https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145812#M23056 <P>I believe thats actually correct...think about it this way. When you have captive portal enabled, if any given user can NOT be even passively authenticated, they would be redirected to captive portal page to log in.</P> <P>So, based on rule you had given as an example, anyone in the source access role would get authentication prompt when trying to access any of those applications. As far as guest access, I cant recall now, but I believe thats enabled by default. Maybe&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;can confirm for you 100% the behaviour based on screenshot and the questions.</P> <P>What&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21294">@G_W_Albrecht</a>&nbsp;gave you is helpful, but you can also refer to below, it gives solid explanation:</P> <P><A href="https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide/148468" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide/148468</A></P> <P>&nbsp;</P> <P>Andy</P> Fri, 08 Apr 2022 12:23:28 GMT the_rock 2022-04-08T12:23:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145804#M23050 <P>Hi experts,</P><P>&nbsp;</P><P>Suppose that I select AD Query and Browser-Based Authentication as my methods acquiring identity on my network. And I create a rule like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rule.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/15964i1DDFFFF907B9F116/image-size/large?v=v2&amp;px=999" role="button" title="rule.PNG" alt="rule.PNG" /></span></P><P>To my knowledge, this is what happens in the following situations:</P><P>1 - When I user which belongs to the Marketing group (supposing the Marketing Access Role is mapped to the Marketing AD group) logs in and open <A href="https://youtube.com" target="_blank" rel="noopener">https://youtube.com</A>, this user can access with no problem.</P><P>2 - If a guest user try to access&nbsp;<A href="https://youtube.com" target="_blank" rel="noopener">https://youtube.com</A>, it will be redirected to the captive portal to authenticate.</P><P>3 -&nbsp;When I user which belongs to the Operations group logs in and open <A href="https://youtube.com" target="_blank" rel="noopener">https://youtube.com</A>, this user will be redirected to the captive portal to authenticate.</P><P>&nbsp;</P><P>Am I correct?</P><P>&nbsp;</P><P>Regards,</P><P>Julián</P><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Fri, 08 Apr 2022 10:09:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145804#M23050 fjulianom 2022-04-08T10:09:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145806#M23052 <P>See&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk121074&amp;partition=Advanced&amp;product=Identity" target="_blank">sk121074: Identity Awareness Redirect to <STRONG>Captive</STRONG> <STRONG>Portal</STRONG> in R80.10 and above</A></P> Fri, 08 Apr 2022 10:38:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145806#M23052 G_W_Albrecht 2022-04-08T10:38:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145812#M23056 <P>I believe thats actually correct...think about it this way. When you have captive portal enabled, if any given user can NOT be even passively authenticated, they would be redirected to captive portal page to log in.</P> <P>So, based on rule you had given as an example, anyone in the source access role would get authentication prompt when trying to access any of those applications. As far as guest access, I cant recall now, but I believe thats enabled by default. Maybe&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;can confirm for you 100% the behaviour based on screenshot and the questions.</P> <P>What&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21294">@G_W_Albrecht</a>&nbsp;gave you is helpful, but you can also refer to below, it gives solid explanation:</P> <P><A href="https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide/148468" target="_blank" rel="noopener">https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide/148468</A></P> <P>&nbsp;</P> <P>Andy</P> Fri, 08 Apr 2022 12:23:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145812#M23056 the_rock 2022-04-08T12:23:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145842#M23071 <P>Hi Andy,</P><P>&nbsp;</P><P>When you say “<SPAN>anyone in the source access role would get authentication prompt when trying to access any of those applications”, do you mean users in the Marketing AD group as well? Because as long as the gateways are integrated with the AD server, these users should be authenticated passively without authentication prompt, am I right?</SPAN></P><P><SPAN>By the other hand, the users who get the captive portal page and type the username and password, against which database are authenticated? Where are these usernames and passwords stored?</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Julian</SPAN></P> Fri, 08 Apr 2022 17:20:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145842#M23071 fjulianom 2022-04-08T17:20:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145843#M23072 <P>Thats my understanding, I was referring to source marketing access role. Technically, since access roles are tied with IA and thats tied to AD, credentials would be "coming" from AD side.</P> <P>Andy</P> Fri, 08 Apr 2022 17:21:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145843#M23072 the_rock 2022-04-08T17:21:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145847#M23075 <P>And for this part?</P><P><EM>By the other hand, the users who get the captive portal page and type the username and password, against which database are authenticated? Where are these usernames and passwords stored?</EM></P><P><SPAN>For example, for users outside the company which are not in AD, where are their credentials stored?</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Julian</SPAN></P> Fri, 08 Apr 2022 17:29:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145847#M23075 fjulianom 2022-04-08T17:29:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145849#M23077 <P>Thats a good point...not sure about guests, I will let someone else confirm that. I see there is an option for unregistered guests login under portal settings, so I assume they would need to fill out registration before being granted access. You know, sort of like what you have to do at certain restaurants, hotels, etc...I believe thats how it works, but its more my educated guess, have not tested it yet.</P> <P>Andy</P> Fri, 08 Apr 2022 17:35:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145849#M23077 the_rock 2022-04-08T17:35:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145865#M23081 <P>Yeah, it works like that. In the following link there are two cases very well explained:</P><P>1 - AD user with BYOD.</P><P>2 - Guest user.</P><P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Acquiring-Identities-with-Browser-Based-Authentication.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Acquiring-Identities-with-Browser-Based-Authentication.htm</A></P><P>Take a look!</P> Fri, 08 Apr 2022 22:08:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145865#M23081 fjulianom 2022-04-08T22:08:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145866#M23082 <P>Thats super helpful, ty!!</P> Fri, 08 Apr 2022 22:19:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Some-doubts-about-Captive-Portal-authentication/m-p/145866#M23082 the_rock 2022-04-08T22:19:06Z