The Captive Portal mode defines how the firewall captures
web requests for authentication:
The firewall intercepts the browser traffic
per the Authentication policy rule and impersonates the original destination
URL, issuing an HTTP 401 to invoke authentication. However, because
the firewall does not have the real certificate for the destination
URL, the browser displays a certificate error to users attempting
to access a secure site. Therefore, use this mode only when absolutely
necessary, such as in Layer 2 or virtual wire deployments.
The firewall intercepts unknown HTTP or
HTTPS sessions and redirects them to a Layer 3 interface
on the firewall using an HTTP 302 redirect to perform authentication.
This is the preferred mode because it provides a better end-user
experience (no certificate errors). However, it does require additional
Layer 3 configuration. Another benefit of the Redirect mode is that
it provides for the use of session cookies, which enable the user
to continue browsing to authenticated sites without requiring re-mapping
each time the timeouts expire. This is especially useful for users
who roam from one IP address to another (for example, from the corporate
LAN to the wireless network) because they won’t need to re-authenticate
when the IP address changes as long as the session stays open.
you use Kerberos SSO, you must use Redirect mode because the browser
will provide credentials only to trusted sites. Redirect mode is
also required if you use Multi-Factor Authentication to authenticate
Captive Portal users.