Captive Portal uses the following methods to authenticate
users whose web requests match Authentication
The firewall uses Kerberos single
sign-on (SSO) to transparently obtain user credentials from the
browser. To use this method, your network requires a Kerberos infrastructure,
including a key distribution center (KDC) with an authentication
server and ticket granting service. The firewall must have a Kerberos
If Kerberos SSO authentication fails, the firewall
falls back to web form or client certificate authentication, depending
on your Authentication policy and Captive Portal configuration.
The firewall redirects web requests to a
web form for authentication. For this method, you can configure
Authentication policy to use Multi-Factor
Authentication (MFA), SAML, Kerberos, TACACS+, RADIUS,
or LDAP authentication.
Although users have to manually enter their login credentials, this
method works with all browsers and operating systems.
The firewall prompts the browser to present
a valid client certificate to authenticate the user. To use this
method, you must provision client certificates on each user system
and install the trusted certificate authority (CA) certificate used
to issue those certificates on the firewall.