Configuring captive portal
Hi,
We have a cluster of 2 security gateways.
I'd like to implement captive portal for following scenario:
During examinations, one group of students (AD group StudInternet) should have internet access and another group (AD group StudNoInternet) not.
All students have their own laptop and the laptops are not in Active Directory.
When a student surfs to the internet, he should see a captive portal.
At the moment the student surfs to the internet, identity is unknown, so the student is treated as a guest.
When surfing to internet, they should see a captive portal, login, and based on the AD group membership, internet should be allowed or disallowed.
How should I configure the identity awareness?
These settings are already setup.
I suppose the Captive portal Authentication should also be set up.
Do I do this on the cluster, on the gateways or both the cluster and the gateways?
Thx in advance.
Turan ASCIOGLU
I believe what you are looking for is Browser Based Authentication and all configuration is done at the cluster object.
- Browser-Based Authentication - Sends users to a Web page to acquire identities from unidentified users. If Transparent Kerberos Authentication is configured, AD users may be identified transparently.
You would then setup a rule with an Access Role associated to the AD security group you desire.
Here are a couple links that may get you headed in the right direction.
Thx for the update Mike.
I indeed found out I have to create a rule with an access role and action-Captive portal.
However, what I don't understand is, in order to create an access role, I have to identify an AD-group, so the traffic can match to that rule and redirect to captive portal.
But in my case, the user is unknown so the traffic can never match a rule and redirect to CP?
And in a rule with CP redirection, you can't define a source network, it has to be a user-object.
Best scenario would be:
- if src-network is 10.10.10.0/24 dst-network is 20.20.20.0/24, then redirect to CP
Based upon your original message, the laptop is unknown, but it seemed like the user behind the unknown laptop had an AD username/password, they just have not used the laptop to authenticate to AD, that's how I read the original post anyway. If so, this should work.
Here is my cluster configuration. As you can see there is no Identity Collector/AD Query or anything else enabled, just Browser Based Authentication.
From there I created an Access Role called InternetUsers and used it in a rule. That Access Role maps to an AD group called InternetUsers also.
When I tried to access google.com I was presented the captive portal page. I logged in with a test AD username/password with an account in the AD group InternetUsers and google.com then loaded.
