GFI User Forums » Kerio Control » Captive Portal not so captive (Captive Portal not working)

Captive Portal not so captive [message #116369] Sat, 27 September 2014 02:44
exportgoldman
Messages: 14
Registered: February 2009
Hello Everyone,

We are running the latest Kerio Control (8.3.4) on a Kerio rackmount appliance, and cannot get the captive portal to work.

We have turned on "require all users to log in for HTTP/HTTPS access", which is what the documentation says is required for the captive portal to work.

We have also followed the Instructions for IE to

- Add the firewall URL to IE's trusted sites
- Turn on automatically logon in intranet zone using current username and password
- Under Advanced, Enable Authenticated Windows Access

We have found that users browsing to the portal manually still have to log on using SSL, but if we add NTLM=1 to the URL they are logged on automatically.

But if a user goes to a web page and isn't authenticated, they are never redirected to the captive portal. This is a major pain.

We would set the Control URL to be the users' homepage, but because it runs on a non-standard port, when the user goes home they just get an error, because we cannot put a CNAME externally to redirect to something like Google.

All PCs are Windows 7, with Active Directory 2012 R2 servers and domain. Kerio Control is joined to the domain.

Has anyone got the captive portal working????

[Updated on: Sat, 27 September 2014 02:46]


Re: Captive Portal not so captive [message #116384 is a reply to message #116369] Mon, 29 September 2014 07:41
mlee (Kerio)
Messages: 211
Registered: October 2012
Location: Sydney
I am guessing that the documentation you are referring to is this knowledge base article: http://kb.kerio.com/735

The article covers everything you need for NTLM configuration, especially:

An SSL certificate must be installed and configured correctly for the Kerio Control server
Kerio Control must be deployed on a computer (Windows or Linux ApE) which is a member of an Active Directory Domain
Check if Kerio Control's name (In "Advanced Options\Web Interface\Use specified hostname") resolves correctly on the local network. Using the IP address of the Kerio Control computer for this setting will not work.
Kerio Control must be joined to the domain, and should be pointing exclusively to the Domain Controller for name resolution
The web browser must be configured to trust the hostname of the Control firewall (see browser configuration below)

And FYI, the captive portal will be officially available as of version 8.4. It is currently in beta 1.

M.

Re: Captive Portal not so captive [message #116385 is a reply to message #116369] Mon, 29 September 2014 09:00
sorat
Messages: 59
Registered: November 2013
Location: byr
The fact that users are able to

@a user goes to a webpage, and isn't authenticated they will never be redirected to the captive portal.

is 100% your traffic rules problem.

Do you use proxy or transparent access?

For example, I use logic like this:

FIRST THIS RULE

"real inet access" - (source:auth users, or domain groups(no ip here!!!)) -> (ports of interest(NAT)) - ALLOW

BELOW IS ANOTHER RULE

"for auth only" - (source: lan ip's) - 80 - NAT ALLOW (inspector ON)

This way no unauthenticated user can access internet pages.

But I have correct NTLM login, so no one enters credentials anyway, just opens the browser, and it's done.
Check Kerio's ('Security', if I remember correctly) logs.
It tells you what's wrong with NTLM auto auth, if anything.

PS Also, I think port 443 isn't captured correctly, so don't use it in the "for auth only" rule.

[Updated on: Mon, 29 September 2014 09:15]


Re: Captive Portal not so captive [message #116395 is a reply to message #116384] Mon, 29 September 2014 12:26
exportgoldman
Messages: 14
Registered: February 2009
An SSL certificate must be installed and configured correctly for the Kerio Control server

DONE

Kerio Control must be deployed on a computer (Windows or Linux ApE) which is a member of an Active Directory Domain

It's an appliance joined to the domain

Check if Kerio Control's name (In "Advanced Options\Web Interface\Use specified hostname") resolves correctly on the local network. Using the IP address of the Kerio Control computer for this setting will not work.

It does. Can ping and browse to URL

Kerio Control must be joined to the domain, and should be pointing exclusively to the Domain Controller for name resolution

Hmmmmmm. We have a PPPoE connection with automatic DNS; how does this work with the domain join? The server can resolve Active Directory computer names, and if you use the URL with NTLM=1 on the end it works. Just not the captive portal.

The web browser must be configured to trust the hostname of the Control firewall (see browser configuration below)

DONE. It's a certificate from Active Directory and all PCs are joined. No certificate errors in either Chrome or IE.


And FYI, the captive portal will be officially available as of version 8.4. It is currently in beta 1.

Now that's something I didn't realise, so this is a beta feature? We are only running non-beta releases.

Any other suggestions?

Re: Captive Portal not so captive [message #116396 is a reply to message #116385] Mon, 29 September 2014 12:27
exportgoldman
Messages: 14
Registered: February 2009
sorat wrote on Mon, 29 September 2014 09:00
The fact that users are able to

@a user goes to a webpage, and isn't authenticated they will never be redirected to the captive portal.

is 100% your traffic rules problem.

Do you use proxy or transparent access?

For example, I use logic like this:

FIRST THIS RULE

"real inet access" - (source:auth users, or domain groups(no ip here!!!)) -> (ports of interest(NAT)) - ALLOW

BELOW IS ANOTHER RULE

"for auth only" - (source: lan ip's) - 80 - NAT ALLOW (inspector ON)

This way no unauthenticated user can access internet pages.

But I have correct NTLM login, so no one enters credentials anyway, just opens the browser, and it's done.
Check Kerio's ('Security', if I remember correctly) logs.
It tells you what's wrong with NTLM auto auth, if anything.

PS Also, I think port 443 isn't captured correctly, so don't use it in the "for auth only" rule.


Can you post your two firewall rules? It isn't exactly clear what's different between your two rules.

We use the transparent option. Configuring a proxy causes too many problems when users go home, or is too problematic with WPAD etc.

[Updated on: Mon, 29 September 2014 12:29]


Re: Captive Portal not so captive [message #116405 is a reply to message #116396] Mon, 29 September 2014 15:59
sorat
Messages: 59
Registered: November 2013
Location: byr
Quote:
it isn't exactly clear what's different between your two rules

Exactly what I'm talking about; that's why I think your config is not correct.
The difference is the key words "(no ip here!!!)"; see previous post.

You DO understand that rules are scanned sequentially in descending order, right?

Quote:
Can you post your two firewall rules?

Actually, quite the opposite, please post your rules (I think you have only one rule that corresponds to internet access).
Because my config is kinda intricate, and the info I provided is just an example of a correct implementation.

Quote:
We use transparent option
Yes, that's good, simpler to start with.

PS also don't forget to check the Configuration -> Domains and User Logins -> Always require user to be auth when accessing web pages option.

[Updated on: Mon, 29 September 2014 16:55]


Re: Captive Portal not so captive [message #116415 is a reply to message #116405] Tue, 30 September 2014 04:15
exportgoldman
Messages: 14
Registered: February 2009
sorat wrote on Mon, 29 September 2014 15:59
Quote:
it isn't exactly clear what's different between your two rules

Exactly what I'm talking about; that's why I think your config is not correct.
The difference is the key words "(no ip here!!!)"; see previous post.

You DO understand that rules are scanned sequentially in descending order, right?

Quote:
Can you post your two firewall rules?

Actually, quite the opposite, please post your rules (I think you have only one rule that corresponds to internet access).
Because my config is kinda intricate, and the info I provided is just an example of a correct implementation.

Quote:
We use transparent option
Yes, that's good, simpler to start with.

PS also don't forget to check the Configuration -> Domains and User Logins -> Always require user to be auth when accessing web pages option.


Yes, I do understand the firewall rules are applied from the top down. I still don't understand why Kerio requires two rules for internet access, but I applied your rules (as per attached) and all I get now is non-authenticated users able to access the internet because of the second rule.


Re: Captive Portal not so captive [message #116419 is a reply to message #116415] Tue, 30 September 2014 07:58
sorat
Messages: 59
Registered: November 2013
Location: byr
Quote:
now non-authenticated users able to access the internet because of the second rule

I bet it's HTTPS that allows them.
See attached pic; this combo should work.

Also, can you check in Active Hosts, when someone accesses without auth, by what rule (and port, i.e. 80 or 443) they are getting through? It shows in the Activity tab.
  • Attachment: captive.png
    (Size: 113.71KB, Downloaded 1113 times)

[Updated on: Tue, 30 September 2014 07:59]


Re: Captive Portal not so captive [message #116422 is a reply to message #116419] Tue, 30 September 2014 08:20
exportgoldman
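As an added illustration (not Kerio's code and not either poster's actual configuration) of the two points sorat makes above: rules are matched top-down, and HTTPS must stay out of the "for auth only" rule because the HTTP inspector can only redirect plain HTTP. The LAN prefix, port list and rule names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of a first-match traffic rule set in the style sorat
# describes: a rule matches either by authenticated user / domain group or by
# source IP, and an ALLOW rule with the HTTP inspector on sends an
# unauthenticated client to the login page instead of letting it through.

@dataclass(frozen=True)
class Rule:
    name: str
    ports: frozenset            # destination ports the rule covers
    require_auth: bool = False  # source = authenticated users or domain groups
    source_ips: tuple = ()      # source = LAN IP prefixes (matches without auth)
    inspector: bool = False     # HTTP protocol inspector enabled on this rule

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    authenticated: bool

def evaluate(rules, flow):
    """First matching rule decides: returns (rule name, outcome), where the
    outcome is ALLOW, REDIRECT (to the captive portal) or IMPLICIT_DENY."""
    for r in rules:
        if flow.dst_port not in r.ports:
            continue
        if r.require_auth and not flow.authenticated:
            continue
        if r.source_ips and not any(flow.src_ip.startswith(p) for p in r.source_ips):
            continue
        # The inspector can rewrite plain HTTP only; it cannot redirect TLS.
        if r.inspector and not flow.authenticated and flow.dst_port == 80:
            return r.name, "REDIRECT"
        return r.name, "ALLOW"
    return None, "IMPLICIT_DENY"

def unauthenticated_leaks(rules, src_ip, ports=(80, 443, 25, 993)):
    """Ports an unauthenticated LAN host reaches directly (should be empty)."""
    return {p for p in ports if evaluate(rules, Flow(src_ip, p, False))[1] == "ALLOW"}

# sorat's layout: authenticated users first, then LAN IPs on port 80 only.
GOOD_RULES = (
    Rule("real inet access", frozenset({80, 443, 25, 993}), require_auth=True),
    Rule("for auth only", frozenset({80}), source_ips=("10.0.",), inspector=True),
)
# The variant the thread warns against: 443 added to the "for auth only" rule.
LEAKY_RULES = (GOOD_RULES[0],
               Rule("for auth only", frozenset({80, 443}), source_ips=("10.0.",), inspector=True))
# Same two rules in the wrong order: the IP rule shadows the user rule for port 80.
REVERSED_RULES = (GOOD_RULES[1], GOOD_RULES[0])
```

Running `unauthenticated_leaks(LEAKY_RULES, "10.0.0.5")` reproduces the symptom exportgoldman reported: only 443 gets through, and the Active Hosts check sorat suggests would show that port against the second rule.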
Messages: 14
Registered: February 2009
sorat wrote on Tue, 30 September 2014 07:58
Quote:
now non-authenticated users able to access the internet because of the second rule

I bet it's HTTPS that allows them.
See attached pic; this combo should work.

Also, can you check in Active Hosts, when someone accesses without auth, by what rule (and port, i.e. 80 or 443) they are getting through? It shows in the Activity tab.


That seems to all be working great. How did you figure this out?

More importantly, why is this second rule needed? Do you think it's a bug or is it just how it's meant to work? I didn't see this in any of the documentation.

I would give you karma once I figure out how.
Re: Captive Portal not so captive [message #116427 is a reply to message #116422] Tue, 30 September 2014 09:38
sorat
Messages: 59
Registered: November 2013
Location: byr
So it worked for you too in the end? Smile

Well, honestly, the second rule is not a 'mandatory must have'.
Because auth goes through kinda 2 stages, it's just isolation of the HTTP protocol in a separate rule, for simpler readability and management.

I also assign a QoS speed limit to it, so as to reduce 'unrecognized users' traffic in statistics.