fjulianom
Contributor

Some doubts about Captive Portal authentication

Hi experts,

 

Suppose that I select AD Query and Browser-Based Authentication as my methods for acquiring identities on my network. And I create a rule like this:

rule.PNG

To my knowledge, this is what happens in the following situations:

1 - When a user who belongs to the Marketing group (supposing the Marketing Access Role is mapped to the Marketing AD group) logs in and opens https://youtube.com, this user can access it with no problem.

2 - If a guest user tries to access https://youtube.com, they will be redirected to the captive portal to authenticate.

3 - When a user who belongs to the Operations group logs in and opens https://youtube.com, this user will be redirected to the captive portal to authenticate.

 

Am I correct?

 

Regards,

Julián

0 Kudos
8 Replies
G_W_Albrecht
Legend

0 Kudos
the_rock
Champion

I believe that's actually correct... think about it this way. When you have captive portal enabled, if any given user can NOT even be passively authenticated, they would be redirected to the captive portal page to log in.

So, based on the rule you had given as an example, anyone in the source access role would get authentication prompt when trying to access any of those applications. As far as guest access, I can't recall now, but I believe that's enabled by default. Maybe @PhoneBoy can confirm for you 100% the behaviour based on the screenshot and the questions.

What @G_W_Albrecht gave you is helpful, but you can also refer to the link below; it gives a solid explanation:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_IdentityAwareness_AdminGuide...

 

Andy

fjulianom
Contributor

Hi Andy,

 

When you say “anyone in the source access role would get authentication prompt when trying to access any of those applications”, do you mean users in the Marketing AD group as well? Because as long as the gateways are integrated with the AD server, these users should be authenticated passively without an authentication prompt, am I right?

On the other hand, the users who get the captive portal page and type the username and password, against which database are they authenticated? Where are these usernames and passwords stored?

 

Regards,

Julian

0 Kudos
the_rock
Champion

That's my understanding; I was referring to the source Marketing access role. Technically, since access roles are tied with IA and that's tied to AD, credentials would be "coming" from the AD side.

Andy

fjulianom
Contributor

And for this part?

On the other hand, the users who get the captive portal page and type the username and password, against which database are they authenticated? Where are these usernames and passwords stored?

For example, for users outside the company who are not in AD, where are their credentials stored?

 

Regards,

Julian

0 Kudos
the_rock
Champion

That's a good point... not sure about guests, I will let someone else confirm that. I see there is an option for unregistered guests login under portal settings, so I assume they would need to fill out registration before being granted access. You know, sort of like what you have to do at certain restaurants, hotels, etc. I believe that's how it works, but it's more my educated guess; I have not tested it yet.

Andy

fjulianom
Contributor

Yeah, it works like that. In the following link there are two cases very well explained:

1 - AD user with BYOD.

2 - Guest user.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

Take a look!

the_rock
Champion

That's super helpful, ty!!

0 Kudos