Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the How to update my SSD Firmware - Stormshield Knowledge Base article (authentication required).
Captive portal tab
For the sake of strengthening security, the connection to the authentication portal and to the Web administration interface is possible only by forcing certain options in the SSL protocol. Version SSLv3 is disabled and the TLS versions enabled, according to the recommendations given by the French National Cybersecurity Agency (ANSSI).
As these options are not supported in Internet Explorer versions 6, 7 and 8, you are advised to use a higher version of this browser. Nonetheless, this mode may be disabled via command line in the CLI (CONFIG AUTH HTTPS sslparanoiac=0 / CONFIG AUTH ACTIVATE).
The address of the captive or authentication portal is hosted on the firewall and accessible at:
The captive portal has to be enabled for all authentication methods, except for the SSO agent.
Authentication profile and interface match
In this grid, a profile from the captive portal can be mapped to an interface on the firewall. It is possible to Add or Delete a match rule by clicking on the corresponding buttons or by right-clicking in the grid.
|Interface||Select the network interface to which a profile from the captive portal will be mapped. This can be an Ethernet interface (in, out ...), a modem or an IPsec interface.|
|Profile||Select the profile to be mapped to the interface. If a warning appears, indicating that the captive portal has been disabled, enable it in the Captive portal profiles tab.|
|Default method or directory||The authentication method or the directory associated with the selected profile will automatically appear.|
|Certificate (private key)||
To access the portal via SSL, the firewall’s authentication module uses its own certification authority by default; the associated name of the CA is the firewall's serial number. So when users contact the firewall other than by its serial number, they will receive a warning message indicating an inconsistency between what the users are trying to contact and the certificate that the firewall receives.
You can choose to use another certificate from another CA imported earlier by choosing it in the selection zone.
For further detail, refer to the chapter User awareness, under Initial connection to the appliance.
Conditions of use for Internet access
Conditions of use can be shown whenever users access the Internet. These conditions can be defined by importing them in HTML or PDF format. Users must then accept them by selecting the checkbox before accessing the Internet.
|Select the conditions of use for Internet access in HTML format||Imports your version in HTML.|
|Select the conditions of use for Internet access in PDF format||Imports your version in PDF.|
|Reinitialize customization of Conditions of use for Internet access||This button allows you to reinitialize the customized Conditions of use for Internet access|
Remember to enable, in the Captive portal profiles tab, the display of the Conditions of use for Internet access in the relevant profile.
|Interrupt connections once the authentication period expires||
As soon as the authentication duration expires, connections will be interrupted, even if the user is in the middle of a download.
|Proxy configuration file (.pac)||This field allows sending to the firewall the .pac file, which represents the proxy’s automatic configuration file (Proxy Auto-Config), to be distributed. Users can retrieve .pac files or check their contents by clicking on the button to the right of the field.
Users can indicate in their web browsers the automatic configuration script located at https://if_firewall>/config/wpad.dat.
|Port on the captive portal||This option allows you to specify a listening port other than TCP/443 (HTTPS) defined by default for the captive portal.|
|Hide the header (logo)||
With this option, the header that appears on the captive portal can be hidden. The Stormshield logo appears by default.
|Select a logo to display (800x50 px)||You can customize the image that appears in the captive portal’s header. The format of the image has to be 800 x 50 px by default.|
|Select a stylesheet to apply (CSS file)||Import a new style sheet in css, which will override the captive portal’s graphics.|
|Reset||This button resets the custom settings on the captive portal.|