Captive portal tab

For the sake of strengthening security, the connection to the authentication portal and to the Web administration interface is possible only by forcing certain options in the SSL protocol. Version SSLv3 is disabled and the TLS versions enabled, according to the recommendations given by the French National Cybersecurity Agency (ANSSI).

As these options are not supported in Internet Explorer versions 6, 7 and 8, you are advised to use a higher version of this browser. Nonetheless, this mode may be disabled via command line in the CLI (CONFIG AUTH HTTPS sslparanoiac=0 / CONFIG AUTH ACTIVATE).

The address of the captive or authentication portal is hosted on the firewall and accessible at:

The captive portal has to be enabled for all authentication methods, except for the SSO agent.

Captive portal

Authentication profile and interface match

In this grid, a profile from the captive portal can be mapped to an interface on the firewall. It is possible to Add or Delete a match rule by clicking on the corresponding buttons or by right-clicking in the grid.

Interface Select the network interface to which a profile from the captive portal will be mapped. This can be an Ethernet interface (in, out ...), a modem or an IPsec interface.
Profile Select the profile to be mapped to the interface. If a warning appears, indicating that the captive portal has been disabled, enable it in the Captive portal profiles tab.
Default method or directory The authentication method or the directory associated with the selected profile will automatically appear.

SSL Server

Certificate (private key)

To access the portal via SSL, the firewall’s authentication module uses its own certification authority by default; the associated name of the CA is the firewall's serial number. So when users contact the firewall other than by its serial number, they will receive a warning message indicating an inconsistency between what the users are trying to contact and the certificate that the firewall receives.


You can choose to use another certificate from another CA imported earlier by choosing it in the selection zone.

Users are authenticated via the captive portal by default, through an SSL/TLS access that uses a certificate signed by two authorities that the browsers do not recognize. These certification authorities used in a GPO must therefore be deployed on users’ browsers. These authorities are the NETASQ CA and Stormshield CA, available at the following links:

For further detail, refer to the chapter User awareness, under Initial connection to the appliance.

Conditions of use for Internet access

Conditions of use can be shown whenever users access the Internet. These conditions can be defined by importing them in HTML or PDF format. Users must then accept them by selecting the checkbox before accessing the Internet.

Select the conditions of use for Internet access in HTML format Imports your version in HTML.
Select the conditions of use for Internet access in PDF format Imports your version in PDF.
Reinitialize customization of Conditions of use for Internet access This button allows you to reinitialize the customized Conditions of use for Internet access

Remember to enable, in the Captive portal profiles tab, the display of the Conditions of use for Internet access in the relevant profile.

Advanced properties

Interrupt connections once the authentication period expires

As soon as the authentication duration expires, connections will be interrupted, even if the user is in the middle of a download.

Proxy configuration file (.pac) This field allows sending to the firewall the .pac file, which represents the proxy’s automatic configuration file (Proxy Auto-Config), to be distributed. Users can retrieve .pac files or check their contents by clicking on the button to the right of the field.
Users can indicate in their web browsers the automatic configuration script located at https://if_firewall>/config/wpad.dat.

Captive portal

Port on the captive portal This option allows you to specify a listening port other than TCP/443 (HTTPS) defined by default for the captive portal.
Hide the header (logo)

With this option, the header that appears on the captive portal can be hidden. The Stormshield logo appears by default.

Select a logo to display (800x50 px) You can customize the image that appears in the captive portal’s header. The format of the image has to be 800 x 50 px by default.
Select a stylesheet to apply (CSS file) Import a new style sheet in css, which will override the captive portal’s graphics.
Reset This button resets the custom settings on the captive portal.