
Configuring captive portal



We have a cluster of 2 security gateways.

I'd like to implement captive portal for following scenario:

During examinations, a group of students (AD group StudInternet) should have internet access and another group (AD group StudNoInternet) should not.

All students have their own laptop and the laptops are not in Active Directory.

When a student surfs to the internet, he should see a captive portal.

At the moment the student surfs to the internet, identity is unknown, so the student is treated as a guest.

When surfing to internet, they should see a captive portal, login, and based on the AD group membership, internet should be allowed or disallowed.

How should I configure the identity awareness?

These settings are already set up.

[Screenshot: Gateway Cluster Properties - checkpoint-cluster]

I suppose the Captive portal Authentication should also be set up.

Do I do this on the cluster, on the gateways or both the cluster and the gateways?


Thx in advance.



0 Kudos
3 Replies

I believe what you are looking for is Browser Based Authentication and all configuration is done at the cluster object. 


  • Browser-Based Authentication - Sends users to a Web page to acquire identities from unidentified users. If Transparent Kerberos Authentication is configured, AD users may be identified transparently.


You would then set up a rule with an Access Role associated to the AD security group you desire. 


Here are a couple links that may get you headed in the right direction. 

Configuring Identity Awareness

Configuring Browser-Based Authentication in SmartConsole


Thx for the update Mike.

I indeed found out I have to create a rule with an access role and action-Captive portal.

However, what I don't understand is, in order to create an access role, I have to identify an AD-group, so the traffic can match to that rule and redirect to captive portal.

But in my case, the user is unknown so the traffic can never match a rule and redirect to CP?

And in a rule with CP redirection, you can't define a source network, it has to be a user-object.

Best scenario would be:

- if src-network is dst-network is, then redirect to CP

0 Kudos

Based upon your original message, the laptop is unknown, but it seemed like the user behind unknown laptop had an AD username/password, they just have not used the laptop to authenticate to AD, that's how I read the original post anyway. If so, this should work.

Here is my cluster configuration. As you can see there is no Identity Collector/AD Query or anything else enabled, just Browser Based Authentication. 


From there I created an Access Role called InternetUsers and used it in a rule. That Access Role maps to an AD group called InternetUsers also. 


When I tried to access I was presented the captive portal page. I logged in with a test AD username/password with an account in the AD group InternetUsers and then loaded. 

0 Kudos
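The matching question raised in this thread, as an added example (not code from the posters or from Check Point): a simplified Python model of first-match evaluation in which a rule with an Access Role and the Captive Portal action redirects HTTP traffic from a source whose identity is still unknown. `Rule`, `Conn`, `evaluate`, the rule names and the IP addresses are hypothetical, and destination and service are assumed to match already.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    access_role: Optional[str]    # AD group behind the Access Role; None = any source
    action: str                   # "accept" or "drop"
    captive_portal: bool = False  # models the "redirect to Captive Portal" action setting

@dataclass
class Conn:
    src_ip: str
    is_http: bool

# Constructed policy for the exam scenario: one identity rule, then cleanup.
RULES = [
    Rule("exam-internet", "StudInternet", "accept", captive_portal=True),
    Rule("cleanup", None, "drop"),
]

def evaluate(rules, conn, sessions):
    """Return (verdict, rule name). sessions maps src_ip -> AD groups from portal login."""
    groups = sessions.get(conn.src_ip)  # None means no identity for this IP yet
    for rule in rules:
        if rule.access_role is None:
            return rule.action, rule.name       # plain rule, no identity needed
        if groups is None:
            # Identity unknown: only HTTP on a portal-enabled rule is redirected;
            # anything else does not match and evaluation moves to the next rule.
            if rule.captive_portal and conn.is_http:
                return "redirect", rule.name
            continue
        if rule.access_role in groups:
            return rule.action, rule.name       # identity known and in the role
    return "drop", "implicit-cleanup"

if __name__ == "__main__":
    sessions = {}                                # no student has logged in yet
    laptop = Conn("10.0.0.23", is_http=True)     # constructed address
    print(evaluate(RULES, laptop, sessions))     # unknown identity, HTTP
    sessions["10.0.0.23"] = {"StudNoInternet"}   # portal login, wrong group
    print(evaluate(RULES, laptop, sessions))
    sessions["10.0.0.23"] = {"StudInternet"}     # portal login, allowed group
    print(evaluate(RULES, laptop, sessions))
```

In this model the portal is only ever reached over HTTP, so a laptop whose first connection is another protocol falls through to the cleanup rule until the student opens a plain HTTP page and logs in.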