Captive Portal in uOS 1.32
Zyxel Employee
Zyxel Networks continues to improve the user authentication experience with the Captive Portal feature in firmware uOS 1.32. These updates offer better control, improved flexibility, and stronger security for managing user access to the Internet.
What is Captive Portal?
The Captive Portal is a web-based authentication gateway that appears before users can access the internet. It intercepts all web traffic until the user has successfully logged in using a valid username and password.
Key features include:
- Web-based login page enforcement before network access
- Configurable authentication methods (local or external server)
- Multiple interface types supported for policy triggers
How to Configure
To configure Captive Portal, navigate to: Captive Portal > Authentication Policy > Policy
Default Status
- Disabled by default—must be manually enabled
- Select incoming interface (Ethernet, VLAN, Bridge, or LAG) that triggers the Captive Portal
Authentication Server
- Local server used by default
- External servers (AD, RADIUS, etc.) become available after configuring the AAA server
- Only one authentication server can be assigned per policy
Advanced Settings
- Default Redirect IP: 6.6.6.6 If the session page fails to display, this IP can be manually entered in the browser to retrieve the portal.
- Port Separation (New in uOS 1.32): HTTP and HTTPS redirect ports are now separate from system HTTP/HTTPS service ports to prevent conflict.
- Default HTTP: 1080
- Default HTTPS: 1443
- If overlap occurs, the system will prompt a warning to update port settings in System Settings > HTTP/HTTPS Port
Redesigned Pages:
- New look and behavior for both Login Page and Session Page
- The session page now displays login IP address, lease remaining time and access timeout.
Timeout Settings:
- Set individually per user in: User & Authentication > User/Group > Setting > Edit Default Authentication Timeout Settings
- Includes:
- Lease Time
- Reauthentication Time
Auto-refresh or user activity will reset the timeout countdown. Without interaction, the session will expire based on the shorter of the two timers.
2FA Support in Captive Portal
Two-Factor Authentication (2FA) can now be enforced for Captive Portal local user logins:
- Configure via User & Authentication > User/Group > User
- Enable 2FA in the user profile
After completing 2FA setup, users will be required to enter both their username and password, as well as the 2FA code when accessing the internet.
User Access Control
User Types:
- Only Admin and Viewer user types are allowed GUI access
- “User” type accounts (from local database) can only log in through the Captive Portal—not the Web GUI
This change ensures tighter control over administrative access to the firewall interface.
Verification
- Active login sessions can be verified under:Network Status > Login Users > Login Users
- Captive Portal-specific entries are clearly marked, including:
- Username
- Source IP
- Login type (Captive Portal)
- User Information
All related events are also recorded in the System Log for audit and review.
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 166 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 366 USG FLEX H Series
- 293 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.7K Consumer Product
- 264 Service & License
- 408 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight