Barracuda CloudGen Firewall

How to Configure the Captive Portal

  • Last updated on

The captive portal allows HTTP/HTTPS access for authenticated users only. This type of authentication intercepts the HTTP or HTTPS connections of unauthorized users and redirects them to a login page. After successful authentication, the user is forwarded to the original destination. Access rules using inline authentication do not block traffic other than HTTP or HTTPS, not even from unauthorized users. To avoid browser certificate errors, use a signed SSL certificate or install the root certificate of the self-signed certificate on all client computers using inline authentication.

Before You Begin

  • Verify that the confirmation message and ticketing features are disabled. Go to the NETWORK > IP Configuration page and edit the relevant Wi-Fi interface to specify that there is no landing.
  • Before configuring the captive portal for use with Wi-Fi, see How to Configure a Wi-Fi Network to verify that you have correctly configured Wi-Fi. Also, ensure that users are connected to the Wi-Fi network of the firewall.

Step 1. Configure the Captive Portal

  1. Go to FIREWALL > Captive Portal.
  2. In the Basic Configuration section, enable the captive portal, specify the networks from which unauthenticated users are redirected to the captive portal, select the method of authenticating users, and edit the user access policies.
  3. If you are using local authentication, go to the USERS > Local Authentication page to create your list of allowed users and groups.

Step 2. Create an Access Rule

Create an access rule (plus one for Wi-Fi, if applicable) to allow traffic for authenticated users. For example, you can create a rule with the following settings to allow successfully authenticated users from a Wi-Fi network at 192.168.201.0/24 to access the Internet. When using the default access rules of a firewall, no additional rule is necessary because the LAN-2-Internet rule allows Internet access from the trusted LAN. 

To create an access rule to allow traffic for authenticated users:

  1. Go to FIREWALL > Access Rules.
  2. Click Add Access Rule. The Add Access Rule window opens.
  3. Enter a Name for the rule. E.g., CaptivePortal
  4. Specify the following settings:
    • Action – Select Pass.
    • Connection – Select Dynamic NAT.
    • Source – Enter the IP address of the Wi-Fi network. E.g., 192.168.201.0/24
    • Network Services – Select HTTP+S
    • Destination – Select Internet.
  5. Click Save.
  6. Move the access rule above the BLOCKALL rule.

Add a BLOCK access rule to block unauthenticated users with a source IP address in the captive portal network.

  1. Go to FIREWALL > Access Rules.
  2. Click Add Access Rule. The Add Access Rule window opens.
  3. Enter a Name for the rule. E.g., BlockUnauthenticatedUsers
  4. Specify the following settings:
    • Action – Select Block.
    • Source – Enter 192.168.201.0/24
    • Network Services – Select Any.
    • Destination – Select Any.
  5. Click Save.
  6. Place the access rule below your custom rule or below the LAN-2-Internet rule.

Barracuda Networks recommends that you select Unclassified for the Classification of the network interface that serves the captive portal.

SSL Certificate and Encryption Settings

To avoid browser warnings caused by using a self-signed certificate, you can upload a signed certificate or your own trusted server certificate to the firewall Certificate Manager.

  1. Go to ADVANCED > Certificate Manager.
  2. Upload or create an SSL certificate for the captive portal. For more information, see How to Use and Manage Certificates with the Certificate Manager.

    The Common Name of the certificate must contain an IP address or hostname resolving to the IP address the captive portal is listening on.
  3. Go to FIREWALL > Captive Portal.
  4. In the HTTPS Configuration section, select the Encryption:
    • TLS Strong Encryption – (Recommended) TLS with strong ciphers. Currently the following cipher string is used for strong encryption: HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!aNULL.
    • TLS All Ciphers – TLS with no restriction on which ciphers can be used.
    • TLS/SSLv3 – TLS and SSLv3 with no restriction on which ciphers can be used.
    • TLS/SSLv3/SSLv2 – TLS, SSLv3, and SSLv2 with no restriction on which ciphers can be used.

  5. Select the SSL certificate you created or uploaded to the Certificate Manager from the Signed Certificate list.
  6. Click Save.
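
The following is an added example, not Barracuda code: it expands the TLS Strong Encryption cipher string quoted above with the OpenSSL build linked into the local Python and reports any suite that still uses the properties the string is meant to exclude (anonymous or DSS authentication, RC4, 3DES, null encryption, MD5). The function names and the sample description lines are constructed for illustration, and the local OpenSSL may expand the string differently than the firewall does.

```python
import re
import ssl

# Cipher string quoted on this page for "TLS Strong Encryption".
PORTAL_STRONG = "HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!aNULL"

# Properties the string is meant to exclude, keyed by the field names used in
# OpenSSL's cipher description (the same text `openssl ciphers -v` prints).
BANNED = {
    "Au": {"None", "DSS"},           # anonymous (ADH/aECDH/aNULL) and DSS auth
    "Enc": {"None", "RC4", "3DES"},  # eNULL/NULL, RC4, 3DES
    "Mac": {"MD5"},
}

def violations(description):
    """Return sorted 'Field=value' strings in one description that are banned."""
    found = []
    for field, value in re.findall(r"\b(Kx|Au|Enc|Mac)=(\S+)", description):
        value = value.split("(")[0]  # "RC4(128)" -> "RC4"
        if value in BANNED.get(field, ()):
            found.append(f"{field}={value}")
    return sorted(found)

def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL; map suite name -> violations."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    report = {}
    for suite in ctx.get_ciphers():
        bad = violations(suite["description"])
        if bad:
            report[suite["name"]] = bad
    return report

# Constructed description lines in `openssl ciphers -v` layout, showing what
# the unrestricted modes may admit when the TLS library still ships such suites.
SAMPLE_WEAK = [
    "ADH-AES128-SHA  SSLv3 Kx=DH  Au=None Enc=AES(128)  Mac=SHA1",
    "RC4-MD5         SSLv3 Kx=RSA Au=RSA  Enc=RC4(128)  Mac=MD5",
    "DES-CBC3-SHA    SSLv3 Kx=RSA Au=RSA  Enc=3DES(168) Mac=SHA1",
]

if __name__ == "__main__":
    print("strong string violations:", audit(PORTAL_STRONG))
    for line in SAMPLE_WEAK:
        print(line.split()[0], "->", violations(line))
```

An empty report for the strong string means every expanded suite passed the checks. The cipher string does not restrict protocol versions, and SSLv2 and SSLv3 are deprecated protocols, so the two SSL modes listed in step 4 are best avoided unless legacy clients require them.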

Monitoring and Managing Authenticated Users

On the BASIC > User Activity page, you can view currently authenticated users. You can also disconnect specific users.
