topic Re: Create a Captive Portal exception rule on SMB in Spark Firewall (SMB)

Create a Captive Portal exception rule on SMB

Pedro_Espindola — Wed, 04 Oct 2017 15:39:37 GMT

Hey guys! A costumer wanted to configure a way to bypass captive portal authentication for a specific network on a locally managed 1400 appliance. I found sk117593, which suggests using hotspot.

So I disabled User Awareness and enabled hotspot for the networks that require authentication. I then set configure radius to use the Active Directory users. But this way all User Awareness features are lost!

Is there any other way to create an exception?

This feature is crucial, and we can actually lose customers because of this. I hope that development is working on this.

Re: Create a Captive Portal exception rule on SMB

PhoneBoy — Thu, 05 Oct 2017 21:32:39 GMT

The SK was pretty clear this was the "workaround" to do it.

What specific "User Awareness" features did you lose here?

Re: Create a Captive Portal exception rule on SMB

Pedro_Espindola — Fri, 06 Oct 2017 13:51:45 GMT

When disabling User Awareness it is not possible to enforce access to internal servers or to specific applications by user groups.

Also, logs will show the user only when you open them, which compromises visibility. But that's a minor issue.

I found a better workaround. Here is what I did instead:

Enabled User Awareness and disabled hotspot.
Enabled the option "Allow unregistered guests", on "Browser-based authentication" configuration window
Configured a a rule from:guest_network to:internet action:accept
Used AD user groups on every other rule.

Now, guest users on the guest network can click on "I don't have a username and password" and register to use the internet. It can be a fake name.

Users in the internal network will have to authenticate with a valid AD user to do anything.

It is not ideal, but it works.

Re: Create a Captive Portal exception rule on SMB

PhoneBoy — Fri, 06 Oct 2017 16:36:27 GMT

That definitely sounds like a better option.

Re: Create a Captive Portal exception rule on SMB

John_Fleming — Wed, 20 Nov 2019 02:45:10 GMT

Just ran into this myself. Browser Based User Awareness is indeed pretty lame. Its a shame that this is %100 doable if the smb is controlled by a mgmt server.

Re: Create a Captive Portal exception rule on SMB

Max_Baumgarten — Wed, 20 Nov 2019 03:38:22 GMT

I agree. You should be able to control the User Awareness rules with more granular controls, like identity awareness/legacy client authentication. Your subnets shouldn't be held hostage and require authentication just because you need specific users to authenticate.