Captive portal tab

For the sake of strengthening security, the connection to the authentication portal and to the Web administration interface is possible only by forcing certain options in the SSL protocol. Version SSLv3 is disabled and the TLS versions enabled, according to the recommendations given by the French Network and Information Security Agency (ANSSI).

As these options are not supported in Internet Explorer versions 6, 7 and 8, you are advised to use a higher version of this browser. Nonetheless, this mode may be disabled via command line in the CLI (CONFIG AUTH HTTPS sslparanoiac=0 / CONFIG AUTH ACTIVATE).

The address of the captive or authentication portal is hosted on the firewall and accessible at:

The captive portal has to be enabled for all authentication methods, except for the SSO agent.

Captive portal

Authentication profile and interface match

This table allows associating an authentication profile (profile of the captive portal) defined earlier with an interface on the firewall. It is possible to Add or Delete a match rule by clicking on the corresponding buttons.

Interactive features

Some operations listed in the taskbar can be performed by right-clicking on the table of matches:

  • Add,
  • Remove.
Interface Select the network interface with which a profile of the captive portal must be associated. This can be an Ethernet interface (in, out ...), a modem or an IPSec interface.
Profile Select the profile to be associated with the network interface.

If the Enable captive portal checkbox was not selected in the chosen profile, the name of the profile will follow the icon
Default method or directory The authentication method or the directory associated with the selected profile will automatically appear.

SSL server

Certificate (private key) By default, the CA that the firewall’s authentication module uses is the firewall’s own CA, and the name associated with this CA is the product’s serial number.
Thus, when a user attempts to contact the firewall other than by its serial number, it will receive a warning message indicating incoherence between what the user is trying to contact and the certificate it is receiving.

By clicking on the icon , the CA configuration screen will appear (server certificate) and you can select a CA that was imported earlier.
Users are authenticated via the captive portal by default, through an SSL/TLS access that uses a certificate signed by two authorities not recognized by the browsers. It is therefore necessary to deploy these certificate authorities used by a GPO on users’ browsers. These authorities are by default the NETASQ CA and Stormshield CA, available from the following links:
For further detail, please refer to the section Welcome > User awareness, under Initial connection to the appliance.

Conditions of use for Internet access

Conditions of use for internet access can be displayed for the user. He will need to select the checkbox indicating his agreement to the terms before being able to authenticate.

This option can be enabled in the "Available methods" tab (Guest method) or "Captive portal profiles" tab (other methods). You can customize these conditions by entering, for example, the name of your company.

Select the conditions of use for internet access in HTML format Imports your version in HTML.
Select the conditions of use for internet access in PDF format Imports your version in PDF.

Advanced properties

Interrupt connections once the authentication period expires As soon as the authentication duration expires, connections will be interrupted, even if the user is in the middle of a download.
Proxy configuration file (.pac) This field allows sending to the firewall the .pac file, which represents the proxy’s automatic configuration file (Proxy Auto-Config), to be distributed. Users can retrieve .pac files or check their contents by clicking on the button to the right of the field.
Users can indicate in their web browsers the automatic configuration script located at https://if_firewall>/config/wpad.dat.

Captive portal

Port on the captive portal This option allows you to specify a listening port other than TCP/443 (HTTPS) defined by default for the captive portal.
Hide the header (logo) This option makes it possible to hide the Stormshield Network banner (this is the Stormshield logo by default) when the user authenticates on the captive portal, for confidentiality reasons.
Select a logo to display (800x50 px) You can select the image that will appear in the captive portal’s header. The format of the image has to be 800 x 50 px by default.
Select a stylesheet to apply (CSS file)Import a new style sheet in css, which will override the portal’s graphics.

The “Reset” button allows you to go back to the original versions of the visual identity (logo and style sheet) and the default Conditions of use for internet access.