Kerio User Forums » Kerio Control » Captive Portal not so captive (Captive Portal not working)

exportgoldman
Hello Everyone,

We are running the latest Kerio Control (8.3.4) on a Kerio rackmount appliance, and cannot get the captive portal to work.

We have turned on the "require all users to login for HTTP/HTTPS access" option, which is what the documentation says is required for the captive portal to work.

We have also followed the Instructions for IE to

- Add the firewall URL to IE's trusted sites
- Turn on automatic logon in the intranet zone using the current username and password
- Under Advanced, Enable Authenticated Windows Access

We have found that users browsing to the portal manually still have to log on using SSL, but if we add NTLM=1 to the URL they are logged on automatically.

But if a user goes to a webpage, and isn't authenticated they will never be redirected to the captive portal. This is a major pain.

We would set the Control URL to be the users' homepage, but because it runs on a non-standard port, when the user goes home they just get an error, because we cannot put a CNAME externally to redirect to something like google.

All PCs are Windows 7, with Active Directory 2012 R2 servers and domain. Kerio Control is joined to the domain.

Has anyone got the captive portal working????

[Updated on: Sat, 27 September 2014 02:46]

mlee (Kerio)
I am guessing that the documentation you are referring to is this knowledge base article: http://kb.kerio.com/735

The article covers everything you need for NTLM configuration, especially:

An SSL certificate must be installed and configured correctly for the Kerio Control server
Kerio Control must be deployed on a computer (Windows or Linux ApE) which is a member of an Active Directory Domain
Check if Kerio Control's name (In "Advanced Options\Web Interface\Use specified hostname") resolves correctly on the local network. Using the IP address of the Kerio Control computer for this setting will not work.
Kerio Control must be joined to the domain, and should be pointing exclusively to the Domain Controller for name resolution
The web browser must be configured to trust the hostname of the Control firewall (see browser configuration below)

And FYI, the captive portal will be officially available as of version 8.4. It is currently in beta 1.

M.

PTSD. BP. OCD. ASPD. BPD. Certified.
sorat
The fact that users are able to

@a user goes to a webpage, and isn't authenticated they will never be redirected to the captive portal.

is 100% your traffic rules problem.

Do you use proxy or transparent access?

For example, I use logic like this:

FIRST THIS RULE

"real inet access" - (source:auth users, or domain groups(no ip here!!!)) -> (ports of interest(NAT)) - ALLOW

BELOW IS ANOTHER RULE

"for auth only" - (source: lan ip's) - 80 - NAT ALLOW (inspector ON)

This way no unauthenticated user can access internet pages.

But I have correct NTLM login, so no one enters credentials anyway; they just open the browser, and it's done.
Check Kerio's ('security', if I remember correctly) logs.
They tell you what's wrong with NTLM auto auth, if anything.

PS Also, I think port 443 isn't captured correctly, so don't use it in the "for auth only" rule.

[Updated on: Mon, 29 September 2014 09:15]

exportgoldman

An SSL certificate must be installed and configured correctly for the Kerio Control server

DONE

Kerio Control must be deployed on a computer (Windows or Linux ApE) which is a member of an Active Directory Domain

It's an appliance joined to the domain.

Check if Kerio Control's name (In "Advanced Options\Web Interface\Use specified hostname") resolves correctly on the local network. Using the IP address of the Kerio Control computer for this setting will not work.

It does. We can ping it and browse to the URL.

Kerio Control must be joined to the domain, and should be pointing exclusively to the Domain Controller for name resolution

Hmmmmmm. We have a PPPoE connection with automatic DNS; how does this work with the domain join? The server can resolve Active Directory computer names, and if you use the URL with NTLM=1 on the end it works. Just not the captive portal.

The web browser must be configured to trust the hostname of the Control firewall (see browser configuration below)

DONE. It's a certificate from Active Directory and all PCs are joined. No certificate errors in either Chrome or IE.

And FYI, the captive portal will be officially available as of version 8.4. It is currently in beta 1.

Now that's something I didn't realise, so this is a beta feature? We are only running non-beta releases.

Any other suggestions?

exportgoldman
sorat wrote on Mon, 29 September 2014 09:00
The fact that users are able to

@a user goes to a webpage, and isn't authenticated they will never be redirected to the captive portal.

is 100% your traffic rules problem.

Do you use proxy or transparent access?

For example, I use logic like this:

FIRST THIS RULE

"real inet access" - (source:auth users, or domain groups(no ip here!!!)) -> (ports of interest(NAT)) - ALLOW

BELOW IS ANOTHER RULE

"for auth only" - (source: lan ip's) - 80 - NAT ALLOW (inspector ON)

This way no unauthenticated user can access internet pages.

But I have correct NTLM login, so no one enters credentials anyway; they just open the browser, and it's done.
Check Kerio's ('security', if I remember correctly) logs.
They tell you what's wrong with NTLM auto auth, if anything.

PS Also, I think port 443 isn't captured correctly, so don't use it in the "for auth only" rule.


Can you post your two firewall rules? It isn't exactly clear what's different between your two rules.

We use the transparent option. Configuring a proxy causes too many problems when users go home, or is too problematic with WPAD etc.

[Updated on: Mon, 29 September 2014 12:29]

sorat
Quote:
it isn't exactly clear what's different between your two rules

Exactly what I'm talking about; that's why I think your config is not correct.
The difference is the key words "(no ip here!!!)", see prev. post.

You DO understand that rules are scanned sequentially in descending order, right?

Quote:
Can you post your two firewall rules?

Actually, quite the opposite: please post your rules (I think you have only one rule that corresponds to internet access).
Because my config is kinda intricate, and the info I provided is just an example of a correct implementation.

Quote:
We use the transparent option
Yeah, that's good, simpler to start with.

PS Also don't forget to check the Configuration -> Domains and User Logins -> "Always require user to be authenticated when accessing web pages" option.

[Updated on: Mon, 29 September 2014 16:55]

exportgoldman
sorat wrote on Mon, 29 September 2014 15:59
Quote:
it isn't exactly clear what's different between your two rules

Exactly what I'm talking about; that's why I think your config is not correct.
The difference is the key words "(no ip here!!!)", see prev. post.

You DO understand that rules are scanned sequentially in descending order, right?

Quote:
Can you post your two firewall rules?

Actually, quite the opposite: please post your rules (I think you have only one rule that corresponds to internet access).
Because my config is kinda intricate, and the info I provided is just an example of a correct implementation.

Quote:
We use the transparent option
Yeah, that's good, simpler to start with.

PS Also don't forget to check the Configuration -> Domains and User Logins -> "Always require user to be authenticated when accessing web pages" option.


Yes, I do understand the firewall rules are applied from the top down. I still don't understand why Kerio requires two rules for internet access, but I applied your rules (as per attached) and all I get now is non-authenticated users able to access the internet because of the second rule.

sorat
Quote:
now non-authenticated users able to access the internet because of the second rule

I bet it's HTTPS that allows them.
See attached pic; this combo should work.

Also, can you check in Active Hosts, when someone accesses without auth, by what rule (and port, i.e. 80 or 443) they are getting through, as shown in the Activity tab?

Attachment: captive.png (Size: 113.71KB)

[Updated on: Tue, 30 September 2014 07:59]
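As an added example (not Kerio's code and not the attachment from this thread), the following is a small first-match model of the two rules sorat describes: it shows why the "for auth only" rule must sit below the authenticated-users rule, and why adding 443 to it, as sorat warns against, lets unauthenticated hosts out over HTTPS. The LAN prefix, group name and port list are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    ip: str
    authenticated: bool = False     # logged in via NTLM or the portal?
    groups: set = field(default_factory=set)

@dataclass
class Rule:
    name: str
    action: str                     # "ALLOW" or "DENY"
    ports: set                      # destination ports the rule covers
    auth_groups: set = None         # source = authenticated users in these groups
    src_nets: tuple = ()            # source = IP prefixes (no login state needed)

    def matches(self, host, port):
        if port not in self.ports:
            return False
        if self.auth_groups is not None:
            # "no ip here": only login state and group membership count
            return host.authenticated and bool(host.groups & self.auth_groups)
        return any(host.ip.startswith(n) for n in self.src_nets)

def evaluate(rules, host, port):
    """First matching rule wins (top-down); nothing matched = implicit DENY."""
    for r in rules:
        if r.matches(host, port):
            return r.name if r.action == "ALLOW" else f"DENY by {r.name}"
    return "implicit DENY"

# Constructed rule sets modelled on the post; the LAN prefix is an assumption.
LAN = ("192.168.1.",)
REAL_ACCESS = Rule("real inet access", "ALLOW", {80, 443, 25, 587},
                   auth_groups={"Domain Users"})
FOR_AUTH_ONLY = Rule("for auth only", "ALLOW", {80}, src_nets=LAN)
LEAKY_AUTH_ONLY = Rule("for auth only", "ALLOW", {80, 443}, src_nets=LAN)
GOOD_RULES = [REAL_ACCESS, FOR_AUTH_ONLY]      # HTTP only -> inspector redirects
LEAKY_RULES = [REAL_ACCESS, LEAKY_AUTH_ONLY]   # 443 added -> HTTPS bypasses auth

def demo():
    guest = Host("192.168.1.50")                              # never logged in
    staff = Host("192.168.1.51", True, {"Domain Users"})      # NTLM-authenticated
    return {
        "guest_http": evaluate(GOOD_RULES, guest, 80),        # 'for auth only'
        "guest_https": evaluate(GOOD_RULES, guest, 443),      # 'implicit DENY'
        "guest_https_leaky": evaluate(LEAKY_RULES, guest, 443),  # 'for auth only'
        "staff_https": evaluate(GOOD_RULES, staff, 443),      # 'real inet access'
    }
```

With the rules swapped, an authenticated user's HTTP request would hit "for auth only" first and be redirected too, which is the ordering point sorat makes.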

exportgoldman
sorat wrote on Tue, 30 September 2014 07:58
Quote:
now non-authenticated users able to access the internet because of the second rule

I bet it's HTTPS that allows them.
See attached pic; this combo should work.

Also, can you check in Active Hosts, when someone accesses without auth, by what rule (and port, i.e. 80 or 443) they are getting through, as shown in the Activity tab?


That seems to all be working great. How did you figure this out?

More importantly, why is this second rule needed? Do you think it's a bug, or is it just how it's meant to work? I didn't see this in any of the documentation.

I would give you karma once I figure out how.
sorat
So it worked for you too in the end? :)

Well, honestly, the second rule is not a 'mandatory must have'.
Because auth goes through roughly 2 stages, it's just isolation of the HTTP protocol in a separate rule, for simpler readability and management.

I also assign a QoS speed limit to it, so as to reduce 'unrecognized users' traffic in the statistics.