"Captive portal profiles" tab

This window allows you to select a predefined or customizable authentication profile and to modify its configuration.

Possible actions

Rename

This button makes it possible to rename the selected profile.

Enable sponsorship

If this option is selected, you can enable the sponsorship method in addition to the authentication method selected by default.

This checkbox is automatically selected and grayed out whenever the Sponsorship method is selected by default.

Hover over the icon to display the date and time of the last modification made to the profile of the selected captive portal.

Authentication

Default method or directory

This field allows selecting the authentication method or LDAP directory (in the case of a firewall that has defined several directories) assigned by default to the authentication profile currently being modified.

The methods offered are those defined in the Available methods tab.

Conditions of use for Internet access

Enable the display of the conditions of use for Internet access

Through this option, Conditions of use for Internet access, also known as a Disclaimer, can be shown to the user. The user must indicate his agreement to the terms by selecting the relevant checkbox before being able to authenticate.

These conditions can be customized in the “Captive portal” tab.

NOTE

This option to display the Conditions of use for Internet access does not apply to the transparent SSO agent authentication method, as it does not require the activation of the authentication portal.

Display frequency of the Conditions

This display frequency applies to all authentication methods except the Guest method (see the Available methods tab).

Customized fields on the captive portal

When Guest mode is selected, three numbered fields become available. They allow adding up to three input zones to the captive portal when the conditions of use for Internet access are displayed.

The possible values for these fields are: Empty (disables the display of the field on the captive portal), First name, Last name, Telephone number, Email address, Information and Company.

Authentication periods allowed

Minimum duration

Minimum duration for which the user can be authenticated, in minutes or in hours (up to 24 hours).

Maximum duration

Maximum duration for which the user can be authenticated, in minutes or in hours (up to 24 hours).

For transparent authentication

For SPNEGO and SSL certificates, this means the period during which no transparent reauthentication requests (Kerberos tickets or certificates) will be sent between the captive portal and the client's browser.

Advanced properties

Enable the captive portal

By selecting this option, you will enable the Authentication module and allow authentication via a web form from the network interfaces associated with the authentication profile.

Enable logoff page

By selecting this option, you will be enabling a separate logoff page from the captive portal's authentication page. When users who have not yet authenticated wish to access a website, the authentication page will appear. Once they have authenticated, the requested web page will then open in a new tab while the logoff page appears in the current tab.

To log off, simply click on the Logout button on the logoff page, or close the tab of this page.

Allow access to the proxy's configuration file (.pac) for this profile

By selecting this option, you will allow the publication of the .pac file for users logging on from network interfaces associated with the authentication profile.

Prohibit simultaneous authentication of a user on multiple hosts

This option makes it possible to prevent a user from authenticating on several computers at the same time.

When this option is enabled, any further authentication requests from a user who is already authenticated on another host will automatically be denied.

Expiry of the HTTP cookie

Managing cookies for user authentication on the firewall makes authentication more secure, for example by preventing replay attacks, since the connection cookie is required for a user to be considered authenticated.

Cookies are indispensable for allowing several users to authenticate from the same IP address. These IP addresses have to be entered in the list of Multi-user objects (Authentication policy tab).

NOTE

This option affects all methods except the SSO agent, which does not support multi-user authentication.

Cookies are negotiated by the web browser, so an authentication carried out in Internet Explorer will not be valid in Firefox or any other web browser.

At the end of the authentication period

By default, the HTTP cookie expires at the end of the authentication period, meaning that it is negotiated only once throughout the whole duration of the authentication.

When a session is shut down

The cookie will be negotiated every time a request is sent to your web browser.

Do not use (not recommended)

It is possible to function without using the HTTP cookie, but this option is not recommended as it compromises the security of the authentication.
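As an added illustration (not Stormshield's code) of why the connection cookie is treated as indispensable on shared IP addresses: a toy session table run in the "At the end of the authentication period" mode and compared with the "Do not use" mode. Users, addresses and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import secrets

@dataclass
class Session:
    user: str
    ip: str
    cookie: Optional[str]   # None when the profile is set to "Do not use" the HTTP cookie
    expires_at: datetime    # end of the authentication period (Maximum duration)

class PortalSessions:
    """Toy model of a captive-portal session table (illustration, not SNS code)."""

    def __init__(self, use_cookie: bool):
        self.use_cookie = use_cookie
        self.sessions = []

    def authenticate(self, user: str, ip: str, max_duration: timedelta, now: datetime):
        # Cookie negotiated once and kept for the whole authentication period.
        cookie = secrets.token_urlsafe(16) if self.use_cookie else None
        self.sessions.append(Session(user, ip, cookie, now + max_duration))
        return cookie

    def who_is(self, ip: str, cookie: Optional[str], now: datetime) -> Optional[str]:
        """User attributed to a request from `ip` presenting `cookie`; None if unauthenticated."""
        for s in self.sessions:
            if s.ip != ip or now >= s.expires_at:
                continue                       # other host, or period (and cookie) expired
            if not self.use_cookie:
                return s.user                  # IP alone decides: anyone behind it "is" s.user
            if cookie is not None and secrets.compare_digest(s.cookie, cookie):
                return s.user
        return None

def shared_ip_scenario(use_cookie: bool) -> dict:
    """Two users behind one NAT address (constructed data); who does the portal see?"""
    portal = PortalSessions(use_cookie)
    t0, period = datetime(2024, 1, 1, 9, 0), timedelta(hours=4)
    alice_cookie = portal.authenticate("alice", "10.0.0.5", period, t0)
    bob_cookie = portal.authenticate("bob", "10.0.0.5", period, t0 + timedelta(minutes=5))
    later = t0 + timedelta(hours=1)
    return {
        "bob_with_own_cookie": portal.who_is("10.0.0.5", bob_cookie, later),
        "request_without_cookie": portal.who_is("10.0.0.5", None, later),
        "alice_after_her_period": portal.who_is("10.0.0.5", alice_cookie, t0 + period),
    }
```

With cookies, each browser is identified individually and a request carrying no cookie is unauthenticated; without cookies, every request from the shared address is attributed to whoever authenticated there first.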

Authentication page

Select a customized message (HTML file)

This option makes it possible to add a customized message containing text and images under the title of the authentication page. This message must be in the form of an HTML file so that the firewall can load it.

Reset customization of authentication page

By clicking on this button, the customized message added earlier will be deleted from the authentication page.

User passwords

Users cannot change their passwords

By selecting this option, users will not be able to change their authentication passwords on the Stormshield Network Firewall.

Users can change their passwords

By selecting this option, users will be able to change their authentication passwords from the authentication portal, at any time with no restrictions on validity.

Users must change their passwords

By selecting this option, users will need to change their authentication passwords on the Stormshield Network Firewall on their first connection to the Firewall’s authentication portal, and then each time the password expires. This lifetime is specified in days, without a time of day.

The field Lifetime (days) appears below, allowing you to indicate the number of days the password will remain valid.

NOTE

If the user password is valid for 1 day and the password was initialized for the first time at 2.00 p.m. on 25 November 2010, the password has to be changed from 12.00 midnight on 26 November 2010 and not 24 hours later.
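The calendar-day rule in the note, written out as an added example (not Stormshield's implementation): the deadline is midnight starting the day that lies Lifetime (days) after the initialization day, never 24-hour multiples. The function and constant names are this example's own.

```python
from datetime import datetime, timedelta

def password_change_deadline(initialized_at: datetime, lifetime_days: int) -> datetime:
    """Instant from which a password with the given Lifetime (days) must be changed.

    The lifetime is counted in calendar days with no time-of-day component: the
    deadline is midnight at the start of the day `lifetime_days` after the day
    the password was initialized, not `lifetime_days * 24 h` after that instant.
    """
    if lifetime_days < 1:
        raise ValueError("Lifetime (days) must be at least 1")
    start_of_day = initialized_at.replace(hour=0, minute=0, second=0, microsecond=0)
    return start_of_day + timedelta(days=lifetime_days)

def password_must_change(initialized_at: datetime, lifetime_days: int, now: datetime) -> bool:
    """True once `now` has reached the deadline, i.e. the portal must force a change."""
    return now >= password_change_deadline(initialized_at, lifetime_days)

# Worked instance of the note: initialized 2.00 p.m. on 25 November 2010, Lifetime 1 day.
INIT = datetime(2010, 11, 25, 14, 0)
DEADLINE = password_change_deadline(INIT, 1)          # midnight, 26 November 2010
ELEVEN_HOURS_LATER = INIT + timedelta(hours=11)       # 1.00 a.m. on 26 November: under 24 h
```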

User enrolment

Stormshield Network offers web-based user enrolment. If the user attempting to connect does not exist in the user database, he may request the creation of his account via web enrolment.

Certificate signing requests (CSRs) submitted by users are signed by the certificate authority (CA) chosen by default in the Certificates and PKI menu.

Do not allow user enrolment

If this option is selected, no “unknown” users will be able to register or create accounts with the LDAP directory.

Allow web enrolment for users

A user account has to be created in order for this option to be functional.

If this option is selected, any user who attempts to connect and who does not exist in the user database will be able to request the creation of his account by filling in a web form. The administrator will then be able to confirm or deny his request.

Allow web enrolment for users and create their certificates

If this option is selected, users will not only be able to request the creation of their accounts if they do not exist in the user database, but they will also be able to request the creation of a certificate.

Notification of a new enrolment

This option allows new enrolled users to be informed of the creation of their accounts in the user database.

Do not send any e-mail

By default, the drop-down list will show that no e-mails will be sent to the administrator to inform him of enrolment requests.

You can also define a group of users to whom enrolment requests will be sent in the menu Notifications\E-mail alerts\Recipients tab.

Once this group has been created, it will automatically be included in the drop-down list and will be able to receive requests if you select it.