Revisions compared: 2024/12/05 18:57 (created by sprabhu) and 2024/12/11 18:11 (current, by rhudak)
====== Captive Portal ====== | ====== Captive Portal ====== | ||
+ | |||
+ | <color # | ||
==== Basic Setup ==== | ==== Basic Setup ==== | ||
==== Firewall Policies & Portal Bypass Rules ==== | ==== Firewall Policies & Portal Bypass Rules ==== | ||
+ | |||
+ | Firewall Rules can include address objects (or groups) and user accounts (or groups). Authentication is usually tied to the source IP address. | ||
+ | * Within Address Objects/ | ||
+ | * Within User Accounts/ | ||
+ | * Between Address and User Conditions: Conditions are AND'd (both address and user requirements must be met). | ||
+ | |||
+ | If the source is not authenticated at all, then it won't be able to match any rules which require authentication. As such, it is possible to trigger captive portal authentication just off of a firewall rule. However, there are fewer options available when triggering authentication this way, so best practice would be to enable it on the source interfaces. | ||
+ | |||
+ | **Generally, | ||
+ | - Underway Mode: | ||
+ | * Internet access requires captive portal authentication. | ||
+ | * Ensures that only authenticated users can access the network while at sea. | ||
+ | - Shore Mode: | ||
+ | * Captive portal authentication is not required. | ||
+ | * Simplifies access for crew and systems when docked and connected to a trusted network. | ||
+ | |||
+ | **Note:** Firewall rules in FortiGate are evaluated top-to-bottom. | ||
+ | |||
+ | **Rule Definitions: | ||
+ | - **CaptivePortalBypass Rule:** | ||
+ | * source = CaptivePortalBypass address group (trusted IPs/subnets exempt from the portal). | ||
+ | * destination = any (allow unrestricted access to any destination). | ||
+ | * Trusted devices (e.g., ship systems or critical infrastructure) that do not require captive portal authentication. | ||
+ | - **CaptivePortalRequirement Rule:** | ||
+ | * source = SourceIPGroup AND SourceUserGroup (both a specific source IP and authenticated user group must match). | ||
+ | * destination = any (allow access to any destination for authenticated users). | ||
+ | * Enforces captive portal authentication for users connecting to the Internet. | ||
+ | |||
+ | The assumption here is that normally CaptivePortalBypass is empty. When the portal needs to be bypassed in port, then the group is populated with address objects for the wifi network. | ||
+ | |||
+ | - Underway: | ||
+ | * CaptivePortalBypass group is empty. The bypass rule is skipped because there are no addresses in the group to match. | ||
+ | * So all traffic falls through to the CaptivePortalRequirement rule. Denies traffic from unauthenticated sources. Ensures all Internet access requires captive portal authentication. | ||
+ | - Shore: | ||
+ | * CaptivePortalBypass group is populated. The bypass rule matches traffic from the specified source addresses (e.g., Wi-Fi network). | ||
+ | * Since the traffic matches the first rule, it is allowed without needing captive portal authentication. No further rules (e.g., CaptivePortalRequirement) are processed for this traffic. | ||
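The matching rules above (OR within address groups, OR within user groups, AND between the two, top-to-bottom first match, empty group matches nothing) and the underway/shore walkthrough, modelled in Python as an added example. This is not FortiOS code and not from this page: the policy objects are a simplified model of the two rules, and the 10.20.0.0/16 Wi-Fi range, the client addresses and the user group names are constructed for illustration. The last scenario also shows what an unauthenticated Wi-Fi client sees in port if the two rules are placed in the wrong order.

```python
"""Model of the policy-matching semantics described above (added example,
not FortiOS code): address members are OR'd, user groups are OR'd, the
address and user conditions are AND'd, policies are evaluated top to
bottom with first match winning, and an address group with no members
matches nothing.  Group names mirror the page; the 10.20.0.0/16 Wi-Fi
range, client addresses and user groups are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    srcaddr: Tuple[str, ...]   # address groups; members are OR'd
    groups: Tuple[str, ...]    # required user groups (OR'd); () = no auth needed
    action: str = "accept"


AddrTable = Dict[str, List[str]]   # group name -> list of CIDR members


def address_matches(src_ip: str, addr_groups: Tuple[str, ...], table: AddrTable) -> bool:
    """OR across every CIDR member of every listed group.  A group with no
    members contributes no candidates, so a policy using only that group
    can never match."""
    ip = ip_address(src_ip)
    return any(ip in ip_network(cidr) for g in addr_groups for cidr in table.get(g, []))


def user_matches(required: Tuple[str, ...], user_groups: Optional[List[str]]) -> bool:
    """OR across the required groups; None means the source is unauthenticated."""
    if not required:
        return True
    if user_groups is None:
        return False
    return bool(set(required) & set(user_groups))


def evaluate(policies: List[Policy], table: AddrTable, src_ip: str,
             user_groups: Optional[List[str]] = None) -> Tuple[str, str]:
    """Top-to-bottom evaluation, first match wins; returns (verdict, policy).
    An unauthenticated source that satisfies the address condition of a
    policy requiring a user group is sent to the captive portal at that
    policy (in the layout above that policy is the last one, so nothing
    below it could match anyway)."""
    for p in policies:
        if not address_matches(src_ip, p.srcaddr, table):
            continue            # address condition failed: try the next policy
        if p.groups and user_groups is None:
            return ("captive-portal", p.name)
        if user_matches(p.groups, user_groups):
            return (p.action, p.name)
    return ("deny", "implicit-deny")   # the implicit deny at the bottom of the list


# Policy objects mirroring the page; the bypass rule must sit above the requirement rule.
BYPASS = Policy("CaptivePortalBypass", ("CaptivePortalBypass",), ())
REQUIRE = Policy("CaptivePortalRequirement", ("SourceIPGroup",), ("SourceUserGroup",))
POLICIES = [BYPASS, REQUIRE]

WIFI = "10.20.0.0/16"   # constructed crew Wi-Fi range


def underway_table() -> AddrTable:
    """Underway: the bypass group is left empty."""
    return {"CaptivePortalBypass": [], "SourceIPGroup": [WIFI]}


def shore_table() -> AddrTable:
    """Shore: the bypass group is populated with the Wi-Fi network."""
    return {"CaptivePortalBypass": [WIFI], "SourceIPGroup": [WIFI]}


if __name__ == "__main__":
    client = "10.20.1.5"   # constructed Wi-Fi client
    print("underway, unauthenticated:", evaluate(POLICIES, underway_table(), client))
    print("underway, crew member:    ", evaluate(POLICIES, underway_table(), client, ["SourceUserGroup"]))
    print("underway, wrong group:    ", evaluate(POLICIES, underway_table(), client, ["Contractors"]))
    print("shore, unauthenticated:   ", evaluate(POLICIES, shore_table(), client))
    print("shore, rules swapped:     ", evaluate(POLICIES[::-1], shore_table(), client))
```

Running it underway sends the unauthenticated client to the portal, accepts the same client once it holds SourceUserGroup, and drops a client that authenticated into some other group; in port the populated bypass group accepts the client at the first rule. With the rules swapped, the requirement rule sees the client first and the portal is triggered even in port, which is the practical consequence of the top-to-bottom note above.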
Last modified: 2024/12/05 18:57 by sprabhu