How to Configure the Captive Portal for User Control
Before you begin
To use the captive portal for active authentication, you must set up the following: a realm (an LDAP realm; a Microsoft AD realm or realm sequence; or a Microsoft Azure AD (SAML) realm), an access control policy, an identity policy, and a decryption policy. The identity and decryption policies must be associated with the same access control policy. Finally, you must deploy the policies to managed devices. This topic provides a high-level summary of those tasks.
Note | To use a Microsoft Azure AD (SAML) realm as a captive portal, see How to Create a Microsoft Azure AD (SAML) Realm for Active Authentication (Captive Portal). |
Perform the following tasks first:
- Confirm that your Security Cloud Control manages one or more devices with a routed interface configured.
- To use encrypted authentication with the captive portal, either create a PKI object for the authenticating managed device or have your certificate data and key available on the machine from which you access Security Cloud Control. To create a PKI object, see PKI.
Procedure
Step 1 | Create and enable an LDAP realm, or a Microsoft AD realm and optionally a realm sequence, as discussed in the following topics:
A realm sequence is not supported for the captive portal. To make sure the system downloads all users in a realm or realm sequence, confirm that the groups are in the Available Groups list in the realm's configuration. For more information, see Synchronize Users and Groups. |
Step 2 | Get the required certificates and certificate authorities. You must have all of the following: |
Step 3 | Create a network object with an associated trusted certificate authority. |
Step 4 | Create an identity policy with an active authentication rule. The identity policy allows selected users in your realm to access resources after they authenticate with the captive portal. For more information, see Configure the Captive Portal Part 2: Create an Identity Policy and Active Authentication Rule. |
Step 5 | Configure an access control rule for the captive portal that allows traffic on the captive portal port (by default, TCP 885). You can choose any available TCP port for the captive portal to use. Whatever your choice, you must create a rule that allows traffic on that port. For more information, see Configure the Captive Portal Part 3: Create a TCP Port Access Control Rule. |
Step 6 | Add another access control rule to allow users in the selected realm or realm sequence to access resources using the captive portal. For more information, see Configure the Captive Portal Part 4: Create a User Access Control Rule. |
Step 7 | Configure a decryption policy with a Decrypt - Resign rule for the Unknown user so that captive portal users can access web pages over HTTPS. The captive portal can authenticate users only if the HTTPS traffic is decrypted before it is sent to the captive portal, and because users have not yet authenticated when their traffic reaches the portal, the system attributes that traffic to the Unknown user. For more information, see Captive Portal Example: Create a Decryption Policy with an Outbound Rule. |
Step 8 | Associate the identity and decryption policies with the access control policy to which you added the rules in steps 5 and 6. This final step enables the system to authenticate users with the captive portal. For more information, see Configure Captive Portal Part 6: Associate Identity and Decryption Policies with the Access Control Policy. |
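The certificate prerequisite listed before the procedure (the certificate data and key you upload or turn into a PKI object in Step 2) and the portal port from Step 5 are both things you can verify from a workstation before and after deployment. The script below is an added example, not code from the Cisco documentation or from Security Cloud Control. The hostname captive.example.internal, the scratch directory, the 365-day self-signed issuer and the TCP 885 default are assumptions; a production portal certificate should be issued by a CA that the client browsers already trust, since a self-signed one will produce a warning on the portal page.

```shell
#!/bin/sh
# Added example, not part of the Cisco documentation or product.
# Generates a server key and certificate for the captive portal, verifies that
# the certificate and key belong together before they are uploaded or turned
# into a PKI object, and offers a post-deployment check of the portal's TLS
# endpoint. Hostname, port, output directory and issuer are assumptions.
set -eu

CP_HOST="${CP_HOST:-captive.example.internal}"   # assumed FQDN users are redirected to
CP_PORT="${CP_PORT:-885}"                         # captive portal port (TCP 885 by default)
WORKDIR="${WORKDIR:-$(mktemp -d)}"               # assumed scratch directory

# Create a 2048-bit RSA key and a self-signed certificate whose Subject
# Alternative Name is the portal hostname. Browsers validate the SAN, not the
# CN, so a CN-only certificate still triggers a warning on the portal page.
gen_cp_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=$CP_HOST" \
    -addext "subjectAltName=DNS:$CP_HOST" \
    -keyout "$WORKDIR/cp.key" -out "$WORKDIR/cp.crt" >/dev/null 2>&1
}

# Return 0 when the public key embedded in the certificate ($1) equals the
# public key derived from the private key ($2). A mismatched pair is either
# rejected at upload time or breaks the TLS handshake on the portal.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate ($1) lists the DNS name ($2) in its SAN.
san_covers_host() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# After deployment, confirm the portal answers TLS on the configured port and
# presents the expected certificate. Needs network access, so it is only
# defined here, not run.
check_portal_tls() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

gen_cp_cert
cert_key_match "$WORKDIR/cp.crt" "$WORKDIR/cp.key" && echo "certificate and key match"
san_covers_host "$WORKDIR/cp.crt" "$CP_HOST" && echo "SAN covers $CP_HOST"
echo "upload $WORKDIR/cp.crt and $WORKDIR/cp.key, or use them to create the PKI object"
```

Run it once to produce cp.crt and cp.key in the scratch directory and confirm they pair up; if you already have certificate data from your CA, skip gen_cp_cert and run cert_key_match and san_covers_host against those files instead. After the policies are deployed, check_portal_tls captive.example.internal 885 (or whichever port you chose in Step 5) confirms from a client's point of view that the device is listening on that port and serving the certificate you expect.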
What to do next
See Configure the Captive Portal Part 1: Create a Network Object.