Configuring Browser-Based Authentication in SmartConsole

In the Identity Sources section of the Identity Awareness page, select Browser-Based Authentication to send unidentified users to the Captive Portal.

If you configure Transparent Kerberos Authentication, the browser tries to identify AD users before sending them to the Captive Portal.

If you already configured the portal in the Identity Awareness Wizard or SmartConsole, its URL shows below Browser-Based Authentication.

To configure the Browser-Based Authentication settings:

1. Select Browser-Based Authentication and click Settings.
2. From the Portal Settings window, configure:
   • Portal Network Location

     Select if the portal runs on this Security Gateway or a different Identity Awareness enabled Security Gateway. The default is that the Captive Portal is on the Security Gateway. The Security Gateway redirects unidentified users to the Captive Portal on the same Security Gateway. This is the basic configuration.

     A more advanced deployment is possible where the portal runs on a different Security Gateway. See the Deployment section for more details.

   • Access Settings

     Click Edit to open the Portal Access Settings window. In this window, you can configure:

     • Main URL - The primary URL that users are redirected to for the Captive Portal. You might have already configured this in the Identity Awareness Configuration wizard.
     • Aliases - Click the Aliases button to Add URL aliases that are redirected to the main portal URL. For example, ID.yourcompany.com can send users to the Captive Portal. To make the alias work, it must be resolved to the main URL on your DNS server.
     • Certificate - Click Import to import a certificate for the portal website to use. If you do not import a certificate, the portal uses a Check Point auto-generated certificate. This can cause browser warnings if the browser does not recognize Check Point as a trusted Certificate Authority. See Server Certificates for more details.
     • Accessibility - Click Edit to select from where the portal can be accessed. You might have already configured this in the Identity Awareness Wizard. The options are based on the topology configured for the Security Gateway.

       Users are sent to the Captive Portal, if they use networks connected to these interfaces.

       • Through all interfaces
       • Through internal interfaces
         • Including undefined internal interfaces
         • Including DMZ internal interfaces
         • Including VPN encrypted interfaces
       • According to the Firewall policy - Select this if there is a rule that states who can access the portal.
   • Authentication Settings
     Click Settings to open the Authentication Settings window. In this window you can configure:

     • Browser transparent Single Sign-On - Select Automatically authenticate users from computers in the domain if Transparent Kerberos Authentication is used to identify users.
       • Main URL: The URL used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal. This URL contains the DNS name or IP address of Identity Awareness Gateway.

       Note - The Endpoint Identity Agent download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. This is so because users do not see the Captive Portal.

     • Authentication Method - Select one method that known users must use to authenticate.
       • Defined on user record (Legacy Authentication) - Takes the authentication method from Gateway Object Properties > Other > Legacy Authentication.
       • User name and password - This can be configured internally or on an LDAP server.
       • RADIUS - A configured RADIUS server. Select the server from the list.
     • User Directories - Select one or more places where the Security Gateway searches to find users when they try to authenticate.
       • Internal users - The directory of internal users.
       • LDAP users - The directory of LDAP users. Either:
         • Any - Users from all LDAP servers.
         • Specific - Users from an LDAP server that you select.
       • External user profiles - The directory of users who have external user profiles.

     The default is that all user directory options are selected. You might choose only one or two options if users are only from a specified directory or directories and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\user.

   • Customize Appearance

     Click Edit to open the Portal Customization window and edit the images that users see in the Captive Portal. Configure the labeled elements of the image below.

     Label Number	Name	To do in GUI
     1	Portal Title	Enter the title of the portal. The default title is Network Login.
     2	Company Logo	Select Use my company logo and Browse to select a logo image for the portal.
     2	Company Logo for mobiles	Select Use my company logo for mobiles and Browse to select a smaller logo image for users who access the portal from mobile devices.

   • User Access

     Configure what users can do in the Captive Portal to become identified and access the network.

     • Name and password login- Users are prompted to enter an existing username and password. This will only let known users authenticate.
     • Unregistered guests login - Let guests who are not known by the Security Gateway access the network after they enter required data.
   • Endpoint Identity Agent Deployment from the Portal

     If Endpoint Identity Agents is selected as a method to acquire identities, you can require users to download the Endpoint Identity Agent from the Captive Portal. You can also let users install the Endpoint Identity Agent on a specified later date and not right away.

     • Require users to download - Select this to make users install the Endpoint Identity Agent. Select which Endpoint Identity Agent they must install. If this option is selected and the defer option is not selected, users are not able to access the network if they install the Endpoint Identity Agent.
     • Users may defer installation until - Select to give users flexibility to choose when to install the Endpoint Identity Agent. Select the date by which they must install it. Until that date a Skip Endpoint Identity Agent installation option shows in the Captive Portal.

Note - When you enable Browser-Based Authentication on an IPSO Security Gateway that is on an IP Series appliance, make sure to set the Voyager management application port to a port other than 443 or 80.

Portal Network Location

Select if the portal runs on this Security Gateway or a different Identity Awareness enabled Security Gateway. The default is that the Captive Portal is on the Security Gateway. The Security Gateway redirects unidentified users to the Captive Portal on the same Security Gateway. This is the basic configuration.

