Configure the Captive Portal Part 2: Create an Identity Policy and Active Authentication Rule
Before you begin
This multi-part procedure shows how to set up the captive portal using the default TCP port 885 and using a management center server certificate for both the captive portal and for TLS/SSL decryption. Each part of this example explains one task required to enable the captive portal to perform active authentication.
If you follow all the steps in this procedure, you can configure captive portal to work for users in your domains. You can optionally perform additional tasks, which are discussed in each part of the procedure.
For an overview of the entire procedure, see How to Configure the Captive Portal for User Control.
Procedure
Step 1 | Log in to the management center if you have not already done so. | ||
Step 2 | Click and create or edit an identity policy. | ||
Step 3 | (Optional.) Click Add Category to add a category for the captive portal identity rules and enter a Name for the category. | ||
Step 4 | Click the Active Authentication tab. | ||
Step 5 | Choose the appropriate Server Certificate from the list or click Add () to add a certificate.
| ||
Step 6 | From the Redirect to Host Name field, click the network object you previously created or click Add (). | ||
Step 7 | Enter 885 in the Port field and specify the Maximum login attempts. | ||
Step 8 | Uncheck Share active authentication across firewalls to enable the management center to require users to reauthenticate every time they access your network using a different managed device than the last time. For more information about this option, see Captive Portal Fields. | ||
Step 9 | (Optional.) Choose an Active Authentication Response Page as described in Captive Portal Fields. | ||
Step 10 | (If you upgraded to version 7.4.1 from an earlier version only and you authenticate users with a realm sequence.) Click Edit () and see Update a Custom Authentication Form. | ||
Step 11 | Click Save. | ||
Step 12 | Click Rules. | ||
Step 13 | Click Add Rule to add a new captive portal identity policy rule, or click Edit () to edit an existing rule. | ||
Step 14 | Enter a Name for the rule. | ||
Step 15 | From the Action list, choose Active Authentication. | ||
Step 16 | Click Realm & Settings. | ||
Step 17 | From the Realms list, choose a realm or realm sequence to use for user authentication. | ||
Step 18 | (Optional.) Check Identify as Guest if authentication cannot identify user. For more information, see Captive Portal Fields. | ||
Step 19 | Choose an Authentication Protocol from the list. You cannot authenticate users with a realm sequence if you choose NTLM, Kerberos, or HTTP Negotiate authentication protocols. Choose HTTP Basic or HTTP Response Page instead. | ||
Step 20 | (Optional.) To exempt specific application traffic from captive portal, see Exclude Applications from Captive Portal. | ||
Step 21 | Add conditions to the rule (port, network, and so on) as discussed in Identity Rule Conditions. | ||
Step 22 | Click Add. | ||
Step 23 | At the top of the page, click Save. |
What to do next
Continue with Configure the Captive Portal Part 3: Create a TCP Port Access Control Rule.