Pedro_Espindola
Advisor

Create a Captive Portal exception rule on SMB

Hey guys! A customer wanted to configure a way to bypass captive portal authentication for a specific network on a locally managed 1400 appliance. I found sk117593, which suggests using hotspot.

So I disabled User Awareness and enabled hotspot for the networks that require authentication. I then configured RADIUS to use the Active Directory users. But this way all User Awareness features are lost!

Is there any other way to create an exception?

This feature is crucial, and we can actually lose customers because of this. I hope that development is working on this.

5 Replies
PhoneBoy
Admin

The SK was pretty clear this was the "workaround" to do it.

What specific "User Awareness" features did you lose here?

Pedro_Espindola
Advisor

When disabling User Awareness it is not possible to enforce access to internal servers or to specific applications by user groups.

Also, logs will show the user only when you open them, which compromises visibility. But that's a minor issue.

I found a better workaround. Here is what I did instead:

  1. Enabled User Awareness and disabled hotspot.
  2. Enabled the option "Allow unregistered guests" in the "Browser-based authentication" configuration window.
  3. Configured a rule from:guest_network to:internet action:accept.
  4. Used AD user groups on every other rule.

Now, guest users on the guest network can click on "I don't have a username and password" and register to use the internet. It can be a fake name.

Users in the internal network will have to authenticate with a valid AD user to do anything.

It is not ideal, but it works.

PhoneBoy
Admin

That definitely sounds like a better option.

John_Fleming
Advisor

Just ran into this myself. Browser Based User Awareness is indeed pretty lame. It's a shame that this is 100% doable if the SMB is controlled by a mgmt server.

Max_Baumgarten
Contributor

I agree. You should be able to control the User Awareness rules with more granular controls, like identity awareness/legacy client authentication. Your subnets shouldn't be held hostage and require authentication just because you need specific users to authenticate.
