Captive Portal – Advanced Settings

Zyxel_Claudia

In the latest firmware update for USG FLEX H Series, Captive Portal receives significant enhancements to its Advanced Settings.

This article will walk you through the new advanced features, including improved redirect behavior, landing page options, HTTPS handling, and idle timeout configurations.

1. Customizable Landing Pages

A new setting allows admins to control what users see after successful authentication via Captive Portal. You now have three options:

Stay on Captive Portal Page

After logging in, users remain on the Captive Portal page, which displays a simple success message.

Redirect to Session Information Page

Users are taken to a page that shows their session details including:

• Assigned IP address
• Session start time
• Authentication duration

Redirect to a Promotional URL

A great feature for hotels, retail, or guest Wi-Fi scenarios—redirect users to a custom URL such as:

• A company website
• A welcome page
• A promotional campaign

This gives organizations an opportunity to deliver branded or informational content immediately after login.

2. Enhanced HTTPS Redirection Behavior

Zyxel has improved the HTTPS redirection behavior to reduce confusion and increase control:

Renamed Setting for Clarity

Previously labeled ambiguously as "Redirect HTTPS," the setting is now renamed to:

Redirect TCP port 443 Traffic to Login Page

This helps clarify its function: when enabled, users trying to access HTTPS websites will be redirected to the Captive Portal login page.

Why This Matters

By default, this setting is disabled. Here’s why:

• Modern browsers enforce HSTS certificate validation
• Redirecting HTTPS without a trusted certificate leads to browser warnings

When to Enable It

Enable this option only if:

• The Captive Portal is used for internal access, such as an intranet or internal server
• Your users have the portal certificate pre-installedThis ensures a smoother experience without browser warnings.

3. Further Clarification with Redirection HTTPS

The firmware now clearly distinguishes between:

• Redirect HTTPS is different from Redirect TCP Port 443 Traffic to Login Page (formerly Redirect HTTPS).
• Redirect HTTPS forces access to the captive portal landing page to switch over to HTTPS

When enabled, this ensures that login page redirection uses HTTPS, providing secure credential transmission. Example:https://6.6.6.6:1443/default_page/user_login.html

4. Idle Timeout: Auto-Logout for Inactive Sessions

A newly introduced Idle Timeout feature improves security and session management.

How It Works:

When enabled, the firewall checks whether a logged-in client is still active. If no traffic is detected from a client for a defined period (e.g., 2 minutes), the session is terminated automatically.

• Default setting: Disabled
• Configurable range: 1 – 60 minutes

Use Case:

Ideal for public or shared network environments where:

• Users may walk away without logging out
• Admins want to free up IP addresses
• Enhanced session security is required

Monitoring with CLI:

Use Zyxel CLI to track and verify idle timeout behavior:

usgflex200hp> cmd captive-portal _debug switch

This command allows administrators to view current authenticated users, including idle timers and session status. And Enter cmd captive-portal _debug switch again to stop printing logs