Captive portal profiles tab
This window allows you to select a predefined or customizable profile from the captive portal and modify its configuration.
|Profile selection field||Select from the drop-down menu the captive portal profile that you wish to configure.|
|This button makes it possible to rename the selected profile.|
|Last modification||Scroll over the icon to display the date and time of the last modification made to the profile from the selected captive portal.|
|Default method or directory||Select the authentication method or LDAP directory (for firewalls that have defined several directories) assigned by default to the authentication profile currently being modified. The methods offered are those defined in the Available methods tab.|
|Enable sponsorship||This option enables the sponsorship method in addition to the authentication method selected by default. This checkbox is automatically selected and grayed out whenever the Sponsorship method is selected in the field above.|
Conditions of use for Internet access
|Enable the display of the conditions of use for Internet access||This option shows the conditions of use when a user accesses the Internet. They must then accept them by selecting the checkbox in order to authenticate. Customize these conditions in the Captive portal tab.|
|Display frequency of the Conditions||Set the display frequency of the conditions of use for Internet access. This frequency applies to all authentication methods except the Guest method, which is configured in the Available methods tab.|
Customized fields on the captive portal (Guest method only)
When Guest mode is selected, three numbered fields become available. Up to three input zones can be added to the captive portal when the conditions of use for Internet access are displayed.
The possible values for these fields are: Empty (disables the display of the field on the captive portal), First name, Last name, Telephone number, Email address, Information and Company.
Authentication periods allowed
|Minimum duration||Minimum duration for which the user can be authenticated.|
|Maximum duration||Maximum duration for which the user can be authenticated.|
|For transparent authentication||For SPNEGO and SSL certificates, set the period during which no transparent reauthentication requests (Kerberos tickets or certificates) will be sent between the captive portal and the client's browser.|
|Enable the captive portal||This option allows authentication via a web form from the network interfaces associated with the captive portal profile. The mapping between interfaces and profiles can be consulted in the Captive portal tab.|
|Enable logoff page||This option enables a separate logoff page from the captive portal's authentication page. When users who have not yet authenticated wish to access a website, the authentication page will appear. Once they have authenticated, the requested web page will then open in a new tab while the logoff page appears in the current tab. To log off, simply click on the Logout button which appears in the logoff page, or close the tab of this page.|
|Allow access to the proxy's configuration file (.pac) for this profile||This option allows the publication of the .pac file for users logging in from network interfaces associated with the authentication profile.|
|Prohibit simultaneous authentication of a user on multiple hosts||This option makes it possible to prevent a user from authenticating on several computers at the same time. Multiple requests are automatically denied.|
|Expiry of the HTTP cookie||This option makes it possible to configure when the HTTP cookie expires:|
HTTP cookies are negotiated by the web browser, so authentication set up on one browser will not work on another browser.
To allow several users to be authenticated from the same IP address, cookies must be used. The IP addresses in question must be entered in the list of Multi-user objects in the Authentication policy tab, except for the SSO Agent method, which does not support multi-user authentication.
|Select a customized message (HTML file)||This option makes it possible to add a customized message containing text and images under the title of the authentication page. This message must be an HTML file so that the firewall can load it.|
|Reset customization of authentication page||By clicking on this button, the customized message added earlier will be deleted from the authentication page.|
|Users cannot change their passwords||This option does not allow users to change their passwords from the authentication portal.|
|Users can change their passwords||This option allows users to change their passwords from the authentication portal, at any time with no restrictions on validity.|
|Users must change their passwords||This option requires users to change their passwords the first time they log in to the authentication portal, and every time the password expires. The validity of a password is specified in days without a specific time.|
|Lifetime (in days)||This field can be modified if the Users must change their passwords option is selected. Indicate the number of days the password stays valid.|
When the password has reached the end of its lifetime, it expires at midnight.
The firewall offers web-based user enrollment. If users attempting to log in do not exist in the user database, they may request the creation of their accounts via web enrollment on the captive portal.
|Do not allow user enrollment||When this option is selected, users that are not in the user database cannot send account creation requests.|
|Allow Web enrollment for users||When this option is selected, users that are not in the user database can request the creation of an account by filling in a web form. An administrator must approve or deny the request in the Configuration module > Users > Enrollment.|
|Allow web enrollment for users and create their certificates||When this checkbox is selected: By submitting a request, users set the password for their certificate. An administrator must approve or deny requests in the Configuration module > Users > Enrollment. The certificate will be signed by the certification authority (CA) chosen by default in the Configuration module > Objects > Certificates and PKI and created based on the settings in the user certificate profile.|
|Notification of a new enrollment||This option makes it possible to define a user group that will be notified when a new enrollment request is received. By default, the drop-down list will show that no e-mails will be sent. To select a user group, it must first be created in Configuration > Notifications > E-mail alerts > Recipients tab. Once it is created, it can be selected from the drop-down list.|