There are 3 user management choices that can be used to authenticate users to the Captive Portal.
No authentication
Local user manager
Radius authentication
Optionally web authentication can be secured with HTTPS.
Below are some of the Secure Authentication options that can be configured for use with the Captive Portal to .
Table 12.2. Secure Authentication Parameters
Parameter | Description |
---|---|
HTTPS login | If enabled, the username and password will be transmitted over an HTTPS connection to protect against eavesdroppers. A server name, certificate and matching private key must also be specified below. |
HTTPS server name | This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS. |
HTTPS certificate | Paste a signed certificate in X.509 PEM format here. |
HTTPS private key | Paste an RSA private key in PEM format here. |
When using the Local User Manager option for Authentication it is possible to store and access a list of users on the SmallWall device itself. This list is manually entered from the web interface and includes the following parameters.
Table 12.3. User Parameters
Parameter | Description |
---|---|
Username | The name a user will use to authenticate with |
Password | The password a user will use to authenticate with |
Fullname | User's full name, for your own information only |
Expiration Date | Leave blank if the account shouldn't expire, otherwise enter the expiration date in the following format: mm/dd/yyyy |
When using the Radius Authentication option for Authentication it is possible to authenticate with an existing Radius server on a connected network. The Radius server will manage the user authentication requests. This list is manually entered from the web interface and includes the following parameters.
Table 12.4. Radius Server Parameters
Parameter | Description |
---|---|
Primary RADIUS server | Enter the IP address of the RADIUS server which users of the captive portal have to authenticate against. You can change the default port (1812) and shared secret. Optionally leave the shared secret blank to not use a RADIUS shared secret (not recommended). |
Secondary RADIUS server | If you have a second RADIUS server, you can activate it by entering its IP address, port and shared secret as done for the primary server. |
send RADIUS accounting packets | If this is enabled, RADIUS accounting packets will be sent to the primary RADIUS server. Optionally change the default port (1813). |
Reauthentication | If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately. |
Accounting updates | These reauthentication updates can be configured to support no accounting updates, stop/start accounting, or interim updates. |
RADIUS MAC authentication | If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and a static password/secret to the RADIUS server. |
RADIUS Session-Timeout attributes | When this is enabled, clients will be disconnected after the amount of time retrieved from the RADIUS Session-Timeout attribute. |
Radius Type | If RADIUS type is set to Cisco, in RADIUS requests (Authentication/Accounting) the value of Calling-Station-Id will be set to the client's IP address and the Called-Station-Id to the client's MAC address. Default behaviour is Calling-Station-Id = client's MAC address and Called-Station-Id = SmallWall's WAN MAC address. |
MAC address format | This option changes the MAC address format used in the whole RADIUS system. Change this if you also need to change the username format for RADIUS MAC authentication. default: 00:11:22:33:44:55 singledash: 001122-334455 ietf: 00-11-22-33-44-55 cisco: 0011.2233.4455 unformatted: 001122334455 |