6.5. Configuring a Captive portal

A Captive portal allows you to authorize Unknown users by means of Active Directory, Radius, TACACS+, SAML IDP, Kerberos or a local user database. In addition, you can allow users to register on their own in your Captive portal and confirm their registrations via SMS or by email.

Please keep in mind the following:

  • Identified users, e.g. those with IP addresses assigned in their user properties and those identified via the authentication agents of Windows terminal servers, do not need to authorize on the Captive portal. Such users are treated as Known users and need no additional identification.

  • Authentication via the Captive portal is possible only over HTTP and HTTPS. For example, if you have created a firewall rule that allows Internet access via FTP only to Known users, those users gain Internet access only after identification, i.e. after they launch their web browser and authorize on the Captive portal.

  • If the Captive portal uses authentication via Active Directory, then a user must enter their domain name in the DOMAIN\username or username@domain format as their username.

To configure the Captive portal, perform the following steps:

  • Step 1. Create a new authentication method, e.g. authentication via the Active Directory domain. In the UserGate console, go to the Users and devices-->Authentication servers section, click Add and create a new authentication server.

  • Step 2. Create an authentication profile and add all the authentication methods you need. In the UserGate console, go to Users and devices-->Auth profiles, click Add and create an authentication profile that uses the previously created authentication method.

  • Step 3. Create a new Captive profile and specify the auth profiles you want to use. In the UserGate console, go to the Users and devices-->Captive profiles section, click Add and create a new Captive profile based on the previously created authentication profile.

  • Step 4. Create a new rule for the Captive portal. A Captive portal rule defines the traffic to which the user identification methods specified in the Captive profile are applied. In the UserGate console, go to the Users and devices-->Captive portal section, click Add and create a new rule for the Captive portal.

  • Step 5. Configure DNS records for the auth.captive and logout.captive domains. These special domain names are used internally by UserGate for user authentication. If users use UserGate as their DNS server, nothing needs to be done. If another DNS server is used, both names must resolve to the IP address of the UserGate interface connected to the users' network. Alternatively, you can configure the Captive portal auth domain and Captive portal logout domain parameters; for details refer to the General settings section of this manual.

For more information on how to create authentication methods, please refer to the previous chapters. Let's consider creation of a new Captive profile and rules for the Captive portal in more detail.

To create a new Captive profile, click Add in the Captive profiles section and specify the following parameters:

  • Name: the name of the Captive profile.

  • Description: a description of the Captive profile.

  • Auth page template: select an authentication page template. You can create authentication pages in the Libraries/Response pages section. If you want to allow users to register on their own with subsequent SMS/email confirmation, choose a template of the corresponding type (Captive portal: SMS auth or Captive portal: Email auth).

  • Authentication mode: defines how UserGate remembers a user. Two options are possible:

    ◦ Use IP address. Once a user has successfully authorized via the Captive portal, UserGate remembers the user's IP address and attributes all future connections from that IP address to this user. This method identifies traffic of any protocol of the TCP/IP family, but cannot identify users behind NAT. This is the recommended value and the default.

    ◦ Use COOKIES. Once the user has successfully authorized via the Captive portal for the first time, UserGate sets a special cookie in the user's web browser in order to identify them in future. This method can identify users behind a NAT device, but only over HTTP/HTTPS and only in the same web browser in which the user authorized on the Captive portal. In addition, UserGate will forcibly decrypt all HTTPS connections in order to authorize the user's HTTPS sessions. Such a user is always treated as Unknown by firewall rules, because no IP address is associated with a user authenticated by cookie.

  • Authentication profile: the previously created authentication profile that defines the authentication methods.

  • Redirect URL: the URL to which a user is redirected after successful authentication on the Captive portal. When not set, the user is redirected to the URL they initially requested.

  • Allow browsers to keep auth: enables saving of authentication sessions in browsers for the specified period in hours. The authentication data is stored in cookies.

  • Show AD/LDAP domain selector on Captive portal page: if you use Active Directory as the authentication method and this parameter is enabled, the user can select a domain name from a list on the authentication page. When it is disabled, the user must specify the target domain in the DOMAIN\username or username@domain format.

  • Show CAPTCHA: when enabled, users are asked to enter a code displayed on the login page of the Captive portal. This option is recommended as protection against bots trying to brute-force user passwords.

  • HTTPS for auth page: use HTTPS encryption for Captive portal authentication pages. A Captive portal SSL certificate must be configured. For more information about certificates refer to the Managing certificates chapter.
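To make the difference between the two authentication modes concrete, here is an added example in Python that is not UserGate code and not taken from this manual: a toy identification store that binds a user either to a source IP address or to a browser cookie, and then answers "which user sent this packet?" the way each mode described above would. The IdentityStore and Packet classes, the cookie token format, the NAT address 203.0.113.5 and the users alice and bob are all constructed for the example.

```python
"""Toy model of the "Use IP address" and "Use COOKIES" Captive portal modes.

Added example, not UserGate code: shows the NAT failure mode of IP-based
identification and the HTTP(S)-only / Unknown-to-firewall limitation of
cookie-based identification.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

UNKNOWN = "Unknown"


@dataclass
class Packet:
    src_ip: str
    protocol: str                  # e.g. "http", "https", "ftp", "ssh"
    cookie: Optional[str] = None   # portal cookie; only HTTP(S) can carry it


@dataclass
class IdentityStore:
    mode: str                      # "ip" or "cookie"
    by_ip: Dict[str, str] = field(default_factory=dict)
    by_cookie: Dict[str, str] = field(default_factory=dict)
    _counter: int = 0

    def login(self, username: str, src_ip: str) -> Optional[str]:
        """Record a successful portal login. In IP mode the source address is
        bound to the user; in cookie mode an opaque cookie is issued instead.
        Returns the cookie value, or None in IP mode."""
        if self.mode == "ip":
            self.by_ip[src_ip] = username
            return None
        self._counter += 1
        cookie = f"cp{self._counter:04d}"   # constructed token, not UserGate's format
        self.by_cookie[cookie] = username
        return cookie

    def identify(self, pkt: Packet) -> str:
        """User attributed to a packet by the web/proxy layer."""
        if self.mode == "ip":
            return self.by_ip.get(pkt.src_ip, UNKNOWN)
        # cookie mode: only HTTP(S) requests can present the cookie
        if pkt.protocol in ("http", "https") and pkt.cookie:
            return self.by_cookie.get(pkt.cookie, UNKNOWN)
        return UNKNOWN

    def identify_for_firewall(self, pkt: Packet) -> str:
        """Firewall rules only know IP-to-user bindings, so a cookie-only
        session is Unknown to them regardless of the cookie."""
        return self.by_ip.get(pkt.src_ip, UNKNOWN)


def demo_nat() -> Dict[str, str]:
    """alice and bob share one NAT address (constructed: 203.0.113.5)."""
    nat_ip = "203.0.113.5"
    results = {}

    ip_store = IdentityStore("ip")
    ip_store.login("alice", nat_ip)
    # bob never logged in, but his traffic leaves through alice's NAT address
    results["ip_mode_bob_ssh_seen_as"] = ip_store.identify(Packet(nat_ip, "ssh"))
    results["ip_mode_alice_ftp"] = ip_store.identify(Packet(nat_ip, "ftp"))

    ck_store = IdentityStore("cookie")
    alice_cookie = ck_store.login("alice", nat_ip)
    bob_cookie = ck_store.login("bob", nat_ip)
    results["cookie_mode_alice_https"] = ck_store.identify(Packet(nat_ip, "https", alice_cookie))
    results["cookie_mode_bob_https"] = ck_store.identify(Packet(nat_ip, "https", bob_cookie))
    results["cookie_mode_alice_ftp"] = ck_store.identify(Packet(nat_ip, "ftp"))
    results["cookie_mode_firewall_view"] = ck_store.identify_for_firewall(
        Packet(nat_ip, "https", alice_cookie))
    return results


if __name__ == "__main__":
    for key, value in demo_nat().items():
        print(f"{key}: {value}")
```

Running it shows why the manual recommends IP mode unless NAT rules it out: the IP-mode store attributes bob's unauthenticated SSH traffic to alice because they share the NAT address, while the cookie-mode store tells the two apart over HTTPS but reports Unknown for alice's FTP session and for the firewall's IP-only view.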

To allow users to register on their own with subsequent confirmation via SMS or email, configure the parameters on the Guest users registration tab. Keep in mind that you must use a template of the corresponding type (Captive portal: SMS auth or Captive portal: Email auth).

  • Notification profile: the notification profile used to send the created username and password. You can choose between two notification types, SMS and email. For details on how to create a notification profile, refer to Notifications.

  • Notification from: specify on whose behalf the message is sent.

  • Notification subject: the subject of the notification (email notifications only).

  • Notification body: the body of the message. You can use the special variables {login} and {password} in the text; they are automatically replaced with the actual username and password.

  • Guest users expiration date: the date and time when the guest user's account is disabled.

  • Guest user TTL: the time period, counted from the guest user's first authentication, after which the corresponding account is disabled.

  • Password length: the length of passwords generated for created users.

  • Password complexity: the complexity of passwords generated for created users. One of:

    ◦ Numeric: digits only

    ◦ Alphanumeric: digits and letters

    ◦ Alphanumeric+special: digits, letters and special symbols such as @#%^&*

  • Groups: the group in which guest users are stored. For details on groups for guest users, refer to Groups.
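The following is an added example in Python, not UserGate code, of what the guest registration settings above amount to in practice: generating guest credentials under the Password length and Password complexity settings from a cryptographic random source, filling the {login} and {password} variables into the Notification body, and deriving the moment a guest account is disabled from Guest user TTL and Guest users expiration date. The exact alphabets behind the three complexity levels, the choice of whichever of TTL and expiration date comes first, the ISO-8601 time strings and the sample login name are assumptions of this example; the manual only names the settings.

```python
"""Added example (not UserGate code): guest credential generation, notification
rendering and account expiry for the Guest users registration settings."""
import secrets
import string
from datetime import datetime, timedelta
from typing import List, Optional

SPECIAL = "@#%^&*"   # the special symbols listed in the manual


def character_classes(complexity: str) -> List[str]:
    """Character classes a password of the given complexity must draw from.
    The alphabets are this example's assumption; the manual names only the levels."""
    if complexity == "Numeric":
        return [string.digits]
    if complexity == "Alphanumeric":
        return [string.digits, string.ascii_letters]
    if complexity == "Alphanumeric+special":
        return [string.digits, string.ascii_letters, SPECIAL]
    raise ValueError(f"unknown complexity {complexity!r}")


def generate_password(length: int, complexity: str) -> str:
    """Generate a guest password with the CSPRNG (secrets), making sure each
    required class occurs at least once so the result is never weaker than the
    policy name suggests (e.g. an all-digit 'Alphanumeric' password)."""
    classes = character_classes(complexity)
    if length < len(classes):
        raise ValueError("password length too small for the requested complexity")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]                  # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                              # hide class positions
    return "".join(chars)


def complies(password: str, length: int, complexity: str) -> bool:
    """Check a password against the policy: exact length, only allowed
    characters, and at least one character from every required class."""
    classes = character_classes(complexity)
    alphabet = "".join(classes)
    if len(password) != length or any(ch not in alphabet for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in classes)


def render_notification(body: str, login: str, password: str) -> str:
    """Replace the {login} and {password} variables; any other braces stay untouched."""
    return body.replace("{login}", login).replace("{password}", password)


def disable_time(first_auth: str, ttl_hours: Optional[int],
                 expiration: Optional[str]) -> Optional[str]:
    """When the guest account is disabled: the earlier of first authentication
    plus Guest user TTL and the fixed Guest users expiration date (assumed here
    to be whichever comes first). Times are ISO-8601 strings; None means the
    account is not disabled automatically."""
    candidates = []
    if ttl_hours is not None:
        candidates.append(datetime.fromisoformat(first_auth) + timedelta(hours=ttl_hours))
    if expiration is not None:
        candidates.append(datetime.fromisoformat(expiration))
    return min(candidates).isoformat() if candidates else None


if __name__ == "__main__":
    pw = generate_password(10, "Alphanumeric+special")
    body = "Your Wi-Fi login is {login}, password {password}"   # constructed body
    print(render_notification(body, "guest-0001", pw))
    print("disabled at:", disable_time("2024-01-01T12:00:00", 24, "2024-01-03T00:00:00"))
```

The generator draws one character from every required class before filling the rest, so a short "Alphanumeric+special" password cannot silently come out as digits only; complies() is the check an operator can run over generated passwords to confirm the configured policy is really being met.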

To create a new rule for the Captive portal, click Add in the rules section of the Captive portal and specify the following parameters:

  • Name: the name of the Captive portal rule.

  • Description: a description of the Captive portal rule.

  • Captive profile: select the Captive profile you created previously. You can also enable the Skip captive portal page option if you do not want to use any authentication method.

  • Enable logging: logs information each time the rule is triggered.

  • Source: the source addresses. You can specify a zone, such as Trusted, or an IP range as the source. You can also use IP addresses of countries (Geo-IP).

  • Destination: the destination addresses. You can specify a zone, such as Trusted, or an IP range as the destination. You can also use IP addresses of countries (Geo-IP).

  • Categories: the URL filtering categories for which the rule applies. Note that URL filtering requires the corresponding license.

  • URLs: the lists of URLs for which the rule applies.

  • Time: the time period during which the rule is active.

Thus, by creating several rules for the Captive portal, you can set up multiple user identification policies for various zones, addresses and time periods.

Important! Conditions specified on the rule's tab are applied according to the AND logic, i.e. the rule will be triggered only when all these conditions are met. If you want to use the OR logic, then you should create multiple rules.

Important! Rules are applied in the same order as they are displayed in the console. You can change the order using the corresponding buttons.

Important! When processing rules, the system applies only the first triggered rule.
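An added example in Python, not UserGate code, that reproduces the three properties above in a small rule evaluator: every condition set on a rule must hold (AND logic), an unset condition matches anything, rules are tried in list order, and the first rule that triggers is the only one applied, so OR semantics come from adding a second rule. The zone names, the sample URL, the profile names, the modelling of Skip captive portal page as a None profile, the HH:MM time strings and the three sample rules are all constructed for the example.

```python
"""Added example (not UserGate code): evaluating Captive portal rules with
AND-ed conditions, console order and first-match-wins semantics."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Connection:
    src_zone: str
    dst_zone: str
    url_category: Optional[str] = None   # from URL filtering; None when unknown or unlicensed
    url: Optional[str] = None
    at: str = "12:00"                    # zero-padded HH:MM, so string comparison orders correctly


@dataclass
class CaptiveRule:
    name: str
    captive_profile: Optional[str]       # None models the "Skip captive portal page" option
    source: Set[str] = field(default_factory=set)        # empty set = condition not set = any
    destination: Set[str] = field(default_factory=set)
    categories: Set[str] = field(default_factory=set)
    urls: Set[str] = field(default_factory=set)
    time_from: Optional[str] = None
    time_to: Optional[str] = None

    def matches(self, c: Connection) -> bool:
        """AND logic: every condition that is set must hold; unset ones match anything."""
        if self.source and c.src_zone not in self.source:
            return False
        if self.destination and c.dst_zone not in self.destination:
            return False
        if self.categories and c.url_category not in self.categories:
            return False
        if self.urls and c.url not in self.urls:
            return False
        if self.time_from and self.time_to and not (self.time_from <= c.at <= self.time_to):
            return False
        return True


def first_match(rules: List[CaptiveRule], c: Connection) -> Optional[CaptiveRule]:
    """Rules are tried in the order shown in the console; the first one that
    triggers is applied and the remaining rules are never consulted."""
    for rule in rules:
        if rule.matches(c):
            return rule
    return None


# Constructed sample policy (zones, URL and profile names are made up): a
# monitoring URL from the office is exempt, guest Wi-Fi users self-register
# during opening hours only, and the office LAN authenticates against AD.
RULES = [
    CaptiveRule("Monitoring bypass", None,
                source={"Trusted"}, urls={"https://status.example.invalid/"}),
    CaptiveRule("Guest Wi-Fi (working hours)", "Guest SMS profile",
                source={"Guest-WiFi"}, time_from="08:00", time_to="20:00"),
    CaptiveRule("Office LAN", "AD profile",
                source={"Trusted"}, destination={"Untrusted"}),
]


def decide(c: Connection) -> Tuple[str, Optional[str]]:
    """Name of the applied rule and its Captive profile, or ("no rule", None)."""
    rule = first_match(RULES, c)
    return (rule.name, rule.captive_profile) if rule else ("no rule", None)


if __name__ == "__main__":
    samples = [
        Connection("Trusted", "Untrusted", url="https://status.example.invalid/"),
        Connection("Trusted", "Untrusted", url="https://example.invalid/"),
        Connection("Guest-WiFi", "Untrusted", at="12:30"),
        Connection("Guest-WiFi", "Untrusted", at="23:00"),
        Connection("Trusted", "DMZ"),
    ]
    for s in samples:
        print(f"{s.src_zone} -> {s.dst_zone} at {s.at}: {decide(s)}")
```

The order of RULES matters in exactly the way the manual warns: the narrow "Monitoring bypass" rule sits above the broad "Office LAN" rule, and swapping them would send the monitoring request to the AD login page because "Office LAN" would trigger first. A guest connecting at 23:00 matches no rule at all, since the time condition fails and the other rules require a different source zone.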

If you want to log in to the system with another account or log out of the system, type http://logout.captive or http://UserGate_IP_address:8002/cps in your web browser and then click Log out.