The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Configure captive portal authentication

You can configure the captive portal to sign in users and create a firewall rule for signed-in users.

Note

If you have an IPv4 and IPv6 (dual-stack) network, users must sign in for IPv4 and IPv6 websites separately.

Allow access to captive portal

To allow access to the captive portal from the users' zones, do as follows:

  1. Go to Administration > Device access.
  2. Under Captive portal, select the users' zones, such as LAN and Wi-Fi.
  3. Click Apply.

Create firewall rules

Allow DNS requests

If you use a DNS server other than the firewall, configure a firewall rule to allow DNS requests as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule and click New firewall rule.
  3. Specify the following settings:

    • Action: Accept.
    • Source zones: The zones users connect from, such as LAN and Wi-Fi.
    • Source networks: The networks from which users connect, or select Any.
    • Destination zones: The DNS server's zone, such as DMZ or WAN.
    • Destination networks: The DNS server's IP address or FQDN host.
    • Services: Select DNS. It contains the port and protocol used in DNS traffic.
  4. Click Save.

Apply the policies

Create a user-based firewall rule. It only allows the users and groups you select.

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule and click New firewall rule.
  3. Specify the following settings:

    1. Action: Accept.
    2. Source zones: The zones users connect from, such as LAN and Wi-Fi.
    2. Source networks: The networks from which users connect, or select Any.
    4. Destination zones: The zones that users send traffic to, such as WAN.
    5. Destination networks: The networks you want user traffic to flow to, or select Any.
  4. Specify the following user identity settings:

    1. Select Match known users.

      The firewall allows traffic from authenticated users.

    2. Select Use web authentication for unknown users.

      The firewall automatically shows the captive portal to unauthenticated users when they start browsing.

    3. Select the users and groups.

      The firewall rule applies to these users after they're signed in. Policies you select in this rule, such as the web policy, apply to these users.

  5. Click Save.

Captive portal settings

You can update the default captive portal settings. The following steps are optional:

  1. Go to Authentication > Web authentication.
  2. Select the following settings:

    1. Show user portal link.
    2. Show web page after sign-in.
    3. Under Open web page, select In new browser window.
  3. Select one of the sign-out options:

    • When captive portal page is closed or redirected
    • When user is inactive
  4. Click Apply.

Note

You can change the default settings for the captive portal appearance to your custom settings. See Captive portal appearance.

Install CA certificate in users' endpoint computers

If you use a locally-signed certificate for the firewall, upload the corresponding CA certificate to users' endpoints to prevent untrusted certificate errors.

  1. Sign in to your firewall.
  2. Go to Certificates > Certificate authorities.
  3. Click Download for the certificate authority you want to download.

    The firewall signs locally-signed certificates using the Default CA.

  4. Extract the .pem file from the downloaded .tar.gz file to the location of your choice.

  5. Add it to Trusted Root Certification Authorities in the endpoint computers. See Trusted Root Certification Authorities Certificate Store.
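Because every endpoint will trust anything this CA signs, it is worth checking the downloaded file before adding it to the trust store. The following is an added example, not part of the original documentation or Sophos tooling: it reads the .pem from the downloaded .tar.gz in memory and computes its SHA-256 fingerprint for comparison with a value obtained over a trusted channel. The function names, the member name Default.pem, and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import io
import ssl
import tarfile

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def ca_fingerprints(archive_bytes):
    """Map each .pem member of a .tar.gz to the SHA-256 fingerprints of its certificates."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Read in memory only; nothing is extracted, so links or ../ paths are inert.
            if not member.isfile() or not member.name.lower().endswith(".pem"):
                continue
            text = tar.extractfile(member).read().decode("ascii", errors="replace")
            prints, start = [], text.find(BEGIN)
            while start != -1:
                end = text.find(END, start)
                if end == -1:
                    raise ValueError(f"{member.name}: unterminated PEM block")
                der = ssl.PEM_cert_to_DER_cert(text[start:end + len(END)])
                prints.append(hashlib.sha256(der).hexdigest())
                start = text.find(BEGIN, end)
            found[member.name] = prints
    return found

def matches_expected(archive_bytes, expected):
    """True only if the archive holds exactly one certificate and it matches `expected`."""
    want = expected.replace(":", "").replace(" ", "").lower()
    got = [p for ps in ca_fingerprints(archive_bytes).values() for p in ps]
    return len(got) == 1 and got[0] == want

def build_sample_archive(der):
    """Constructed stand-in for the firewall download: one .pem inside a .tar.gz."""
    pem = (BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n").encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("Default.pem")  # constructed member name (assumption)
        info.size = len(pem)
        tar.addfile(info, io.BytesIO(pem))
    return buf.getvalue()

# Constructed placeholder bytes, not a real X.509 certificate; only the hashing is shown.
SAMPLE_DER = b"constructed-sample-ca-certificate-bytes"

if __name__ == "__main__":
    print(ca_fingerprints(build_sample_archive(SAMPLE_DER)))
```

For a real download, pass the bytes of the .tar.gz file to ca_fingerprints and distribute the .pem only if matches_expected returns True for the fingerprint you recorded.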

Note

If you use an external certificate, you upload the certificate chain, including the intermediate certificates, to the firewall.
