Configuring a Captive Portal

This article is for IT Support. 

School Manager allows you to enable a Captive Portal that users must interact with before accessing your school's network. Using a Captive Portal will prevent users from connecting to your school’s network unless they can prove they’re staff, students, or other authorized users. You would want to set up a Captive Portal for two main reasons.

  1. Responsible use of the school network: You can use Captive Portal to ensure that only authorized users and guests can connect to the school network and that they agree to the service's terms and conditions.
  2. Device association with the user: Captive Portal associates a device with a user. By associating a device with a user, Captive Portal further ensures network security, responsible use, and convenience on the part of the user. Users whose devices are permanently associated with their accounts only need to sign in once unless they choose to sign out of Captive Portal. See Permanent Associations below.

Important

If you want users to sign in with Microsoft Entra ID (formerly Azure AD), complete the steps outlined in Integrating Microsoft Entra ID sign-in with a Captive Portal before configuring a Captive Portal.

Configuring a Captive Portal

  1. In School Manager, navigate to Configuration > Authentication > Captive Portal.
  2. Select Enabled.
  3. Enter a Descriptive Name for the Captive Portal. This name identifies your custom Captive Portal in the list and indicates who it is for. This is helpful for schools that have created multiple Captive Portals.
  4. In the Networks field, select Edit. The Edit Included Networks dialog will appear. Included Networks determine which networks within the school require signing in to a Captive Portal.
    1. If you select Any, then Captive Portal will require users across the campus to sign in.
    2. If you select Network Range, all users connecting within the set range of IP addresses will be asked to sign in; those connecting outside the network range will not be asked to sign in.
  5. Select a Criteria from the dropdown. Select only one criterion and do not leave blank fields. 

Warning

Leaving the network criteria field blank can prevent your Captive Portal from working correctly.

Criteria: IP Address
Description:
  • Applies to a single IP Address.
Example: 192.168.0.1

Criteria: IP Address Object
Description:
  • Used for multiple IP addresses that people will sign in to that are not within a range.
  • Not recommended for network devices like printers, projectors, or cameras.
  • Add a list of IP Addresses in School Manager > Filtering > Object Pools
  See Objects and Object Pools for more information.
Example: 192.168.0.1, 192.168.1.2, 192.168.7.13

Criteria: Any
Description:
  • Applies to all of the school network.
  • All users will be asked to sign in.
Example: -

Criteria: Network Range
Description:
  • Applies to an IP Range only.
  • Do not use wildcards.
Example: 192.168.0.10 - 192.168.0.25

Criteria: Network
Description:
  • Applies to an IP Subnet only.
  • Do not use wildcards.
Example: 192.168.0.0/255.255.255.0

  6. Enter a Message for the user. This is a plain text field with no character limit. We recommend using fewer than 100 characters. For example, "Welcome to Your School, please sign in to continue".
  7. Select Choose to upload a logo. Use a JPEG or PNG file that is less than 5MB. The image will be proportionally scaled to 480px width.
  8. Select your school’s Authentication Method. You can select any or all methods.

     Authentication Method: Guest
     Result: Users can sign in as a Guest using a temporary token.

     Authentication Method: Google
     Result: Users can sign in with their approved Google accounts.

     Authentication Method: Azure
     Result: Users can sign in with Microsoft Entra ID (formerly Azure AD).

     Authentication Method: Standard
     Result: Users can sign in with their username and password.

  9. Select Save.

 

What do users see?

When all authentication methods are enabled, the users will see the links on the Captive Portal page. Authenticated users can enter their school-provided username and password to sign in or select Google or Azure AD. Guests need to select Login as a Guest to continue.

Image 1: Captive Portal Sign-in page.

 

Optional Settings

Permanent Associations

A Permanent Association links a device with a user's authenticated identity or account, allowing the user to connect to your school's network on that device without signing in to the Captive Portal again. 

If the user attempts to connect to the school network with a new device, that device will also need to be permanently associated with the user if they want to skip signing in the next time they connect to the network using that device. 

A user can be permanently associated across multiple devices with the same account.

Warning

If your school uses shared devices, you should add them to the Associations Exceptions list so they can’t be Permanently Associated. Failing to do so means any user who uses that device will not be required to sign in to the Captive Portal, and you won’t be able to identify who is using the device.

Enabling Permanent Associations

To enable Permanent Associations:

  1. Select:
    • All Users to permanently associate devices for all users. This will hide the Groups option.
    • Groups to permanently associate devices for certain groups only. For example, you can allow only teachers, non-teaching staff, or certain students.
  2. Select Save.

Image 2: The Permanent Associations section.

 

Upon successful sign-in, users can permanently associate their current device with their account by selecting Continue and Save My Device. They don’t have to sign in when reconnecting to the network using the same device.

Image 3: Option to Permanently Associate your device.

 

When Permanent Association is not enabled

The user is asked to visit their Dashboard or redirected to a URL. They must sign in to Captive Portal whenever they connect to the school network.

Image 4: Successful Sign In to the Captive Portal.

 

Purging Associations

You can purge associations to stop associating a device with a user. This is especially useful when a school-managed device is given to a new student at the start of the new term or to a new staff member.

To purge associations:

  1. Go to Configuration > Users and Groups > Associations.
  2. Select Purge Associations.
  3. The Purge Associations window will appear. Select Purge Stale Associations to delete associations for users who are no longer active, such as those who have left the school, no longer use their associated devices, or have been deleted from School Manager.
  4. Select Purge All Associations to delete all associations between users and devices.

Redirect to Website

To redirect the user to a specific page once they have signed in:

  1. Select Auto Redirect.
  2. Type https:// and a web address.

If this feature is not enabled, the user will see the default welcome page instead of redirecting to another site.

Image 5: Difference between a Google Redirect and a No Redirect.

Adding Exceptions

Exceptions allow you to configure networks or device types to bypass the Captive Portal if they meet certain criteria.

Image 6: Adding Exceptions to devices.

You should set up exceptions to avoid disruptions when using non-user devices and office equipment (printers, scanners, wireless routers, extenders, projectors, and smart monitors). This way, users do not have to sign in each time they use, restart, or reconnect this equipment.

 

Configuring Exceptions

  1. Select Add Exception.
  2. In the Add Exception dialog, enter a Name and select a Criteria from the Select Criteria dropdown.
     
    Criteria: IP Address Object
    Description: Applies to a list of predefined IP Addresses using Object Pools. See Objects and Object Pools for more information.
    Example: 192.168.0.1, 192.168.0.2

    Criteria: MAC Address Object
    Description: Applies to a list of predefined MAC Addresses using Object Pools. See Objects and Object Pools for more information.
    Example: 00:1b:44:91:3a:b7, 00:1c:41:11:2a:b7

    Criteria: Network
    Description: Applies to an IP Subnet
    Example: 192.168.0.0/255.255.255.0

    Criteria: Network Range
    Description: Applies to an IP Range
    Example: 192.168.0.10 - 192.168.0.25

    Criteria: Website
    Description: Applies to a single website
    Example: facebook.com

    Criteria: Website Object
    Description: Applies to a list of predefined websites using Object Pools. See Objects and Object Pools for more information.
    Example: Streaming sites object pool, Safe sites object pool

    Criteria: Application
    Description: Applies to an application using Signatures
    Example: Adobe, AOL, BBC etc

    Criteria: Device Type
    Description: Applies to a specific device type.
    Example: Apple MAC, Apple iPad, Windows etc

    Criteria: IP Address
    Description: Applies to a single IP Address
    Example: 192.168.0.1

  3. Enter the required value(s) for the criteria. If you’re using multiple entries, separate each entry with a comma.
  4. Select Save.
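
Before entering Included Networks and Exceptions, it can help to check the planned values offline. The following is an added example, not School Manager code: it validates IP-based criteria in the formats shown in the tables above (rejecting blank values and wildcards) and models which addresses would be asked to sign in. The function names are hypothetical, and it assumes that a matching exception always bypasses the portal.

```python
import ipaddress

def parse_criterion(kind, value=""):
    """Turn one criterion into a predicate on an IPv4Address.

    Formats follow the article's Criteria tables; the function itself is
    illustrative and is not School Manager's own validation.
    """
    value = value.strip()
    if kind == "Any":
        return lambda ip: True
    if not value:
        raise ValueError(f"{kind}: blank value")
    if "*" in value:
        raise ValueError(f"{kind}: wildcards are not allowed: {value!r}")
    if kind == "IP Address":
        addr = ipaddress.IPv4Address(value)
        return lambda ip: ip == addr
    if kind == "Network Range":
        parts = value.split("-")
        if len(parts) != 2:
            raise ValueError(f"{kind}: expected 'first - last': {value!r}")
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in parts)
        if lo > hi:
            raise ValueError(f"{kind}: range is reversed: {value!r}")
        return lambda ip: lo <= ip <= hi
    if kind == "Network":
        # Accepts the subnet/netmask form shown in the article and rejects
        # values with host bits set, such as 192.168.0.5/255.255.255.0.
        net = ipaddress.IPv4Network(value, strict=True)
        return lambda ip: ip in net
    raise ValueError(f"unsupported criterion: {kind!r}")

def must_sign_in(client_ip, included, exceptions):
    """Model: an exception match bypasses the portal (assumed precedence)."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(parse_criterion(k, v)(ip) for k, v in exceptions):
        return False
    return any(parse_criterion(k, v)(ip) for k, v in included)

# Constructed plan, reusing the example values from the tables.
INCLUDED = [("Network", "192.168.0.0/255.255.255.0")]
EXCEPTIONS = [("Network Range", "192.168.0.10 - 192.168.0.25")]

if __name__ == "__main__":
    for ip in ("192.168.0.12", "192.168.0.40", "192.168.1.5"):
        print(ip, "sign-in required:", must_sign_in(ip, INCLUDED, EXCEPTIONS))
```

Running the same check against every address a shared device can receive shows whether an exception range unintentionally lets it skip sign-in.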

 

 
