How to Configure the Captive Portal for User Control

Before you begin

To use the captive portal for active authentication, you must set up the following: an LDAP realm, or a Microsoft AD realm or realm sequence, or a Microsoft Azure AD (SAML) realm; an access control policy; an identity policy; and a decryption policy. You must then associate the identity and decryption policies with the same access control policy and, finally, deploy the policies to managed devices. This topic provides a high-level summary of those tasks.

Note

Microsoft Azure Active Directory is not supported for captive portal.

Perform the following tasks first:

  • Confirm that your management center manages one or more devices with a routed interface configured.

  • To use encrypted authentication with the captive portal, either create a PKI object for the authenticating managed device or have your certificate data and key available on the machine from which you're accessing the management center. To create a PKI object, see PKI.

Procedure


Step 1

Create and enable an LDAP realm, or a Microsoft AD realm and optionally a realm sequence, as discussed in the following topics:

To make sure the system downloads all users in a realm or realm sequence, confirm that the groups are in the Available Groups list in the realm's configuration.

For more information, see Synchronize Users and Groups.

Step 2

Get required certificates and certificate authorities.

You must have all of the following:

  • To authenticate with Microsoft AD, export the server's root certificate and import it into the Secure Firewall Management Center as a trusted CA certificate.

  • An internal certificate object for authenticating with the managed device to which the identity policy is deployed.

  • An internal certificate authority for the required decryption rule.
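Before importing the exported AD root certificate as a trusted CA, it is worth confirming on the workstation that the file really is a self-signed CA certificate and that it actually validates the certificate the AD server presents; a wrong or intermediate certificate is a common reason the realm test later fails. The following POSIX shell helpers are an added example written for this page, not Cisco's code. They assume `openssl` is installed; the file paths and the hostname `ad.example.test` are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not from the Cisco documentation): sanity checks for the
# certificate prerequisites in Step 2, run on the machine you administer from.
# Assumes the openssl command-line tool is available.

# Fetch the leaf certificate an AD/LDAPS server presents, writing it as PEM.
# Usage: fetch_server_cert ad.example.test 636 /tmp/ad-server.pem
# (needs network access; the hostname/port here are placeholders)
fetch_server_cert() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Return 0 if the certificate in $1 is a self-signed CA certificate, i.e. a
# root suitable for import as a trusted CA: basicConstraints says CA:TRUE and
# subject equals issuer. Intermediates and server certificates fail this check.
is_root_ca() {
  cert="$1"
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || return 1
  iss=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Return 0 if the server certificate in $2 chains to the root CA in $1.
# This is the same trust decision the management center will make once the
# exported root is imported as a trusted CA certificate.
verify_chain() {
  ca="$1"; leaf="$2"
  openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
}

# Combined pre-import check; prints a verdict and returns 0 only if both pass.
check_ad_certs() {
  ca="$1"; leaf="$2"
  if ! is_root_ca "$ca"; then
    echo "FAIL: $ca is not a self-signed CA certificate (export the root, not an intermediate)"
    return 1
  fi
  if ! verify_chain "$ca" "$leaf"; then
    echo "FAIL: $leaf does not chain to $ca"
    return 1
  fi
  echo "OK: $ca is a root CA and validates $leaf"
  return 0
}
```

Run it as `fetch_server_cert ad.example.test 636 ad-server.pem && check_ad_certs ad-root.pem ad-server.pem`; a `FAIL` on the first check usually means an intermediate was exported instead of the root, and a `FAIL` on the second means the exported root is not the one that issued the server's certificate.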

Step 3

Create a network object with an associated trusted certificate authority.

Step 4

Create an identity policy with an active authentication rule.

The identity policy enables selected users in your realm to access resources after they authenticate with the captive portal.

For more information, see Configure the Captive Portal Part 2: Create an Identity Policy and Active Authentication Rule.

Step 5

Configure an access control rule for the captive portal that allows traffic on the captive portal port (by default, TCP 885).

You can choose any available TCP port for the captive portal to use. Whatever your choice, you must create a rule that allows traffic on that port.

For more information, see Configure the Captive Portal Part 3: Create a TCP Port Access Control Rule.

Step 6

Add another access control rule to allow users in the selected realm or realm sequence to access resources using the captive portal.

Step 7

Configure a decryption policy with a Decrypt - Resign rule for the Unknown user so captive portal users can access web pages using the HTTPS protocol.

The captive portal can authenticate users only if the HTTPS traffic is decrypted before the traffic is sent to the captive portal. The captive portal itself is seen by the system as the Unknown user.

For more information, see Captive Portal Example: Create a Decryption Policy with an Outbound Rule.

Step 8

Associate the identity and decryption policies with the access control policy from step 3.

This final step enables the system to authenticate users with the captive portal.

For more information, see Configure Captive Portal Part 6: Associate Identity and Decryption Policies with the Access Control Policy.


What to do next

See Configure the Captive Portal Part 1: Create a Network Object.