Captive Portal
Captive portal enables an endpoint to be redirected to a specified URL when the user attempts to access a protected resource behind an Infranet Enforcer. The default redirection page is the authentication page of Ivanti Policy Secure.
The captive portal workflow is as follows:
- The user attempts to access a protected resource.
- The generic source IP policy that matches the destination includes a redirect configuration.
- The enforcer sends a redirect message to the endpoint browser that includes the URL of Ivanti Policy Secure.
- The browser opens a session with Ivanti Policy Secure and the endpoint completes authentication.
- Ivanti Policy Secure sends the authentication table entry for the endpoint to the enforcer.
- Ivanti Policy Secure redirects the browser back to the original resource.
- The browser requests the resource again, and the enforcer now allows the endpoint to access the protected resource.
Configuring Captive Portal
You can configure a captive portal directly on the Infranet Enforcer using its CLI. You must create a captive-portal application service and then specify which traffic to redirect:
- unauthenticated: Select this option if your deployment uses source IP only or a combination of source IP and IPsec. The Infranet Enforcer redirects clear-text traffic from unauthenticated users to the currently connected Ivanti Policy Secure, or to an IP address or domain name that you specify in a redirect URL.
- all: Select this option if your deployment uses IPsec only. The Infranet Enforcer redirects all clear-text traffic to the currently connected Ivanti Policy Secure, or to an IP address or domain name that you specify in a redirect URL.
The captive portal feature redirects HTTP traffic only. If the user attempts to access a protected resource using HTTPS or another protocol such as SMTP, the Infranet Enforcer does not redirect the user's traffic. When using HTTPS or another application, the user must manually sign into Ivanti Policy Secure first before attempting to access protected resources.
If there is an HTTP proxy between the endpoint and the Infranet Enforcer, the Infranet Enforcer might not redirect the HTTP traffic.
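The following Python script is an added example, not part of the Ivanti documentation. It exercises the workflow above from the endpoint's side: it requests a protected resource over plain HTTP without following redirects, and accepts the answer as a captive-portal redirect only if it is a 3xx whose Location points at the expected Policy Secure host over HTTPS and carries the target, enforcer and policy parameters. Anything else (a 200 because the auth table already permits the endpoint, a redirect elsewhere, or no redirect at all because the request went over HTTPS or through a proxy) is reported as not redirected. The host pps.example.net, the enforcer and policy identifiers, and the sample response are constructed for the example.

```python
"""Endpoint-side check of an Infranet Enforcer captive-portal redirect.

Added example, not Ivanti or Juniper code. Host names, identifiers and the
sample response below are constructed for the example.
"""
from http.client import HTTPConnection
from urllib.parse import parse_qs, urlsplit

PPS_HOST = "pps.example.net"  # assumed Policy Secure address the enforcer redirects to
REQUIRED = ("target", "enforcer", "policy")  # parameters the redirect URL must carry


def parse_captive_redirect(status, headers, pps_host=PPS_HOST):
    """Return the decoded redirect parameters if (status, headers) is a
    captive-portal redirect to pps_host over HTTPS, otherwise None."""
    if status not in (301, 302, 303, 307, 308):
        return None  # not a redirect: either already permitted or not intercepted
    location = {k.lower(): v for k, v in headers}.get("location")
    if not location:
        return None
    parts = urlsplit(location)
    if parts.scheme != "https" or (parts.hostname or "").lower() != pps_host:
        return None  # went somewhere other than Policy Secure, or not over TLS
    query = parse_qs(parts.query)  # percent-decodes the values
    if any(name not in query for name in REQUIRED):
        return None  # the enforcer must pass target, enforcer and policy
    result = {name: query[name][0] for name in REQUIRED}
    if "dest-ip" in query:  # optional parameter
        result["dest-ip"] = query["dest-ip"][0]
    return result


def probe(resource_url, pps_host=PPS_HOST, timeout=5):
    """Fetch a protected resource over plain HTTP (no redirect following)
    and classify the enforcer's answer. Returns (status, parsed_or_None)."""
    parts = urlsplit(resource_url)
    if parts.scheme != "http":
        raise ValueError("captive portal only redirects plain HTTP; use an http:// URL")
    conn = HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"Host": parts.netloc})
    resp = conn.getresponse()
    return resp.status, parse_captive_redirect(resp.status, resp.getheaders(), pps_host)


# Constructed sample of what the enforcer's redirect looks like to the browser.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = [
    ("Location", "https://pps.example.net/?target=http%3A%2F%2Fintranet.example.net%2Fhr%2F"
                 "&enforcer=srx-1&policy=cap-policy"),
    ("Content-Length", "0"),
]

if __name__ == "__main__":
    print(parse_captive_redirect(SAMPLE_STATUS, SAMPLE_HEADERS))
    # Against a live enforcer: probe("http://intranet.example.net/hr/")
```

Run probe() from an unauthenticated endpoint behind the enforcer to confirm the redirect lands on Policy Secure over HTTPS with the target URL preserved; run it again after signing in to confirm the same request now returns the resource. If the request path passes through an HTTP proxy, the proxy rather than the enforcer answers, which is the case the page warns about.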
Example: Junos SRX CLI
To use captive portal with the Junos Enforcer, Release 10.2 is required.
To enable captive portal, associate an instance of a captive portal with a security policy between two zones. The then permit application-services clause names the captive-portal policy that the security policy applies. Use the following command format:
user@host# set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services uac-policy captive-portal captive-portal-name
To create the captive-portal policy and choose whether it redirects all traffic or only unauthenticated traffic, use the following command format:
user@host# set services unified-access-control captive-portal captive-portal-name redirect-traffic (all | unauthenticated)
Example: ScreenOS CLI
To configure a redirect infranet auth policy for deployments that use either source IP only or a combination of source IP and IPsec type the following command:
set policy from source-zone to dest-zone src_addr dst_addr any permit infranet-auth redirect-unauthenticated
To configure a redirect infranet auth policy for deployments that use IPsec only type the following command:
set policy from source-zone to dest-zone src_addr dst_addr any permit infranet-auth redirect-all
Creating a Redirect Policy on the Junos Enforcer
In a Junos Enforcer security policy, specify the redirect URL in the following format:
user@host# set services unified-access-control captive-portal captive-portal-name redirect-url url
By default, after you configure a captive portal policy, the Junos Enforcer redirects HTTP traffic to the currently connected Ivanti Policy Secure by using HTTPS. To perform the redirection, the Junos Enforcer uses the IP address or domain name that you specified when you configured the Ivanti Policy Secure instance on the Junos Enforcer.
You specify the redirect URL in a Junos Enforcer security policy using the following hierarchy:
user@host# set services unified-access-control captive-portal cap-policy redirect-url "https://%pps-ip%/?target=%dest-url%&enforcer=%enforcer-id%&policy=%policy-id%"
Four parameters are available for redirection:
- target (carried by %dest-url%): the URL the user originally requested
- enforcer (carried by %enforcer-id%): the identifier of the enforcer that redirected the request
- policy (carried by %policy-id%): the identifier of the captive-portal policy that matched
- dest-ip: the IP address of the original destination
target, enforcer, and policy are required; dest-ip is optional. For example:
redirect-url "https://sample.net/?target=%dest-url%&enforcer=%enforcer-id%&policy=%policy-id%"
If you do not specify the redirect URL, the Junos Enforcer uses the default configuration.
To set a redirect URL for the Junos Enforcer, use escape characters instead of dot (.).
For configuration instructions and examples, see the Junos OS Initial Configuration Guide for Security Devices.
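As an added example (not from this page, Ivanti or Juniper), the following set commands bring the pieces from the Junos SRX CLI section and this section together into one complete captive-portal configuration on a Junos Enforcer: the captive-portal policy with its redirect mode and redirect URL, and the security policy that applies it. The zone names trust and protected, the policy names cap-policy and to-protected, and the Policy Secure host pps.example.net are assumptions.

```junos
# Added example configuration; names and addresses are assumptions.
# Captive-portal policy: redirect only unauthenticated users (source IP
# or source IP + IPsec deployment), and send them to Policy Secure with
# the three required parameters. The target parameter carries the URL
# the user asked for so Policy Secure can send the browser back to it.
set services unified-access-control captive-portal cap-policy redirect-traffic unauthenticated
set services unified-access-control captive-portal cap-policy redirect-url "https://pps.example.net/?target=%dest-url%&enforcer=%enforcer-id%&policy=%policy-id%"

# Security policy from the user zone to the protected zone. Only HTTP is
# redirected; other protocols from unauthenticated users are not, so
# users of those protocols must sign in to Policy Secure first.
set security policies from-zone trust to-zone protected policy to-protected match source-address any
set security policies from-zone trust to-zone protected policy to-protected match destination-address any
set security policies from-zone trust to-zone protected policy to-protected match application any
set security policies from-zone trust to-zone protected policy to-protected then permit application-services uac-policy captive-portal cap-policy
commit

# Verify the policy was accepted and references the captive portal:
# run show security policies policy-name to-protected detail
```

Change redirect-traffic to all for an IPsec-only deployment. If you omit the redirect-url statement, the enforcer falls back to the default behaviour described above and redirects to the Policy Secure address configured on the enforcer over HTTPS.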
Creating a Redirect Policy on the ScreenOS Enforcer
From the ScreenOS CLI:
- To specify the redirect URL, enter:
set infranet controller name controller1 url "http://10.64.12.1/?target=%dest-url%"
- To specify the redirect URL without the ?target=%dest-url% string, enter:
set infranet controller name controller1 url http://abc.company.com