I'm having hard times figuring the relation beween HTTPS Inspection and Identity Awareness, and also how is Captive Portal supposed to function. I'm running R80.20, let me describe you the behaviours I notice:
1) Unless I enable HTTPS Inspection my AppC & URLF policy rule that matches as a source an Access Role and as a service either http/https or a ceratain website collection (e.g. Facebook, YouTube) does not function properly. I'm not sure whether it's a feature or a bug but actions like Ask/Inform/Drop with message simply do not work unless HTTPS Inspection is enabled. This proves to be the case for non-SSL sites as well, e.g. http://neverssl.com. I understand the dependency of matching URL collections like Facebok and YouTube on HTTPS Inspection (which SHOULD be documented in admin guides not shovelled down some sk) but I don't understand why plain HTTP does not function as expected with modern browsers (latest Edge and Firefox). Perhaps because Captive Portal must redirect a non-https website to an https-website? Some crappy code in R80.20? Go figure.
2) With HTTPS Inspection turned on everything works as expected for both HTTP and HTTPS but then comes the case of having an accept rule with "Enable Identity Captive Portal". Now this beautiful checkbox puts a requirement on the rule to use an access role either as a source or destination (destination doesn't make much sense to me but anyway). Now, if you create an access role object if you do not place any restrictions on it it will match pretty much every user (logged in to a domain, non-domain user, anybody) so in theory all traffic should go to Captive Portal, right? No, it doesn't. If I put a restriction on e.g. IP and user group from AD I see in the logs the identity of the user is known but still no redirection to Captive Portal. It wouldn't make much sense anyway, right? You already know who the user is, why redirect it to enter user and pass again? So I'm kinda missing the idea behind this scenario completely (a scenario quoted in many admin guides, study materials, etc.). Again, I'm not sure why redirection doesn't take place, could be a bug. Don't have an R80.40 to test at the moment.