Captive Portal Configuration

The captive portal makes it possible to authorize Unknown users with authorization methods backed by Active Directory, RADIUS, TACACS+, a SAML IdP, Kerberos, NTLM or the local user database. In addition, the captive portal can be used for user self-registration with email or SMS verification.

Remember that:

  • Identified users, such as those with an explicitly set IP address in the user profile or those identified using authorization agents for terminal servers or Windows systems, are not authorized at the captive portal. These users are already classified as Known and do not require further identification.

  • Captive portal authorization is only possible over HTTP and HTTPS. For example, if a firewall rule allows Internet access over FTP only for Known users, a user will not get FTP access until they are identified, that is, until they open a browser on their device and pass authorization at the captive portal.

  • To authorize users whose requests are sent over HTTPS, you must configure SSL inspection; without it, NGFW cannot redirect the encrypted session to the auth page and authorization will not work.

  • If the captive portal uses the Active Directory authorization method, the user must specify their login name as DOMAIN\username or username@domain, unless the domain selector is enabled in the captive profile (see Show AD/LDAP domain selector below).

To configure the captive portal, follow these steps:


Step 1. Create an auth server, e.g., an Active Directory domain.

In the NGFW console, go to the Users and devices ➜ Auth servers section, click Add, and create the auth server.

Step 2. Create an auth profile with the desired authentication methods.

In the NGFW console, go to the Users and devices ➜ Auth profiles section, click Add, and create an auth profile that uses the auth server added earlier.

Step 3. Create a captive profile that uses this auth profile.

In the NGFW console, go to the Users and devices ➜ Captive profiles section, click Add, and create a captive profile that uses the auth profile added earlier.

Step 4. Create a captive portal rule.

A captive portal rule determines the type of traffic to which the user authentication methods specified in the captive profile should be applied. In the NGFW console, go to the Users and devices ➜ Captive portal section, click Add, and create a captive portal rule.

Step 5. Configure DNS for the auth.captive and logout.captive domains.

NGFW uses the internal domain names auth.captive and logout.captive for user authorization. If the clients use NGFW as their DNS server, nothing needs to be done. Otherwise, on the DNS server the clients do use, point both names at the IP address of the NGFW interface connected to the client network. Alternatively, configure the Captive portal auth domain and Captive portal logout domain settings to use names of your own; for details, see the section General Settings.
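As an added illustration, not taken from the original page, the records an internal dnsmasq resolver would need when clients resolve through it rather than through NGFW. The interface address 10.0.0.1 and the renamed domains in the comment are assumptions; on BIND or Windows DNS, create the equivalent A records.

```conf
# Added example, not part of the original page or of NGFW.
# Assumption: the NGFW interface connected to the client network is 10.0.0.1.
# Both internal captive-portal names must resolve to that interface, because the
# browser is redirected to them after the user's request is intercepted.
address=/auth.captive/10.0.0.1
address=/logout.captive/10.0.0.1

# If you changed the names via Captive portal auth domain / Captive portal
# logout domain in General Settings, add the same records for your names
# instead (the names below are assumed, not the product's defaults):
# address=/auth.corp.example/10.0.0.1
# address=/logout.corp.example/10.0.0.1
```

Check from a client with `nslookup auth.captive` and `nslookup logout.captive`: both must return the LAN-facing NGFW address before the portal redirect will work.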

You can find an in-depth discussion of how to add authorization methods in the previous chapters. Let us now consider the creation of a captive profile and captive portal rules in more detail.

To create a captive profile, go to the Captive profiles section, click Add, and provide the desired settings:


Name

Captive profile name.

Description

Captive profile description.

Auth page template

Select a template for the auth page. You can create auth page templates in the Libraries ➜ Response pages section. If you need to configure user self-registration with SMS or email verification, select the corresponding template type (Captive portal: SMS auth/ Captive portal: Email auth).

Authentication mode

How NGFW will remember the authorized user. There are two options:

  • Use IP address. After the user successfully authorizes at the captive portal, NGFW records their IP address, and all subsequent connections from that address are attributed to this user. This mode identifies traffic of any TCP/IP protocol, but it does not work correctly if there is a NAT device between the users and NGFW: every host behind the NAT reaches NGFW with the same source address, so their traffic cannot be told apart.

    This is the default and recommended value.

  • Use cookie. After the user successfully authenticates through the captive portal, NGFW sets a cookie in the user's browser and identifies subsequent connections by that cookie. This mode can authorize users behind a NAT device, but only for HTTP(S) and only in the browser that was used for the captive portal authorization. Moreover, to read the cookie in HTTPS sessions, NGFW must decrypt all of the user's HTTPS connections. For firewall rules, a user authenticated with a cookie is always classified as Unknown.
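To make the trade-off between the two modes concrete, here is an added toy model (not code from the original page or from NGFW) of how each mode attributes traffic. Two hosts behind one NAT address are modelled; the address 203.0.113.5, the user names and the cookie values are assumptions.

```python
"""Added example, not part of the original page or of the NGFW product code.
A toy model of the two Authentication mode options, written to show why
"Use IP address" misattributes traffic behind NAT and what "Use cookie"
does and does not cover. Addresses, names and cookie values are assumed."""
from dataclasses import dataclass, field

UNKNOWN = "Unknown"


@dataclass
class CaptiveState:
    mode: str                                      # "ip" or "cookie"
    by_ip: dict = field(default_factory=dict)      # source IP -> user
    by_cookie: dict = field(default_factory=dict)  # cookie value -> user

    def portal_login(self, user, src_ip, cookie=None):
        """Record a successful captive-portal authorization."""
        if self.mode == "ip":
            self.by_ip[src_ip] = user
        else:
            # The cookie lives only in the browser that completed the login.
            self.by_cookie[cookie] = user

    def identify(self, src_ip, proto, cookie=None):
        """User that NGFW attributes a new connection to."""
        if self.mode == "ip":
            return self.by_ip.get(src_ip, UNKNOWN)
        # Cookie mode: only HTTP(S) carries the cookie, and only the browser
        # that logged in has it; everything else stays Unknown.
        if proto not in ("http", "https") or cookie is None:
            return UNKNOWN
        return self.by_cookie.get(cookie, UNKNOWN)

    def firewall_user(self, src_ip, proto, cookie=None):
        """Identity as seen by firewall rules: the page states that a
        cookie-authenticated user is always Unknown there."""
        if self.mode == "cookie":
            return UNKNOWN
        return self.identify(src_ip, proto, cookie)


def nat_scenario(mode):
    """Constructed scenario: hosts A (alice) and B (bob) share the NAT address
    203.0.113.5. alice logs in from host A; bob never logs in."""
    nat_ip = "203.0.113.5"
    st = CaptiveState(mode)
    st.portal_login("alice", nat_ip, cookie="c-alice")
    return {
        "alice_https_same_browser": st.identify(nat_ip, "https", cookie="c-alice"),
        "alice_ssh": st.identify(nat_ip, "ssh"),
        "bob_https_other_host": st.identify(nat_ip, "https", cookie=None),
        "alice_for_firewall": st.firewall_user(nat_ip, "https", cookie="c-alice"),
    }


if __name__ == "__main__":
    for mode in ("ip", "cookie"):
        print(mode, nat_scenario(mode))
```

In IP mode, bob's host inherits alice's identity (and therefore alice's firewall permissions) simply because it shares her NAT address; in cookie mode bob stays Unknown, but so does alice's own SSH traffic, and her identity is invisible to firewall rules.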

Auth profile

The authorization profile created earlier that defines the authentication methods to use.

Authentication mode

Whether users authenticate with a login and password (AAA, e.g., via a RADIUS server) or with a certificate (PKI).

User certificate profile

When PKI-based authentication is used, specify a pre-configured user certificate profile here.

Redirect URL

URL to redirect the user to after successful authentication using the Captive portal. If not specified, the user is redirected to the URL they requested.

Allow browsers to keep auth

If enabled, the browser keeps the authorization for the specified number of hours; a cookie is used to store it.

Show AD/LDAP domain selector on Captive portal auth page

If enabled, this parameter allows the user to select the domain name from a list on the auth page if the Active Directory authentication method is used. If this parameter is not enabled, the user must explicitly specify the domain as DOMAIN\username or username@domain.

Protect with CAPTCHA

If enabled, the user must also enter the code shown on the captive portal's auth page. This is recommended as protection against password-guessing bots.

HTTPS for auth page

Use HTTPS for displaying the captive portal's auth page to users. A properly configured captive portal SSL certificate is required. For more details on certificates, see the Certificate Management section.

To set up user self-registration with SMS or email verification, configure the settings on the Guest users registration tab. Remember to use the appropriate template type in this case (Captive portal: SMS auth/ Captive portal: Email auth).


Notification profile

The notification profile that will be used for sending information on the newly created user and their password. Two types of notification are possible, SMS and email. For more details on creating a notification profile, see the Notification Profiles chapter.

From

The person or entity in whose name notifications will be sent.

Notification subject

The subject of notifications (only for email notifications).

Notification body

The body of the notification message. In the message body, you can use special variables named {login} and {password} that will be replaced with the username and password, respectively.

Expiration date and time

The date and time when the guest account will be disabled.

Guest user TTL

The length of time from the guest user's first login after which their user account will be disabled.

Password length

The length of the password generated for a guest user.

Password complexity

Sets the password complexity for a guest user. The available options are:

  • Numeric

  • Alphanumeric

  • Alphanumeric+special.

Groups

The groups to which the created guest users will be added. For more details on guest user groups, see the Guest Portal chapter.
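As an added example (not code from the original page or from NGFW), the following generates a guest credential according to the Password length and Password complexity settings above, renders a Notification body with the {login} and {password} variables, and estimates how guessable the result is, which is what makes the Protect with CAPTCHA option and a short Guest user TTL matter. The character sets, the sample template and the login format are assumptions.

```python
"""Added example, not part of the original page or of NGFW. Shows what the
guest registration settings amount to: a CSPRNG password of the chosen
length and complexity class, the {login}/{password} substitution in the
notification body, and the entropy of the result. Alphabets, the sample
body and the login format are assumptions for illustration."""
import math
import secrets
import string

# Assumed character classes for the three complexity options on the page.
ALPHABETS = {
    "Numeric": [string.digits],
    "Alphanumeric": [string.digits, string.ascii_letters],
    "Alphanumeric+special": [string.digits, string.ascii_letters, "!@#$%^&*()-_=+"],
}


def guest_password(length, complexity):
    """CSPRNG password containing at least one character from every class of
    the chosen complexity, shuffled so the class order reveals nothing."""
    classes = ALPHABETS[complexity]
    if length < len(classes):
        raise ValueError("length too short for the requested complexity")
    chars = [secrets.choice(c) for c in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def password_bits(length, complexity):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    pool = "".join(ALPHABETS[complexity])
    return length * math.log2(len(pool))


def render_notification(body, login, password):
    """Substitute {login} and {password} as the Notification body field does.
    str.format is deliberately avoided so other braces in the text are kept."""
    return body.replace("{login}", login).replace("{password}", password)


# Constructed sample notification body.
SAMPLE_BODY = "Guest Wi-Fi access. Login: {login} Password: {password}"


def issue_guest(login, length, complexity, body=SAMPLE_BODY):
    """Generate the credential and the message that would be sent to the guest."""
    pw = guest_password(length, complexity)
    return pw, render_notification(body, login, pw)


if __name__ == "__main__":
    for length, complexity in ((6, "Numeric"), (8, "Alphanumeric"), (10, "Alphanumeric+special")):
        print(complexity, length, "chars ->", round(password_bits(length, complexity), 1), "bits")
    print(issue_guest("guest42", 8, "Alphanumeric"))
```

A six-digit numeric password is under 20 bits, which a bot can enumerate at the portal unless CAPTCHA and a short expiration are in place; ten alphanumeric characters give roughly 60 bits.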

To create a captive portal rule, go to the Captive portal section, click Add, and provide the desired settings:


Name

The name of the captive portal rule.

Description

A description of the captive portal rule.

Captive profile

Select a captive profile created earlier. The Skip captive portal page option, if enabled, exempts traffic matching this rule from captive portal authentication.

Enable logging

If enabled, each time the rule is triggered an entry is written to the corresponding statistics log.

Source

The source addresses. You can use a specific zone, such as the LAN zone, or an IP address range as the source. Country IP addresses (GeoIP) can also be used.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Destination

The destination addresses. You can use a specific zone, such as the WAN zone, or an IP address range as the destination. Country IP addresses (GeoIP) can also be used.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Categories

The URL filtering categories to which the rule will be applied. You need to have the appropriate license for URL filtering.

URL

The URL lists to which the rule will be applied.

Time

The time when this rule will be active.

Usage

The trigger statistics for the rule: the total trigger count and the time of the first and last trigger.

To reset the trigger count, select the rules in the list and click Reset hit counts.

History

The time the rule was created and last changed as well as the related event log entries, such as rule added, rule updated, rule list position changed etc.

By creating several captive portal rules, you can configure different user identification policies for different zones, URL categories, and time.

Note The conditions specified in the rule's tabs are combined with a Boolean AND, i.e., all conditions must be met to trigger the rule. If you need to use the OR logic instead, this can be achieved by creating several rules.

Note The rules are applied in the order they are listed in the console. You can reorder the rules using the corresponding buttons.

Note When there are multiple matching rules, only the first triggered rule is applied.
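The matching semantics stated for the Source and Destination fields (OR across address lists, AND between GeoIP and address lists) and in the three notes above (AND across tabs, list order, first match wins) are easy to get wrong when several rules coexist. The following evaluator is an added example, not code from the original page or from NGFW; the rule set, address lists, country codes and the request fields are constructed, domain lists and the Time tab are simplified to CIDR lists and an hour range, and the matching of one sample policy is worked through in the test below the block.

```python
"""Added example, not from the original page or from NGFW: an evaluator for
the matching rules the page states for captive portal rules.
  - Source/Destination: several address lists are ORed; GeoIP is ANDed with them
  - across tabs (Source, Destination, Categories, URL, Time): AND
  - rules are tried in list order and the first match wins
  - a matched rule with Skip captive portal page exempts the traffic
Domain lists are left out and Time is reduced to an hour range (assumptions).
The policy and requests below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AddrMatch:
    lists: list = field(default_factory=list)   # each entry is a list of CIDRs
    geoip: set = field(default_factory=set)     # country codes (page: max 15)

    def matches(self, ip, country):
        ok = True
        if self.lists:                           # OR across the address lists
            ok = any(ip_address(ip) in ip_network(c) for lst in self.lists for c in lst)
        if self.geoip:                           # AND with GeoIP
            ok = ok and country in self.geoip
        return ok                                # no condition at all matches anything


@dataclass
class Rule:
    name: str
    captive_profile: str
    skip_portal: bool = False
    source: AddrMatch = field(default_factory=AddrMatch)
    destination: AddrMatch = field(default_factory=AddrMatch)
    categories: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    hours: Optional[range] = None                # Time tab, assumed as an hour range

    def matches(self, req):
        checks = [
            self.source.matches(req["src"], req["src_country"]),
            self.destination.matches(req["dst"], req["dst_country"]),
            not self.categories or req["category"] in self.categories,
            not self.urls or req["host"] in self.urls,
            self.hours is None or req["hour"] in self.hours,
        ]
        return all(checks)                       # AND across the rule's tabs


def decide(rules, req):
    """First matching rule wins: ('skip', name), ('auth', name) or ('none', None)."""
    for r in rules:
        if r.matches(req):
            return ("skip" if r.skip_portal else "auth", r.name)
    return ("none", None)


# Constructed sample policy; the exemption must sit above the general guest rule.
RULES = [
    Rule("Guests, no portal for update servers", "guests", skip_portal=True,
         source=AddrMatch(lists=[["10.20.0.0/16"]]), categories={"Software updates"}),
    Rule("Guest Wi-Fi", "guests", source=AddrMatch(lists=[["10.20.0.0/16"]])),
    Rule("Office, work hours, foreign destinations", "staff",
         source=AddrMatch(lists=[["10.10.0.0/16"], ["10.11.0.0/16"]]),
         destination=AddrMatch(geoip={"US", "DE"}), hours=range(8, 19)),
]


def sample(src, dst, dst_country, category, host, hour):
    """Build a constructed request record for decide()."""
    return {"src": src, "src_country": "XX", "dst": dst, "dst_country": dst_country,
            "category": category, "host": host, "hour": hour}


if __name__ == "__main__":
    print(decide(RULES, sample("10.20.5.5", "203.0.113.10", "US", "Software updates", "updates.example", 10)))
    print(decide(RULES, sample("10.11.3.3", "203.0.113.10", "DE", "News", "news.example", 22)))
```

Note what happens if the two guest rules are swapped: the general Guest Wi-Fi rule matches first and the update-server exemption is never reached, which is the practical consequence of the first-match note above.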

To log out, or to log in as a different user, open http://logout.captive in the browser and click Logout.