Captive Portal in uOS 1.32

Zyxel_Claudia
Zyxel Employee
edited May 7 in Other Topics

Zyxel Networks continues to improve the user authentication experience with the Captive Portal feature in firmware uOS 1.32. These updates offer better control, improved flexibility, and stronger security for managing user access to the Internet.

What is Captive Portal?

The Captive Portal is a web-based authentication gateway that appears before users can access the internet. It intercepts all web traffic until the user has successfully logged in using a valid username and password.

Key features include:

  • Web-based login page enforcement before network access
  • Configurable authentication methods (local or external server)
  • Multiple interface types supported for policy triggers

How to Configure

To configure Captive Portal, navigate to: Captive Portal > Authentication Policy > Policy

Default Status

  • Disabled by default—must be manually enabled
  • Select the incoming interface (Ethernet, VLAN, Bridge, or LAG) that triggers the Captive Portal

Authentication Server

  • Local server used by default
  • External servers (AD, RADIUS, etc.) become available after configuring the AAA server
  • Only one authentication server can be assigned per policy

Advanced Settings

  • Default Redirect IP: 6.6.6.6. If the session page fails to display, this IP can be manually entered in the browser to retrieve the portal.
  • Port Separation (New in uOS 1.32): HTTP and HTTPS redirect ports are now separate from system HTTP/HTTPS service ports to prevent conflicts.
    • Default HTTP: 1080
    • Default HTTPS: 1443
    • If the redirect ports overlap with the system service ports, the system displays a warning prompting you to update the port settings in System Settings > HTTP/HTTPS Port

Redesigned Pages:

  • New look and behavior for both Login Page and Session Page
    • The session page now displays login IP address, lease remaining time and access timeout.

Timeout Settings:

  • Set individually per user in: User & Authentication > User/Group > Setting > Edit Default Authentication Timeout Settings
  • Includes:
    • Lease Time
    • Reauthentication Time

Auto-refresh or user activity will reset the timeout countdown. Without interaction, the session will expire based on the shorter of the two timers.

2FA Support in Captive Portal

Two-Factor Authentication (2FA) can now be enforced for Captive Portal local user logins:

  • Configure via User & Authentication > User/Group > User
  • Enable 2FA in the user profile

After completing 2FA setup, users will be required to enter both their username and password, as well as the 2FA code when accessing the internet.

User Access Control

User Types:

  • Only Admin and Viewer user types are allowed GUI access
  • “User” type accounts (from local database) can only log in through the Captive Portal—not the Web GUI

This change ensures tighter control over administrative access to the firewall interface.

Verification

  • Active login sessions can be verified under: Network Status > Login Users > Login Users
  • Captive Portal-specific entries are clearly marked, including:
    • Username
    • Source IP
    • Login type (Captive Portal)
    • User Information

All related events are also recorded in the System Log for audit and review.
