Captive Portal Authentication Methods
Captive Portal uses the following methods to obtain user information from a client when a web request matches a Captive Portal rule:
Kerberos Single Sign-On (SSO)
The firewall uses Kerberos single sign-on (SSO) to obtain user credentials transparently, without prompting the user. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and a ticket granting service. The firewall must have a Kerberos account, including a principal name and password.
As a best practice, choose Kerberos transparent authentication over NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM: the client proves possession of a KDC-issued ticket rather than answering a challenge derived from its password hash, and the firewall does not need an administrative account to join the domain.
NT LAN Manager (NTLM)
The firewall uses a challenge-response mechanism to obtain the user credentials from the browser; the password itself is never sent, but the browser answers the firewall's challenge with a response derived from the user's password hash. When configured properly, the browser transparently provides the credentials to the firewall without prompting the user; it prompts for credentials only if transparent authentication is not possible.
If you use the Windows-based User-ID agent, the firewall forwards NTLM responses to the domain controller on which you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first and falls back to NTLM authentication only if Kerberos fails. If the browser cannot perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to use NTLM as well (both require the Captive Portal host to be listed as a trusted authentication server before they will answer a challenge transparently), but you cannot use NTLM to authenticate non-Windows clients.
Web Form
The firewall redirects web requests to a web form for authentication. You can configure Captive Portal to authenticate users against a local user database, a RADIUS server, a TACACS+ server, an LDAP server, or a Kerberos server (or against an authentication sequence). This method always prompts users for credentials, but it works with all browsers and operating systems.
Client Certificate Authentication
The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision a client certificate on each user system and install, on the firewall, the trusted certificate authority (CA) certificate that issued those certificates. The firewall accepts a certificate only if it chains to that CA, so a certificate issued by any other CA, including a self-signed certificate with the same subject name, is rejected.
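The following shell script is an added example, not part of the original page or of the vendor's own tooling. It builds a throwaway CA, issues a client certificate with the client-authentication purpose, and then runs the same chain check the firewall performs against a good certificate, a self-signed certificate with an identical subject, and a CA-issued certificate that lacks the client-authentication purpose. The CA name, user name, and file locations are assumptions for the demo; in a real deployment the CA certificate produced here is what you would install on the firewall as the trusted CA.

```shell
#!/bin/sh
# Added example: provision a client certificate from a demo CA and verify it
# the way a captive portal would (chain to the trusted CA, client-auth purpose).
# The CA name, user name, and working directory are assumptions for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Self-signed root CA. "openssl req -x509" marks it CA:TRUE by default;
  # ca.crt is the certificate you would install on the firewall.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Captive Portal CA" >/dev/null 2>&1
}

issue_cert() {
  # $1 = file/user name, $2 = extendedKeyUsage value.
  # Produces $WORK/$1.key and $WORK/$1.crt signed by the demo CA.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 7 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

make_rogue_cert() {
  # Self-signed certificate with the same subject as a real user, but not
  # issued by the trusted CA: this is what an attacker could mint themselves.
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

verify_client_cert() {
  # Returns 0 only if $1 chains to ca.crt AND is usable for TLS client auth.
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# Provision the demo material (constructed for this example).
make_ca
issue_cert alice clientAuth          # what a user system should carry
issue_cert server-only serverAuth    # CA-issued, but wrong purpose
make_rogue_cert alice                # same CN, untrusted issuer

# Stand-alone run: report each verdict.
for c in alice rogue server-only; do
  if verify_client_cert "$WORK/$c.crt"; then
    echo "$c.crt: accepted"
  else
    echo "$c.crt: rejected"
  fi
done
```

Only alice.crt is accepted. The self-signed rogue.crt fails the chain check even though its subject matches, and server-only.crt fails because `-purpose sslclient` requires the client-authentication extended key usage when an EKU extension is present; include `extendedKeyUsage=clientAuth` when you issue user certificates, or the firewall's TLS layer has no basis to accept them as client certificates.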