A more advanced deployment is possible where the portal runs on a different Security Gateway. See the Deployment section for more details.

Access Settings

Click Edit to open the Portal Access Settings window. In this window, you can configure:

• Main URL - The primary URL that users are redirected to for the Captive Portal. You might have already configured this in the Identity Awareness Configuration wizard.
• Aliases - Click the Aliases button to Add URL aliases that are redirected to the main portal URL. For example, ID.yourcompany.com can send users to the Captive Portal. To make the alias work, it must be resolved to the main URL on your DNS server.
• Certificate - Click Import to import a certificate for the portal website to use. If you do not import a certificate, the portal uses a Check Point auto-generated certificate. This can cause browser warnings if the browser does not recognize Check Point as a trusted Certificate Authority. See Server Certificates for more details.
• Accessibility - Click Edit to select from where the portal can be accessed. You might have already configured this in the Identity Awareness Wizard. The options are based on the topology configured for the Security Gateway.

  Users are sent to the Captive Portal, if they use networks connected to these interfaces.

  • Through all interfaces
  • Through internal interfaces
    • Including undefined internal interfaces
    • Including DMZ internal interfaces
    • Including VPN encrypted interfaces
  • According to the Firewall policy - Select this if there is a rule that states who can access the portal.

Authentication Settings

Click Settings to open the Authentication Settings window. In this window you can configure:

• Browser transparent Single Sign-On - Select Automatically authenticate users from computers in the domain if Transparent Kerberos Authentication is used to identify users.
  • Main URL: The URL used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal. This URL contains the DNS name or IP address of Identity Awareness Gateway.

  Note - The Endpoint Identity Agent download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. This is so because users do not see the Captive Portal.

• Authentication Method - Select one method that known users must use to authenticate.
  • Defined on user record (Legacy Authentication) - Takes the authentication method from Gateway Object Properties > Other > Legacy Authentication.
  • User name and password - This can be configured internally or on an LDAP server.
  • RADIUS - A configured RADIUS server. Select the server from the list.
• User Directories - Select one or more places where the Security Gateway searches to find users when they try to authenticate.
  • Internal users - The directory of internal users.
  • LDAP users - The directory of LDAP users. Either:
    • Any - Users from all LDAP servers.
    • Specific - Users from an LDAP server that you select.
  • External user profiles - The directory of users who have external user profiles.

The default is that all user directory options are selected. You might choose only one or two options if users are only from a specified directory or directories and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\user.

Customize Appearance

Click Edit to open the Portal Customization window and edit the images that users see in the Captive Portal. Configure the labeled elements of the image below.

User Access

Configure what users can do in the Captive Portal to become identified and access the network.

• Name and password login- Users are prompted to enter an existing username and password. This will only let known users authenticate.
• Unregistered guests login - Let guests who are not known by the Security Gateway access the network after they enter required data.

Name and Password Login Settings

Click Settings to configure settings for known users after they enter their usernames and passwords successfully.

• Access will be granted for xxx minutes - For how long can they access network resources before they have to authenticate again.
• Ask for user agreement - You can require that users sign a user agreement. Click Edit to upload an agreement. This option is not selected by default because a user agreement is not usually necessary for known users.
• Adjust portal settings for specific user groups - You can add user groups and give them settings that are different from other users. Settings specified for a user group here override settings configured elsewhere in the Portal Settings. The options that you configure for each user group are:
  • If they must accept a user agreement.
  • If they must download an Endpoint Identity Agent and which one.
  • If they can defer the Endpoint Identity Agent installation and until when.

  You can only configure settings for Endpoint Identity Agent deployment if Endpoint Identity Agents is selected on the Identity Awareness page.

Unregistered Guest Login Settings

Click Settings to configure settings for guests.

• Access will be granted for xxx minutes - For how long can they access network resources before they have to authenticate again.
• Ask for user agreement - Makes users sign a user agreement. Click Edit to choose an agreement and the End-user Agreement Settings page opens. Select an agreement to use:
  • Default agreement with this company name - Select this to use the standard agreement. See the text in the Agreement preview. Replace Company Name with the name of your company. This name is used in the agreement.
  • Customized agreement - Paste the text of a customized agreement into the text box. You can use HTML code.
• Login Fields - Edit the table shown until it contains the fields that users complete in that sequence. Select Is Mandatory for each field that guests must complete before they can get access to the network. To add a new field, enter it in the empty field and then click Add. Use the green arrows to change the sequence of the fields. The first field will show the user name in Logs & Monitor > Logs.

Endpoint Identity Agent Deployment from the Portal

If Endpoint Identity Agents is selected as a method to acquire identities, you can require users to download the Endpoint Identity Agent from the Captive Portal. You can also let users install the Endpoint Identity Agent on a specified later date and not right away.

• Require users to download - Select this to make users install the Endpoint Identity Agent. Select which Endpoint Identity Agent they must install. If this option is selected and the defer option is not selected, users are not able to access the network if they install the Endpoint Identity Agent.
• Users may defer installation until - Select to give users flexibility to choose when to install the Endpoint Identity Agent. Select the date by which they must install it. Until that date a Skip Endpoint Identity Agent installation option shows in the Captive Portal.