Configuring a Captive Portal

This article is for IT support. 

School Manager allows you to enable a Captive Portal that users must interact with before they can access your school's network. Enabling a Captive Portal will stop users from connecting to your school’s network unless they can prove that they’re actually staff, students, or other authorized users.

Why should I use a Captive Portal?

Responsible use of the school network: You can use Captive Portal to ensure that only authorized users and guests can connect to the school network and that they agree to the service's terms and conditions.

Device association with the user: Captive Portal associates a device with a user. Associating a device with a user further ensures network security and responsible use, and is also more convenient for the user. Users whose devices are permanently associated with their accounts need to log in only once, unless they choose to log out of Captive Portal. See Permanent Associations below.

Setting up a Captive Portal

  1. In School Manager, navigate to Configuration > Authentication > Captive Portal.
  2. Select Enabled. Selecting this item enables the Captive Portal.
  3. Enter a descriptive name for the Captive Portal. The name identifies your custom Captive Portal in the list and shows who it is for. This is helpful for schools that have created multiple Captive Portals.
  4. On the Networks field, select Edit. The Edit Included Networks dialog will appear. Included Networks determine which networks within the school require logging into Captive Portal. For example, if you select Any, then Captive Portal will require users across the campus to log in. If you select Network Range, all users connecting within a range of IP addresses will be asked to log in; those who are connecting outside the network range will not be asked to log in.
  5. Select a Criteria from the dropdown. Select only one criterion and do not leave blank fields. A blank network criteria field can prevent your Captive Portal from working correctly.  
| Criteria | Description | Example |
| --- | --- | --- |
| IP Address | Applies to a single IP Address. | 192.168.0.1 |
| IP Address Object | Used for multiple IP addresses that people will log in to that are not within a range. Not recommended for network connected devices like printers, projectors, or cameras. Add a list of IP Addresses in School Manager > Filtering > Object Pools. See Objects and Object Pools for more information. | 192.168.0.1, 192.168.1.2, 192.168.7.13 |
| Any | Applies to all of the school network. All users will be asked to log in. | - |
| Network Range | Applies to an IP Range only. Do not use wildcards. | 192.168.0.10 - 192.168.0.25 |
| Network | Applies to an IP Subnet only. Do not use wildcards. | 192.168.0.0/255.255.255.0 |
  6. Enter a Message for the user. This is a plain text field with no character limit. We recommend using less than 100 characters. For example, "Welcome to Your School, please log in to continue".
  7. Select Choose to upload a logo. Use a JPEG or PNG file that is less than 5MB. The image will be proportionally scaled to 480px width.
  8. Select your school’s Authentication Method. You can select any or all methods.

| Authentication Method | Result |
| --- | --- |
| Guest | Users will log in as a Guest using a temporary token. |
| Google | Users can log in with their approved Google accounts. |
| Azure | Users can log in with Azure AD. |
| Standard | Users log in with their username and password. |

  9. Select Save.

What do users see?

When all authentication methods are enabled, the users will see the links on the Captive Portal page. Authenticated users can enter their school-provided username and password to log in or select Google or Azure AD. Guests need to select Login as a Guest using temporary tokens to continue.

You can give your teachers and their students the following files to print and use the first time they log in.

Optional Settings

You can configure the Captive Portal’s optional settings to help you:

  1. Permanent Associations
  2. Redirect to Website
  3. SSL Onboarding
  4. Adding Exceptions

Permanent Associations

A Permanent Association links a device with a user's authenticated identity or account, letting that user connect to your school's network on that device without logging into the Captive Portal again. 

If the user attempts to connect to the school network with a new device, that device will also need to be permanently associated with the user if they want to skip logging in the next time they connect to the network using that device. 

A user can be permanently associated across multiple devices with the same account.

Enabling Permanent Associations

To enable Permanent Associations:

  1. Select:
    • All Users to permanently associate devices for all users. Selecting All Users will hide the Groups option.
    • Groups to permanently associate devices for certain groups only. For example, you can allow only teachers, non-teaching staff, or certain students.
  2. Select Save.

Upon successful login, the user has the option to permanently associate their current device with their account by selecting Continue and Save My Device. After that, they don’t have to log in when they reconnect to the network using the same device.

When Permanent Association is not enabled

The user is asked to visit their Dashboard or is redirected to a URL. They have to log in to Captive Portal each time they connect to the school network.

Purging Associations

You can purge associations to stop associating a device with a user. This is especially useful when a school-managed device is given to a new student at the start of the new term or to a new staff member.

To purge associations:

  1. Go to Configuration > Users and Groups > Associations.
  2. Select Purge Associations.
  3. On the Purge Associations dialog: Select Purge Stale Associations to delete associations for users who are no longer active, such as those who have left the school, no longer use their associated devices, or have been deleted from School Manager.
  4. Select Purge All Associations to delete all associations between users and devices.

Redirect to Website

To redirect the user to a specific page once they have logged in:

  1. Select Auto Redirect.
  2. Type https:// and a web address.

If this feature is not enabled, the user will see the default Welcome page instead of redirecting to another site.

Adding Exceptions

Exceptions allow you to configure networks or device types to bypass the Captive Portal if they meet certain criteria.

To avoid disruptions when using non-user devices and office equipment (for example, printers, scanners, wireless routers and extenders, projectors and smart monitors), we recommend setting up exceptions. This way, users do not have to log in each time they use, restart, or reconnect this equipment.

Configuring Exceptions

  1. Select Add Exception.
  2. On the Add Exception dialog that appears, enter a Name and select a Criteria from the Select Criteria dropdown.

    | Criteria | Description | Example |
    | --- | --- | --- |
    | IP Address Object | Applies to a list of predefined IP Addresses using Object Pools. See Objects and Object Pools for more information. | 192.168.0.1, 192.168.0.2 |
    | MAC Address Object | Applies to a list of predefined MAC Addresses using Object Pools. See Objects and Object Pools for more information. | 00:1b:44:91:3a:b7, 00:1c:41:11:2a:b7 |
    | Network | Applies to an IP Subnet | 192.168.0.0/255.255.255.0 |
    | Network Range | Applies to an IP Range | 192.168.0.10 - 192.168.0.25 |
    | Website | Applies to a single website | facebook.com |
    | Website Object | Applies to a list of predefined websites using Object Pools. See Objects and Object Pools for more information. | Streaming sites object pool, Safe sites object pool |
    | Application | Applies to an application using Signatures | Adobe, AOL, BBC etc |
    | Device Type | Applies to a specific device type. | Apple MAC, Apple iPad, Windows etc |
    | IP Address | Applies to a single IP Address | 192.168.0.1 |

  3. Enter the required value(s) for the criteria. If you’re using multiple entries, separate each entry with a comma.
  4. Select Save.
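
A planning check for the Networks and Exceptions criteria described above, added here as an example that is not part of the original article or of School Manager: it validates values in the IP Address, Network Range and Network formats shown in the tables (rejecting blanks and wildcards) and counts how many addresses in the included networks would skip login because of exceptions. The function names, and the rule that an exception always overrides an included network, are assumptions of this example.

```python
import ipaddress

def parse_criterion(kind, value):
    """Return inclusive (low, high) integer bounds for one criterion value."""
    value = value.strip()
    if not value or "*" in value:
        raise ValueError(f"{kind}: blank or wildcard value {value!r}")
    if kind == "IP Address":
        ip = int(ipaddress.IPv4Address(value))
        return ip, ip
    if kind == "Network Range":
        low, _, high = (part.strip() for part in value.partition("-"))
        low, high = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        if low > high:
            raise ValueError(f"{kind}: start is above end: {value!r}")
        return low, high
    if kind == "Network":
        net = ipaddress.IPv4Network(value, strict=True)  # rejects host bits set
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unsupported criterion: {kind!r}")

def _ranges(rules):
    """Parse (kind, value) rules and merge overlaps so no address counts twice."""
    merged = []
    for low, high in sorted(parse_criterion(k, v) for k, v in rules):
        if merged and low <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], high)
        else:
            merged.append([low, high])
    return merged

def exception_coverage(included, exceptions):
    """Return (gated, exempt) address counts within the included networks."""
    inc, exc = _ranges(included), _ranges(exceptions)
    total = sum(high - low + 1 for low, high in inc)
    exempt = sum(max(0, min(ih, eh) - max(il, el) + 1)
                 for il, ih in inc for el, eh in exc)
    return total - exempt, exempt

def requires_login(client_ip, included, exceptions):
    """Assumed model: gated if in an included network and in no exception."""
    ip = int(ipaddress.IPv4Address(client_ip))
    def inside(rules):
        return any(low <= ip <= high for low, high in _ranges(rules))
    return inside(included) and not inside(exceptions)

# Constructed sample built from the example values in the article's tables.
INCLUDED = [("Network", "192.168.0.0/255.255.255.0")]
EXCEPTIONS = [("IP Address", "192.168.0.1"), ("Network Range", "192.168.0.10 - 192.168.0.25")]
```

With the sample values, 17 of the 256 addresses in the included subnet bypass the portal; a large exempt count is a prompt to narrow the exceptions to the specific equipment that needs them.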

Troubleshooting

Can I limit Captive Portal logins to certain users, groups, or classrooms?

You can enable Captive Portal for specific networks, but not for specific users or groups. You can set certain networks (see steps 4-5 of Setting up a Captive Portal, above), such as those in classrooms, offices, or public spaces, to require users to log in to the Captive Portal.

I can't connect my server to the Internet or perform updates

You may need to set up exceptions for your services and networking infrastructure. When enabling Captive Portal, you must ensure that you have created exceptions for your school's networking devices.

What happens if all devices are already Permanently Associated?

Permanent Association works by remembering the MAC address of the user’s device. If your school VLANs terminate on the core switch, each user device will share the same MAC address as the core switch. If one user has already permanently associated a device in this environment, all devices will also be permanently associated. 

To fix this, you must ensure your VLANs don’t terminate on the core switch. Once you’ve done this, we recommend resetting all Permanent Associations by navigating to Configuration > Users and Groups > Associations > Purge Associations.

Why are some sites and traffic excluded from Captive Portal?

Some sites and traffic will not be gated behind your Captive Portal, and unauthenticated users may be able to access them. These sites and traffic can bypass the Captive Portal exclusively to ensure that you don’t experience network or service disruption, including disruption of your Linewize services, Google Workspace, or Azure Active Directory user authentication.

Google services such as Google Drive or Google Search may be accessible to unauthenticated users, but once an unauthenticated user attempts to access a website or filtering signature that is not on the Captive Portal Exception list, they will be directed to a Captive Portal sign-in page.  

Can I remove permanent associations from shared computers?  

If you find there are too many usernames saved on shared computers using Captive Portal, you can use School Manager to remove old usernames or all usernames associated with the devices.
