Configuring the captive portal

This section explains how to configure the captive portal in order to deploy SSL VPN tunnels. You can click on Apply at any time to save your changes.

Configuring authentication profile and interface match

  1. Go to Configuration > Users > Authentication, Captive portal tab.

  2. In the Authentication profile and interface match grid, click on Add.

  3. In the Interface column, select the source interface of SSL VPN connections (e.g., out). If you are using a PPPoE or VLAN interface, select it instead of the physical parent interface.

  4. In the Default method or directory column, if the directory entered matches the directory of the users who are setting up SSL VPN tunnels with the SNS firewall, the value of the Profile column does not need to be changed. This configuration allows users to simply enter their user name in their SSL VPN client to set up the SSL VPN tunnel.

    Screen showing the window to configure authentication profile and interface match an SNS firewall in version 5

    Otherwise, users will need to enter their user name with the directory authentication domain (username@domain.tld) in their SSL VPN client to set up the SSL VPN tunnel. If you want users to simply enter their user name, adapt the configuration:

    1. In the Profile column, select another profile (e.g., default05).
    2. In the Captive portal profiles tab, select this other profile and choose the right directory in the Default method or directory field.

    Screen showing the window to configure captive portal profiles on an SNS firewall in version 5

Checking whether the captive portal is enabled

  1. Go to Configuration > Users > Authentication, Captive portal profiles tab.

  2. Select the profile used for the SSL VPN connections.

  3. In the Advanced properties section, ensure that the Enable the captive portal checkbox has been selected.

Customizing the captive portal's certificate

You can customize the certificate presented by the SNS firewall when accessing the captive portal. If this certificate is not customized, the SNS firewall will present a default certificate:

  • On SNS in version 4, this will be a certificate corresponding to the SNS firewall serial number,
  • On SNS in version 5, this will be a self-generated certificate for this access.

To customize the captive portal's certificate:

  1. Go to Configuration > Users > Authentication, Captive portal tab.

  2. In the Certificate (private key) field, select the new certificate. If necessary, you can add a new certificate (server identity) in Configuration > Objects > Certificates and PKI.

    On SNS in version 4.8 LTSB and 5, an icon indicates certificates with a TPM-protected private key. For more information on this protection, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

    Screen showing the configuration of the captive portal's SSL server on an SNS firewall in version

The Stormshield SSL VPN client or the web browser cannot automatically validate the selected certificate if any of the following applies to it:

  • The certificate was not signed by a trusted certification authority,
  • The certification authority has not been deployed on users' workstations,
  • The certificate's CN does not match the SNS firewall address that is used for connections to the SSL VPN. This is the case, for example, with the default certificate presented by the SNS firewall.

In that case, a window indicating a probable security risk will appear. Each user must then ensure that the connection is secure by checking the certificate information, and then indicate that they trust the certificate presented by the SNS firewall to set up the SSL VPN tunnel. Although this message does not prevent users from proceeding, we recommend explaining to your users when they should expect to see it.
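As an added pre-deployment check (an example script, not part of this documentation or of Stormshield's tooling), the following POSIX shell function applies the three criteria above to a candidate certificate with openssl, so you know before rollout whether clients will see the warning. The CA, the two certificates, the address vpn.example.com and the serial-number CN are all constructed here for the demonstration.

```shell
#!/bin/sh
# check_portal_cert CERT.pem CA_BUNDLE.pem VPN_ADDRESS
# Returns 0 when CERT chains to a CA in CA_BUNDLE (the one deployed on
# users' workstations) AND its name matches the address clients connect to;
# returns 1 otherwise, i.e. whenever a client would show the security warning.
check_portal_cert() {
  cert=$1; ca=$2; addr=$3
  case $addr in
    *[!0-9.]*) name_opt="-verify_hostname $addr" ;;  # FQDN: check DNS names / CN
    *)         name_opt="-verify_ip $addr" ;;        # IPv4 literal: check IP SAN
  esac
  # shellcheck disable=SC2086
  openssl verify -CAfile "$ca" $name_opt "$cert" >/dev/null 2>&1
}

workdir=$(mktemp -d)

# Constructed "default-style" certificate: self-signed, CN = a placeholder
# firewall serial number, as the default captive portal certificate would be.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$workdir/default.key" \
  -out "$workdir/default.pem" -days 1 -subj "/CN=SN000000000000" >/dev/null 2>&1

# Constructed internal CA (the one you would deploy on workstations) and a
# server identity it issues for the address used by SSL VPN clients.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$workdir/ca.key" \
  -out "$workdir/ca.pem" -days 1 -subj "/CN=Example Internal CA" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout "$workdir/vpn.key" \
  -out "$workdir/vpn.csr" -subj "/CN=vpn.example.com" >/dev/null 2>&1
printf 'subjectAltName=DNS:vpn.example.com\n' > "$workdir/san.cnf"
openssl x509 -req -in "$workdir/vpn.csr" -CA "$workdir/ca.pem" -CAkey "$workdir/ca.key" \
  -CAcreateserial -out "$workdir/vpn.pem" -days 1 -extfile "$workdir/san.cnf" >/dev/null 2>&1

# Report what users would experience with each candidate certificate.
for c in vpn default; do
  if check_portal_cert "$workdir/$c.pem" "$workdir/ca.pem" vpn.example.com; then
    echo "$c.pem: validates for vpn.example.com, no warning expected"
  else
    echo "$c.pem: clients will warn (untrusted CA or name mismatch)"
  fi
done
```

Run it against the certificate you intend to select and the CA bundle actually installed on workstations; a name mismatch is reported even when the chain is trusted.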