Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > Rule-Based Authentication > Authentication using Captive Portal
Authentication using Captive Portal
Beginning with 7.8.3, Content Gateway provides a Captive Portal option when adding an authentication rule. Captive Portal may be especially helpful in handling mobile and other personal devices brought in to your Web Security Gateway networks.
This feature:
*
Redirects users to a web portal page for authentication.
*
Supports captive, interactive (prompted) user authentication of IP addresses (users) that match the Captive Portal rule.
*
Can be used with LDAP and Legacy NTLM; IWA and RADIUS are not supported.
*
Handles credential caching and expiration per the global configuration; cookie authentication and caching are not supported for 7.8.3 but are supported beginning with 7.8.4.
Note that most applications on mobile devices do not share cookies. For those applications, IP-based identification will be required. See the Credential Cashing section of Global authentication options for more information.
Also, for web applications that use Ajax, where Ajax is configured to prevent cookies, cookie-mode cannot support sites that include cross-origin requests (CORS) that rely on Ajax.
*
Allows the authentication form (web portal page) to be customized to suit your needs.
*
Supports only basic authentication.
*
Beginning with 7.8.4, provides the option to display the authentication page using either HTTP or HTTPS.
When adding an authentication rule (see Creating an authentication rule), a new option is provided. Navigate to Configure > Security > Access Control > Authentication Rules and click Enable (for 7.8.3) or Enabled for HTTPS/HTTP Authentication page (beginning with 7.8.4) next to Captive Portal to select the feature. Users who match the rule are redirected to the new web portal authentication page.
*
This option is disabled if an IWA domain is included in the Auth Sequence list.
*
When this option is enabled, an error message will display if an IWA domain is selected for inclusion in the Auth Sequence list.
Note that when Content Gateway receives an unauthenticated POST request from a user who matches a Captive Portal rule, it redirects the user to the web portal authentication page and does not record the POST data. After successful authentication, the original POST data must be input again.
 
 
Note 
If the requested URL is configured for tunneling or bypass, no user authentication is performed.
When a rule is added with the Captive Portal option enabled, users are reminded that they can customize the pre-defined web portal page. Go to the new Captive Portal Page Customization tab of Configure > Security > Access Control. Edit the text and HTML to suit your needs. For example, you may want to include your company logo in place of the Websense logo.
Customizing the web portal page
The web portal page is an HTML form that is presented to the user for interactive authentication.
Default contents are provided on the Captive Portal Page Customization tab of Configure > Security > Access Control. It is recommended that you customize the form to convey to users who see it that this logon portal is part of your network and organization. For example, you might:
*
Replace the Websense logo with your organization's logo. To do that:
*
Edit the src tag and replace the png file name with your company logo file.
*
Copy your png file to /opt/WCG/config/ui_files/images.
*
Include text to explain why the user is seeing this page
The form must be a valid HTML document, defined with valid HTML syntax.
The following variables are used in the document to ensure that it is delivered to the users properly. It is recommended that you do not change their placement or usage.
*
%P is replaced with the protocol of the current transaction
*
%h is replaced with "redirect_host:8080"
*
%u is replaced with the URL request for the portal page
*
$$DOMAIN is replaced with the basic authentication domain defined in the configuration variable proxy.config.proxy.authenticate.basic.realm. (See Authentication basic realm for more information.)
When you have entered all of the syntax, click Preview to preview the page you have created. When you are happy with the way the portal page looks, click Apply to save the content to a file. If you want to return to the default, pre-defined portal page syntax, click Restore to Default Page.
The customized Captive Portal page is saved to auth_form.html, which is stored in /opt/WCG/config. In addition, css and image files can be used to define the portal page. CSS files must be stored in /opt/WCG/config/ui_files and image files must be store in /opt/WCG/config/ui_files/images, by default.
 
* 
Note 
The css and image files also reside in /opt/WCG/ui/configure/auth_form and /opt/WCG/ui/configure/auth_form/images, respectively, for use by the Preview feature. Copy any new files to those directories to use Preview.
Add a variable to records.config to use a different name for the saved Captive Portal page or store the css and image files in a different directory.
 
Configuration Variable
Data
Type
Default Value
Description
proxy.config.auth.
form_filename
STRING
auth_form.html
Specifies the file that defines the Captive Portal authentication page.
Changing this filename is not recommended.
proxy.config.internal.
file.path
STRING
/config/ui_files
Specifies the location of any css and image files used to define the Captive Portal authentication page. The full default path is /opt/WCG/config/ui_files. Image files are located in an /images sub-directory.
 

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Security > Content Gateway user authentication > Rule-Based Authentication > Authentication using Captive Portal
Copyright 2016 Forcepoint LLC. All rights reserved.