Create an identity policy and active authentication rule

This procedure enables captive portal to perform active authentication for users in your domains using the Secure Firewall Management Center.

This multi-part procedure shows how to set up the captive portal using the default TCP port 885 and using a Cloud-Delivered Firewall Management Center server certificate for both the captive portal and for TLS/SSL decryption. Each part of this example explains one task required to enable the captive portal to perform active authentication.

If you follow all the steps in this procedure, you can configure captive portal to work for users in your domains. You can optionally perform additional tasks, which are discussed in each part of the procedure.

For an overview of the entire procedure, see Configure the captive portal for user control.

Procedure

Step 1

In the Firewall Management Center, click Policies > Security policies > Identity and create or edit an identity policy.

Step 2

(Optional.) Click Add Category to add a category for the captive portal identity rules and enter a Name for the category.

Step 3

Click the Active Authentication tab.

  1. Choose the appropriate root Server Certificate from the list or click Add (add icon) to add a certificate.

    For more information, see Connect securely to active directory or LDAP.

    Note

    Captive portal does not support the use of Digital Signature Algorithm (DSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.

  2. From the Redirect to Host Name field, click the network object you previously created or click Add (add icon).

  3. Enter 885 in the Port field and specify the Maximum login attempts.

  4. (Optional.) Choose an Active Authentication Response Page as described in Captive portal fields.

    This figure shows an example.

    You can redirect captive portal users to a network object you previously configured.

Step 4

Click Save.

Step 5

Click the Rules tab.

Step 6

Click Add Rule to add a new captive portal identity policy rule, or click Edit (edit icon) to edit an existing rule.

In the Add Rule page,

  1. Enter a Name for the rule.

  2. From the Action list, choose Active Authentication.

  3. Click Realm & Settings.

  4. From the Realms list, choose a realm to use for user authentication

    A realm sequence is not supported.

  5. (Optional.) Check Identify as Guest if authentication cannot identify user. For more information, see Captive portal fields.

  6. Choose an Authentication Protocol from the list.

  7. (Optional.) To exempt specific application traffic from captive portal, see Exclude applications from captive portal.

  8. Add conditions to the rule (port, network, and so on) as discussed in Identity rule conditions.

  9. Click Add.

Step 7

At the top of the page, click Save.

What to do next

Continue with Create a TCP port access control rule.