How to Configure the Captive Portal for User Control
High-level overview of how to control user activity with captive portal:
Before you begin
To use the captive portal for active authentication, you must set up an AD or LDAP realm (but not a realm sequence), access control policy, an identity policy, an SSL policy, and associate the identity and SSL policies with the access control policy. Finally, you must deploy the policies to managed devices. This topic provides a high-level summary of those tasks.
An example of the entire procedure begins in Configure the Captive Portal Part 1: Create an Identity Policy.
Perform the following tasks first:
- Confirm that your Cisco Defense Orchestrator manages one or more devices with a routed interface configured.
- To use encrypted authentication with the captive portal, either create a PKI object or have your certificate data and key available on the machine from which you're accessing the Cisco Defense Orchestrator. To create a PKI object, see PKI Objects.
Procedure
Step 1 | Create and enable a realm as discussed in the following topics: A realm sequence is not supported for the captive portal. When captive portal authenticates users that match an identity rule, any user in an Active Directory or LDAP group that has not been downloaded is identified as Unknown. To avoid users being identified as Unknown, configure the realm to download users in all groups you expect to authenticate with captive portal. Unknown users are handled according to the associated access policy; if the access policy is configured to block Unknown users, these users are blocked. To make sure the system downloads all users in a realm, make sure the groups are in the Available Groups list in the realm's configuration. For more information, see Synchronize Users and Groups. |
Step 2 | Create an active authentication identity policy for captive portal. The identity policy enables selected users in your realm to access resources after authenticating with the captive portal. For more information, see Configure the Captive Portal Part 1: Create an Identity Policy. |
Step 3 | Configure an access control rule for the captive portal that allows traffic on the captive portal port (by default, TCP 885). You can choose any available TCP port for the captive portal to use. Whatever your choice, you must create a rule that allows traffic on that port. For more information, see Configure the Captive Portal Part 2: Create a TCP Port Access Control Rule. |
Step 4 | Add another access control rule to allow users in the selected realms to access resources using the captive portal. This enables users to authenticate with captive portal. For more information, see Configure the Captive Portal Part 3: Create a User Access Control Rule. |
Step 5 | Configure an SSL policy with a Decrypt - Resign policy for the Unknown user so captive portal users can access web pages using the HTTPS protocol. The captive portal can authenticate users only if the HTTPS traffic is decrypted before the traffic is sent to the captive portal. Captive portal is seen by the system as the Unknown user. For more information, see Configure Captive Portal Part 4: Create an SSL Decrypt-Resign Policy. |
Step 6 | Associate the identity and SSL policies with the access control policy from step 2. This final step enables the system to authenticate users with the captive portal. For more information, see Configure Captive Portal Part 5: Associate Identity and SSL Policies with the Access Control Policy. |
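The six steps above depend on each other: a group left out of the realm's Available Groups produces Unknown users, a missing rule for the portal port or a missing Decrypt - Resign rule silently stops authentication, and an identity or SSL policy that is not associated with the access control policy is never applied. The following pre-deployment check is an added illustration of those dependencies, not Cisco Defense Orchestrator code; the dictionary model and every field name in it (`available_groups`, `portal_port`, `decrypt_resign`, and so on) are assumptions chosen for the example, not CDO API fields, and the sample configurations are constructed.

```python
"""Pre-deployment checks for a captive portal configuration.

Added illustration, not Cisco Defense Orchestrator code. The dictionaries
below are a constructed, hypothetical model of the objects the procedure
creates (realm, identity policy, access control rules, SSL policy); the
field names are assumptions, not CDO API fields.
"""
import copy

DEFAULT_PORTAL_PORT = 885  # default captive portal port given in Step 3


def check_captive_portal(config):
    """Return a list of problems; an empty list means every prerequisite
    from Steps 1-6 is satisfied in this model of the configuration."""
    problems = []
    realm = config.get("realm", {})
    identity = config.get("identity_policy", {})
    acp = config.get("access_control_policy", {})
    ssl = config.get("ssl_policy", {})
    rules = acp.get("rules", [])

    # Step 1: AD or LDAP realm, not a realm sequence, with every group the
    # identity policy expects listed under Available Groups (downloaded).
    if realm.get("type") not in ("AD", "LDAP"):
        problems.append("realm must be an AD or LDAP realm")
    if realm.get("is_sequence"):
        problems.append("realm sequences are not supported for captive portal")
    missing = set(identity.get("groups", [])) - set(realm.get("available_groups", []))
    for group in sorted(missing):
        consequence = "blocked" if acp.get("unknown_user_action") == "block" else "handled as Unknown"
        problems.append(f"group {group!r} is not in Available Groups; its users will be {consequence}")

    # Step 2: the identity policy must use active authentication.
    if identity.get("auth_type") != "active":
        problems.append("identity policy must use active authentication")

    # Step 3: an access control rule must allow the captive portal TCP port.
    port = identity.get("portal_port", DEFAULT_PORTAL_PORT)
    if not any(r.get("action") == "allow" and r.get("protocol") == "tcp" and r.get("port") == port
               for r in rules):
        problems.append(f"no access control rule allows TCP port {port}")

    # Step 4: an access control rule must allow users of the realm.
    if not any(r.get("action") == "allow" and r.get("realm") == realm.get("name") for r in rules):
        problems.append("no access control rule allows users of the realm")

    # Step 5: the SSL policy needs a Decrypt - Resign rule for the Unknown user.
    if not any(r.get("action") == "decrypt_resign" and r.get("user") == "Unknown"
               for r in ssl.get("rules", [])):
        problems.append("SSL policy has no Decrypt - Resign rule for the Unknown user")

    # Step 6: both policies must be associated with the access control policy.
    if acp.get("identity_policy") != identity.get("name"):
        problems.append("identity policy is not associated with the access control policy")
    if acp.get("ssl_policy") != ssl.get("name"):
        problems.append("SSL policy is not associated with the access control policy")
    return problems


# Constructed sample: a configuration that satisfies every step.
GOOD_CONFIG = {
    "realm": {"name": "corp-ad", "type": "AD", "is_sequence": False,
              "available_groups": ["Engineering", "Sales"]},
    "identity_policy": {"name": "captive-portal-idp", "auth_type": "active",
                        "portal_port": 885, "groups": ["Engineering", "Sales"]},
    "access_control_policy": {
        "name": "main-acp", "identity_policy": "captive-portal-idp",
        "ssl_policy": "cp-ssl", "unknown_user_action": "block",
        "rules": [{"action": "allow", "protocol": "tcp", "port": 885},
                  {"action": "allow", "realm": "corp-ad"}],
    },
    "ssl_policy": {"name": "cp-ssl", "rules": [{"action": "decrypt_resign", "user": "Unknown"}]},
}

# Constructed sample: one group was never downloaded and the SSL policy is
# not associated with the access control policy.
BAD_CONFIG = copy.deepcopy(GOOD_CONFIG)
BAD_CONFIG["identity_policy"]["groups"].append("Contractors")
BAD_CONFIG["access_control_policy"]["ssl_policy"] = None

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_captive_portal(cfg) or "OK")
```

Run against the constructed `BAD_CONFIG`, the check reports that users in the `Contractors` group will be blocked (the access policy blocks Unknown users) and that the SSL policy is unassociated, which are exactly the two silent failure modes the procedure warns about in Steps 1 and 6.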
What to do next
See Configure the Captive Portal Part 1: Create an Identity Policy.