication profile with the desired authentication methods. | In the UserGate console, go to the Users and devices --> Auth profiles section, click Add, and create an authentication profile using the authentication method added earlier. |
| Step 3. Create a captive profile with the desired authentication profile. | In the UserGate console, go to the Users and devices --> Captive profiles section, click Add, and create a captive profile using the authentication profile added earlier. |
| Step 4. Create a captive portal rule. | A captive portal rule determines the type of traffic to which the user authentication methods specified in the captive profile should be applied. In the UserGate console, go to the Users and devices --> Captive portal section, click Add, and create a captive portal rule. |
| Step 5. Configure DNS for the auth.captive and logout.captive domains. | The internal auth.captive and logout.captive domain names are used by UserGate for user authorization. If the clients use UserGate as their DNS server, you do not need to do anything. Otherwise, you need to specify the IP address of the UserGate server interface connected to the client network as the IP address for these domains. An alternative solution is to configure the Captive portal auth domain and Captive portal logout domain settings. For more details on these settings, see the section General Settings. |
You can find an in-depth discussion of how to add authentication methods in the previous chapters. Let us now consider the creation of a captive profile and captive portal rules in more detail.
To create a captive profile, go to the Captive profiles section, click Add, and provide the desired settings:
| Name | Description |
|---|---|
| Name | Captive profile name. |
| Description | Captive profile description. |
| Auth page template | Select a template for the auth page. You can create auth page templates in the Libraries --> Response pages section. If you need to configure user self-registration with SMS or email verification, select the corresponding template type (Captive portal: SMS auth / Captive portal: Email auth). |
| Authentication mode | The method that UserGate will use to remember this user. There are two options: |
| Auth profile | The profile created earlier that defines the authentication methods to use. |
| Redirect URL | The URL to redirect the user to after successful authentication using the captive portal. If not specified, the user is redirected to the URL they originally requested. |
| Allow browsers to keep auth | Stores the authorization in the browser (as a cookie) for the specified number of hours, so the user is not prompted again during that period. |
| Show AD/LDAP domain selector on Captive portal auth page | If enabled, the user can select the domain name from a list on the auth page when the Active Directory authentication method is used. If this parameter is not enabled, the user must explicitly specify the domain as DOMAIN\username or username@domain. |
| Protect with CAPTCHA | If this option is enabled, the user will be prompted to enter a code shown to them on the captive portal's auth page. This is recommended to protect against bots that guess user passwords. |
| HTTPS for auth page | Use HTTPS for displaying the captive portal's auth page to users. A properly configured captive portal SSL certificate is required. For more details on certificates, see the section Certificate Management. |
To set up user self-registration with password verification using SMS or email, you need to configure settings on the Guest users registration tab. Remember to use the appropriate template type in this case (Captive portal: SMS auth / Captive portal: Email auth).
| Name | Description |
|---|---|
| Notification profile | The notification profile that will be used for sending information on the newly created user and their password. Two types of notification are possible, SMS and email. For more details on creating a notification profile, see the chapter Notification Profiles. |
| From | The person or entity in whose name notifications will be sent. |
| Notification subject | The subject of notifications (only for email notifications). |
| Notification body | The body of the notification message. In the message body, you can use the special variables {login} and {password}, which will be replaced with the username and password, respectively. |
| Expiration date and time | The date and time when the guest account will be disabled. |
| Guest user TTL | The length of time, counted from the guest user's first login, after which their user account will be disabled. |
| Password length | Sets the password length for a guest user. |
| Password complexity | Sets the password complexity for a guest user. The available options are: |
| Groups | The groups to which the created guest users will be added. For more details on guest user groups, see the chapter Guest Portal. |
To create a captive portal rule, go to the Captive portal section, click Add, and provide the desired settings:
| Name | Description |
|---|---|
| Name | The name of the captive portal rule. |
| Description | A description of the captive portal rule. |
| Captive profile | Select a captive profile created earlier. An option called Skip captive portal page is available which, if enabled, waives the authentication requirement for traffic matched by this rule. |
| Enable logging | If this is enabled, each time the rule is triggered an entry is recorded in the corresponding statistics log. |
| Source | The source addresses. You can use a specific zone, such as the LAN zone, or an IP address range as the source. Country IP addresses (GeoIP) can also be used. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing is performed according to the following statements: |
| Destination | The destination addresses. You can use a specific zone, such as the WAN zone, or an IP address range as the destination. Country IP addresses (GeoIP) can also be used. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing is performed according to the following statements: |
| Categories | The URL filtering categories to which the rule will be applied. You need to have the appropriate license for URL filtering. |
| URL | The URL lists to which the rule will be applied. |
| Time | The time when this rule will be active. |
| Usage | The rule triggering statistics: the total number of triggers and the times of the first and last triggers. To reset statistics, select rules in the list and click Reset hit counts. |
| History | The time when the rule was created and last modified, as well as the event log entries related to this rule: adding or updating the rule, changing the position of the rule in the list, etc. |
By creating several captive portal rules, you can configure different user identification policies for different zones, URL categories, and time.
Note
The conditions specified in the rule's tabs are combined with a Boolean AND, i.e., all conditions must be met to trigger the rule. If you need to use the OR logic instead, this can be achieved by creating several rules.
Note
The rules are applied in the order they are listed in the console. You can reorder the rules using the corresponding buttons.
Note
When there are multiple matching rules, only the first triggered rule is applied.
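The three notes above describe how a rule list is evaluated: conditions within one rule are ANDed, rules are tried in list order, and only the first match applies. The following added example (illustration code, not part of UserGate) models that evaluation for a constructed rule list so you can see why rule order matters; zone, profile and category names are sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of captive portal rule evaluation (not UserGate code): every condition
# inside one rule is ANDed, rules are checked in list order, and only the first match applies.

@dataclass
class CaptiveRule:
    name: str
    captive_profile: str
    skip_captive_page: bool = False        # "Skip captive portal page": no auth required
    sources: frozenset = frozenset()       # source zones; an empty set means "any"
    destinations: frozenset = frozenset()  # destination zones; empty means "any"
    categories: frozenset = frozenset()    # URL filtering categories; empty means "any"
    urls: frozenset = frozenset()          # URL list entries; empty means "any"
    active_hours: Optional[tuple] = None   # (start, end) hour; None means always active

@dataclass
class Request:
    src_zone: str
    dst_zone: str
    category: str
    url: str
    hour: int

def rule_matches(rule: CaptiveRule, req: Request) -> bool:
    """All configured conditions must hold (Boolean AND); an empty condition is a wildcard."""
    start, end = rule.active_hours if rule.active_hours else (0, 24)
    return all((
        not rule.sources or req.src_zone in rule.sources,
        not rule.destinations or req.dst_zone in rule.destinations,
        not rule.categories or req.category in rule.categories,
        not rule.urls or req.url in rule.urls,
        start <= req.hour < end,
    ))

def first_matching_rule(rules, req: Request) -> Optional[CaptiveRule]:
    """Rules are evaluated top-down; the first match wins and later rules are ignored."""
    return next((r for r in rules if rule_matches(r, req)), None)

# Constructed rule list (sample names). The narrow "skip" rule must sit above the broad
# staff rule, otherwise the staff rule shadows it and update traffic gets the auth page.
RULES = [
    CaptiveRule("Updates without auth", "Staff AD", skip_captive_page=True,
                sources=frozenset({"Trusted"}), categories=frozenset({"Software updates"})),
    CaptiveRule("Staff LAN", "Staff AD", sources=frozenset({"Trusted"})),
    CaptiveRule("Guest Wi-Fi", "Guest SMS", sources=frozenset({"Guest"}), active_hours=(9, 18)),
]
```

Calling `first_matching_rule(RULES, req)` for a staff request in the "Software updates" category returns the skip rule, while the same request against a list with the two Trusted rules swapped returns "Staff LAN", which is the OR-by-ordering behaviour the notes describe.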
To log in as a different user or to log out, go to the URL http://logout.captive and click Logout.