A Captive portal allows you to authorize Unknown users by means of Active Directory, Radius, TACACS+, SAML IDP, Kerberos or a local user database. In addition, you can allow users to register on their own in your Captive portal and confirm their registrations via SMS or by email.
Please keep in mind the following:
- Identified users, e.g. those with assigned IP addresses in the properties as well as those identified via authentication agents of the Windows terminal servers, do not need to authorize on the Captive portal. Such users are treated as Known users and therefore do not need any additional identification.
- Authentication via the Captive portal is possible only via HTTP and HTTPS. For example, if you have created a firewall rule that allows Internet access via FTP only to Known users, then users will gain Internet access only after identification, i.e. after they launch their web browser and authorize on the Captive portal.
- If the Captive portal uses authentication via Active Directory, then a user must enter their domain name in the DOMAIN\username or username@domain format as their username.
To configure the Captive portal, perform the following steps:
Name | Description |
---|---|
Step 1. Create a new authentication method, e.g. authentication via the Active Directory domain | In the UserGate console, go to the Users and devices-->Authentication servers section, click Add and then create a new authentication server. |
Step 2. Create an authentication profile and add all authentication methods that you need | In the UserGate console, go to Users and devices-->Auth profiles, click Add and create an authentication profile using the previously created authentication method. |
Step 3. Create a new Captive profile and specify the auth profiles you want to use | In the UserGate console, go to the Users and devices-->Captive profiles section, click Add and then create a new captive profile based on the previously created authentication profile. |
Step 4. Create a new rule for the Captive portal | A Captive portal rule defines the traffic to which the user identification methods specified in the Captive profile should be applied. In the UserGate console, go to the Users and devices-->Captive portal section, click Add and then create a new rule for the Captive portal. |
Step 5. Configure DNS records for domains auth.captive and logout.captive | The special domain names auth.captive and logout.captive are used internally by UserGate for user authentication. No action is needed if users use UserGate as their DNS server. If another server is used, then these two domains should resolve to the UserGate IP address that is connected to the users' network. Alternatively, it is possible to configure the Captive portal auth domain and Captive portal logout domain. For more details, refer to the General settings section of this manual. |
For more information on how to create authentication methods, please refer to the previous chapters. Let's consider creation of a new Captive profile and rules for the Captive portal in more detail.
To create a new Captive profile, click Add in the Captive profiles section and specify the following parameters:
Name | Description |
---|---|
Name | Name of the Captive profile |
Description | Description of the Captive profile |
Auth page template | Select an authentication page template. You can create authentication pages in the Libraries/Response pages section. If you want to allow users to register on their own with subsequent SMS/email confirmation, then choose a template of the corresponding type (Captive portal: SMS auth/ Captive portal: Email auth). |
Authentication mode | Defines how UserGate should remember a user. Two options are possible: |
Authentication profile | The previously created authentication profile that defines authentication methods |
Redirect URL | URL to which a user will be redirected after successful authentication on the Captive portal. When not set, the user will be redirected to the URL they initially requested. |
Allow browsers to keep auth | Enables saving of authentication sessions in browsers for the specified period in hours. The authentication data is stored in cookie files. |
Show AD/LDAP domain selector on Captive portal page | If you use Active Directory as the authentication method, then a user will be able to select a domain name from the list on the authentication page when this parameter is enabled. When this parameter is disabled, a user must specify the target domain in the DOMAIN\username or username@domain format. |
Show CAPTCHA | When this option is enabled, users will be asked to enter a code displayed on the login page of the Captive portal. This option is recommended for protection against bots trying to brute-force user passwords. |
HTTPS for auth page | Use HTTPS encryption for Captive portal authentication pages. This requires a configured Captive portal SSL certificate. For more information about certificates, please refer to the Managing certificates chapter. |
To allow users to register on their own with subsequent confirmation via SMS or email, configure the parameters on the Guest users registration tab. Please keep in mind that you should use a template of the corresponding type (Captive portal: SMS auth/ Captive portal: Email auth).
Name | Description |
---|---|
Notification profile | Notification profile that will be used for sending information about the created user and password. You can choose between two notification types: SMS and email. For more details on how to create a notification profile, please refer to Notifications. |
Notification from | Specify on whose behalf the message will be sent |
Notification subject | Subject of the notification (for email notifications only) |
Notification body | Body of the message. You can use the special variables {login} and {password} in the text, which will be automatically replaced with the actual username and password. |
Guest users expiration date | Date and time when the guest user's account will be disabled |
Guest user TTL | Time period since the first authentication of the guest user after which the corresponding account will be disabled |
Password length | Password length for created users |
Password complexity | Password complexity for created users. Can be |
Groups | Group for guest users in which they are stored. For more details on groups for guest users, please refer to Groups. |
To create a new rule for the captive portal, click Add in the rules section of the Captive portal and then specify the following parameters:
Name | Description |
---|---|
Name | Name of the rule for the Captive portal |
Description | Description of the rule for the Captive portal |
Captive profile | Select the Captive profile you have previously created. You can also enable the Skip captive portal page option if you don't want to use any authentication method. |
Enable logging | Logs information about the rule when it is triggered. |
Source | Addresses of the source. You can specify a certain zone, such as Trusted, or an IP range as the source. You can also use IP addresses of countries (Geo-IP). |
Destination | You can specify a certain zone, such as Trusted, or an IP range as the destination. You can also use IP addresses of countries (Geo-IP). |
Categories | Categories of URL filtering for which the rule will be applied. Note that URL filtering requires the corresponding license. |
URLs | Lists of URLs for which the rule will be applied. |
Time | Time period when the rule will be active |
Thus, by creating several rules for the Captive portal, you can set up multiple user identification policies for various zones, addresses and time periods.
Important! Conditions specified on the rule's tab are applied according to the AND logic, i.e. the rule will be triggered only when all these conditions are met. If you want to use the OR logic, then you should create multiple rules.
Important! Rules are applied in the same order as they are displayed in the console. You can change the order using the corresponding buttons.
Important! When processing rules, the system applies only the first triggered rule.
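The three notes above (AND within a rule, top-to-bottom order, first triggered rule wins) can be checked offline before changing a rule set. The following is an added example, not UserGate code or its API: the Rule class, the rule and profile names, the addresses and the probe list are all constructed for illustration, and only the Source and Time conditions are modelled.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    profile: str                                 # Captive profile the rule selects
    sources: Tuple[str, ...] = ()                # CIDR ranges; empty means any source
    hours: Optional[Tuple[time, time]] = None    # same-day window; None means always

    def matches(self, src_ip: str, at: time) -> bool:
        # Conditions are combined with AND: each configured one must hold.
        if self.sources and not any(ip_address(src_ip) in ip_network(n) for n in self.sources):
            return False
        if self.hours and not (self.hours[0] <= at < self.hours[1]):
            return False
        return True

def first_match(rules, src_ip: str, at: time) -> Optional[str]:
    """Walk the rules top to bottom and return the name of the first one that triggers."""
    for rule in rules:
        if rule.matches(src_ip, at):
            return rule.name
    return None

def shadowed(rules, probes):
    """Rules that never win for any probe (src_ip, time): candidates for reordering."""
    winners = {first_match(rules, ip, at) for ip, at in probes}
    return [r.name for r in rules if r.name not in winners]

# Constructed sample policy (addresses and profile names are placeholders).
GUEST_NET = ("10.20.0.0/24",)
RULES = [
    Rule("guests-office-hours", "guest-sms", GUEST_NET, (time(8), time(18))),
    # "guest subnet OR after hours" cannot be one rule, so it is split in two:
    Rule("guests-any-time", "ad-auth", GUEST_NET),
    Rule("anyone-after-hours", "ad-auth", hours=(time(18), time(23, 59))),
]
PROBES = [("10.20.0.5", time(9)), ("10.20.0.5", time(20)),
          ("10.10.1.7", time(20)), ("10.10.1.7", time(9))]
```

Moving the broad guests-any-time rule above guests-office-hours makes the narrower rule unreachable, which shadowed() reports for the same probes.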
If you want to log in to the system with another account or log out of the system, type http://logout.captive or http://UserGate_IP_address:8002/cps in your web browser and then click Log out.