Captive portal profiles tab

This window allows you to select a predefined or customizable profile from the captive portal and modify its configuration.

Possible actions

Profile selection field

Select from the drop-down menu the captive portal profile that you wish to configure.

Rename

This button makes it possible to rename the selected profile.
Last modification Scroll over the icon to display the date and time of the last modification made to the profile from the selected captive portal.

Authentication

Default method or directory

Select the authentication method or LDAP directory (for firewalls that have defined several directories) assigned by default to the authentication profile currently being modified. The methods offered are those defined in the Available methods tab.

IMPORTANT
Depending on the authentication method or the default directory selected, some fields in this module cannot be modified.

Enable sponsorship This option enables the sponsorship method in addition to the authentication method selected by default. This checkbox is automatically selected and grayed out whenever the Sponsorship method is selected in the field above.

Conditions of use for Internet access

Enable the display of the conditions of use for Internet access

This option shows the conditions of use when a user accesses the Internet. They must then accept them by selecting the checkbox in order to authenticate. Customize these conditions in the Captive portal tab.

NOTE
This option does not apply to the transparent SSO agent authentication method, as it does not require the activation of the authentication portal.

Display frequency of the Conditions Set how often the conditions of use for Internet access are displayed. This frequency applies to all authentication methods except the Guest method, whose frequency is configured in the Available methods tab.

Customized fields on the captive portal (Guest method only)

When Guest mode is selected, three numbered fields become available. Up to three input zones can be added to the captive portal when the conditions of use for Internet access are displayed.

The possible values for these fields are: Empty (disables the display of the field on the captive portal), First name, Last name, Telephone number, Email address, Information and Company.

Authentication periods allowed

Minimum duration Minimum duration for which the user can be authenticated.
Maximum duration Maximum duration for which the user can be authenticated.
For transparent authentication For SPNEGO and SSL certificates, set the period during which no transparent reauthentication requests (Kerberos tickets or certificates) will be sent between the captive portal and the client's browser.

Advanced properties

Enable the captive portal This option allows authentication via a web form from the network interfaces associated with the captive portal profile. The map of the interfaces with the profiles can be consulted in the Captive portal tab.
Enable logoff page This option enables a separate logoff page from the captive portal's authentication page. When users who have not yet authenticated wish to access a website, the authentication page will appear. Once they have authenticated, the requested web page will then open in a new tab while the logoff page appears in the current tab.
To log off, simply click on the Logout button which appears in the logoff page, or close the tab of this page.
Allow access to the proxy's configuration file (.pac) for this profile This option allows the publication of the .pac file for users logging in from network interfaces associated with the authentication profile.
Prohibit simultaneous authentication of a user on multiple hosts This option prevents a user from being authenticated on several computers at the same time. While the user is authenticated on one host, authentication requests for the same user from other hosts are automatically denied.
Expiry of the HTTP cookie

This option makes it possible to configure when the HTTP cookie expires:

  • At the end of the authentication period: the cookie is negotiated only once and remains valid for the whole duration of the authentication.

  • At the end of the session: the cookie is a session cookie. The browser discards it when it is closed, and a new cookie is negotiated the next time the browser sends a request.

  • Do not use (not recommended - except sponsorship): the cookie never expires. This option is not recommended because it compromises authentication security: a cookie that never expires can be replayed by anyone who obtains it, whereas an expiry date bounds how long a captured cookie remains usable.

HTTP cookies are stored by the web browser that negotiated them, so an authentication established in one browser does not carry over to another browser, even on the same host.

To allow several users to be authenticated from the same IP address, cookies must be used. The IP addresses in question must be entered in the list of Multi-user objects in the Authentication policy tab, except for the SSO Agent method, which does not support multi-user authentication.
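The two points above, several users behind one IP address and the cost of a cookie that never expires, are easier to see in a small model. The following is an added example written for this page, not the firewall's own code: the session table, the key it uses and the way cookie expiry is derived from the authentication period are assumptions chosen to illustrate the documented behaviour.

```python
from datetime import datetime, timedelta
import secrets

# The three values of the "Expiry of the HTTP cookie" option.
END_OF_AUTH_PERIOD = "auth_period"
END_OF_SESSION = "session"
DO_NOT_USE = "never"


class PortalSessions:
    """Toy model of a captive portal's session table (assumption, not the firewall's code)."""

    def __init__(self, cookie_expiry, max_duration, multi_user_ips=()):
        self.cookie_expiry = cookie_expiry
        self.max_duration = max_duration          # "Maximum duration" of the profile
        self.multi_user_ips = set(multi_user_ips)  # the Multi-user objects of the policy
        self.sessions = {}                         # key -> (user, cookie expiry)

    def _key(self, ip, cookie):
        # Only an address listed as a Multi-user object is told apart by cookie;
        # any other address is assumed to carry a single user.
        return (ip, cookie) if ip in self.multi_user_ips else (ip, None)

    def login(self, ip, user, now):
        """Authenticate `user` from `ip`; return the cookie issued to the browser."""
        cookie = secrets.token_hex(16)
        if self.cookie_expiry == DO_NOT_USE:
            cookie_end = datetime.max             # never expires
        else:
            # End of authentication period, or session cookie: either way the
            # portal stops honouring the cookie once the authentication ends
            # (a session cookie is additionally dropped by the browser on close).
            cookie_end = now + self.max_duration
        self.sessions[self._key(ip, cookie)] = (user, cookie_end)
        return cookie

    def authorize(self, ip, cookie, now):
        """Return the user a request from (ip, cookie) is attributed to, or None."""
        key = self._key(ip, cookie)
        entry = self.sessions.get(key)
        if entry is None:
            return None
        user, cookie_end = entry
        if now > cookie_end:
            del self.sessions[key]                 # expired: back to the portal form
            return None
        return user


def attribute_shared_ip(multi_user):
    """Two users behind one NAT address (constructed sample) log in from
    separate browsers; return who each browser's traffic is attributed to,
    plus what a third browser with no cookie at all is attributed to."""
    now = datetime(2024, 1, 8, 9, 0)
    portal = PortalSessions(END_OF_AUTH_PERIOD, timedelta(hours=4),
                            multi_user_ips={"10.0.0.5"} if multi_user else ())
    alice = portal.login("10.0.0.5", "alice", now)
    bob = portal.login("10.0.0.5", "bob", now)
    return (portal.authorize("10.0.0.5", alice, now),
            portal.authorize("10.0.0.5", bob, now),
            portal.authorize("10.0.0.5", None, now))


def replay_after_expiry(mode):
    """A cookie captured during a 4-hour authentication is presented one hour
    after that authentication ended. Which modes still accept it?"""
    now = datetime(2024, 1, 8, 9, 0)
    portal = PortalSessions(mode, timedelta(hours=4), multi_user_ips={"10.0.0.5"})
    cookie = portal.login("10.0.0.5", "alice", now)
    return portal.authorize("10.0.0.5", cookie, now + timedelta(hours=5))


if __name__ == "__main__":
    print("shared IP, not multi-user:", attribute_shared_ip(False))
    print("shared IP, multi-user:    ", attribute_shared_ip(True))
    for mode in (END_OF_AUTH_PERIOD, END_OF_SESSION, DO_NOT_USE):
        print(f"replay under {mode!r}:", replay_after_expiry(mode))
```

Without the address in the Multi-user objects, the second login replaces the first and every request from that address, cookie or not, is attributed to the last user who authenticated; with it, each browser is attributed to its own user and a browser without a cookie gets nothing. The replay check shows why "Do not use" is flagged: only that mode still accepts the captured cookie after the authentication period.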

Authentication page

Select a customized message (HTML file) This option makes it possible to add a customized message containing text and images under the title of the authentication page. This message must be an HTML file so that the firewall can load it.
Reset customization of authentication page By clicking on this button, the customized message added earlier will be deleted from the authentication page.

User passwords

Users cannot change their passwords

This option does not allow users to change their passwords from the authentication portal.

Users can change their passwords This option allows users to change their passwords from the authentication portal, at any time with no restrictions on validity.
Users must change their passwords

This option requires users to change their passwords the first time they log in to the authentication portal, and every time the password expires. The password's validity is specified in whole days; no time of day can be set.

Lifetime (in days)

This field can be modified if the Users must change their passwords option is selected. Indicate the number of days the password stays valid.

When the password reaches the end of its lifetime, it expires at midnight at the end of that day, not a full number of hours after it was set.

EXAMPLE
A user changes his password for the first time at 2:00 PM on Monday with a lifetime of 1 day. The password must be changed before 12:00 AM on Tuesday (midnight at the end of Monday), that is 10 hours later, rather than at 2:00 PM on Tuesday, which would be 24 hours later.
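The midnight rule is easy to get wrong when scripting around it, so here is a worked version of the calculation as an added example for this page (it is not part of the firewall or its documentation). It applies the rule stated above: the expiry instant is 00:00 on the day that is the lifetime, in days, after the day of the change.

```python
from datetime import datetime, time, timedelta


def password_expiry(changed_at, lifetime_days):
    """Instant at which a password set at `changed_at` expires.

    The lifetime is counted in calendar days and the password expires at
    midnight, so the deadline is 00:00 on the day `lifetime_days` days after
    the day of the change, not `lifetime_days * 24` hours after the change.
    """
    if lifetime_days < 1:
        raise ValueError("lifetime must be at least one day")
    expiry_day = changed_at.date() + timedelta(days=lifetime_days)
    return datetime.combine(expiry_day, time.min)


def remaining_hours(changed_at, lifetime_days):
    """Hours of validity actually granted by a change made at `changed_at`."""
    return (password_expiry(changed_at, lifetime_days) - changed_at) / timedelta(hours=1)


def is_expired(changed_at, lifetime_days, now):
    """True once `now` has reached the expiry instant."""
    return now >= password_expiry(changed_at, lifetime_days)


if __name__ == "__main__":
    # The page's example: Monday 2:00 PM, lifetime 1 day (2024-01-08 is a Monday).
    monday_2pm = datetime(2024, 1, 8, 14, 0)
    print(password_expiry(monday_2pm, 1))      # 2024-01-09 00:00:00
    print(remaining_hours(monday_2pm, 1))      # 10.0, not 24
    # By the same rule, a change made just before midnight is valid for minutes only.
    monday_2359 = datetime(2024, 1, 8, 23, 59)
    print(remaining_hours(monday_2359, 1) * 60)  # 1.0 minute
    print(is_expired(monday_2pm, 1, datetime(2024, 1, 9, 0, 0)))  # True
```

The last case follows from the same rule and is the one to watch when choosing a short lifetime: a user who changes a password late in the evening will be asked to change it again at the next login after midnight.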

User enrollment

The firewall offers web-based user enrollment. If users attempting to log in do not exist in the user database, they may request the creation of their accounts via web enrollment on the captive portal.

Do not allow user enrollment

When this option is selected, users that are not in the user database cannot send account creation requests.

Allow Web enrollment for users

When this option is selected, users that are not in the user database can request the creation of an account by filling in a web form. An administrator must approve or deny the request in the Configuration module > Users > Enrollment.

Allow web enrollment for users and create their certificates

When this checkbox is selected:

  • Users that are not in the user database can request the creation of an account and a certificate by filling in a web form. Two requests will then be sent - one for the account, one for the certificate.

  • Users who are in the user database but who do not have a certificate can request the creation of their certificate.

By submitting a request, users set the password for their certificate. An administrator must approve or deny requests in the Configuration module > Users > Enrollment.

The certificate will be signed by the certification authority (CA) chosen by default in the Configuration module > Objects > Certificates and PKI and created based on the settings in the user certificate profile.

Notification of a new enrollment This option makes it possible to define a user group that will be notified when a new enrollment request is received. By default, the drop-down list will show that no e-mails will be sent. To select a user group, it must first be created in Configuration > Notifications > E-mail alerts > Recipients tab. Once it is created, it can be selected from the drop-down list.