12.2. Authentication Management

There are 3 user management choices that can be used to authenticate users to the Captive Portal.

Optionally web authentication can be secured with HTTPS.

12.2.1. Secure Authentication

Below are some of the Secure Authentication options that can be configured for use with th Captive Portal to .

Table 12.2. Secure Authentication Parameters

Parameter Description
HTTPS login If enabled, the username and password will be transmitted over an HTTPS connection to protect against eavesdroppers. A server name, certificate and matching private key must also be specified below.
HTTPS server name This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate (otherwise, the client browser will most likely display a security warning). Make sure captive portal clients can resolve this name in DNS.
HTTPS certificate Paste a signed certificate in X.509 PEM format here.
HTTPS private key Paste an RSA private key in PEM format here.

12.2.2. Local User Management

When using the Local User Manager option for Authentication it is possible to store and access a list of users on the m0n0wall device itself. This list is manually entered from the web interface and includes the following parameters.

Table 12.3. User Parameters

Parameter Description
Username The name a user will use to authenticate with
Password The password a user will use to authenticate with
Fullname User's full name, for your own information only
Expiration Date Leave blank if the account shouldn't expire, otherwise enter the expiration date in the following format: mm/dd/yyyy

12.2.3. Radius User Management

When using the Radius Authentication option for Authentication it is possible to authenticate with an existing Radius server on a connected network. The Radius server will manage the user authentication requests. This list is manually entered from the web interface and includes the following parameters.

Table 12.4. Radius Server Parameters

Parameter Description
Primary RADIUS server Enter the IP address of the RADIUS server which users of the captive portal have to authenticate against. You can change the default port (1812) and shared secret. Optionally leave the shared secret blank to not use a RADIUS shared secret (not recommended).
Secondary RADIUS server If you have a second RADIUS server, you can activate it by entering its IP address, port and shared secret as done for the primary server.
send RADIUS accounting packets If this is enabled, RADIUS accounting packets will be sent to the primary RADIUS server. Optionally change the default port (1813).
Reauthentication If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately.
Accounting updates These reauthentication updates can be configured to support no accounting updates, stop/start accounting, or interim updates.
RADIUS MAC authentication If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and a static password/secret to the RADIUS server.
RADIUS Session-Timeout attributes When this is enabled, clients will be disconnected after the amount of time retrieved from the RADIUS Session-Timeout attribute.
Radius Type If RADIUS type is set to Cisco, in RADIUS requests (Authentication/Accounting) the value of Calling-Station-Id will be set to the client's IP address and the Called-Station-Id to the client's MAC address. Default behaviour is Calling-Station-Id = client's MAC address and Called-Station-Id = m0n0wall's WAN MAC address.
MAC address format This option changes the MAC address format used in the whole RADIUS system. Change this if you also need to change the username format for RADIUS MAC authentication. default: 00:11:22:33:44:55 singledash: 001122-334455 ietf: 00-11-22-33-44-55 cisco: 0011.2233.4455 unformatted: 001122334455