How to configure a Captive Portal in cOS Core

Last modified on 25 May, 2022. Revision 16
Up to date for
cOS Core 14.00
Status OK
Niklas Wall


Modern, internet-enabled devices continuously check their internet connectivity by sending a HTTP request to a known server. They expect to receive a HTTP status code of 200 OK or 204 No Content if the connection have access to the internet. If the request instead results in any other status code (Like a 203 Redirect), it assumes that the network require authentication to reach the internet.

These checkes are used to force the device to show a Login notification or a Login dialogue to the user.

We accomplish this by setting up a IP Policy that catches all outbound HTTP traffic for non-authenticated hosts and by defining a Web Filter on that IP Policy that redirects all HTTP traffic, (except traffic to the authentication page), we signal to the device that this is a network requires authentication to work.

Note:  This how-to is based on the web user interface, but the same thing can be configured using InControl.

We will acomplish this by:

Creating a local user database

Go to System -> Users -> Local User Databases and create a new user database called guests.

Create a guest user for testing

Create a guest user that we can use for testing.

Configure an Authentication Rule for web-base authentication.

Go to Policies -> User Authentication -> RULES -> Authentication Rules and create a new Authentication Rule.

Select HTTP as Authentication Agent, Local as Authentication Source and the correct Interface and Interface network.

Under Authentication Options you need to select guests as Local User DB.

PLEASE NOTE: We are using unencrypted HTTP in this example for simplicity but you should use HTTPS in production with a trusted TLS certificate.

It’s also a good idea to adjust the Idle Timeout and Session Timeout under the Restrictions tab.

Redirect HTTP traffic for unauthorized hosts to the web-based authentication

Create a Web Profile

Go to Policies ->PROFILES →Web and create a new web profile called RedirectAll.

Edit the new RedirectProfile and configure the URL Filter to:

  1. Whitelist your gateway IP* .
  2. Redirect traffic that matches * to

Make sure that your whitelist filter is positioned first in the list.

Update network objects

Go to Objects -> GENERAL -> Address Book -> InterfaceAddresses and Rename the existing net address to *_Authorized and check the No Defined Credentials checkbox under User Authentication. This will make sure that you existing IP Rules that allow traffic from that interface now requires the host to be authenticated for them to match.

Also create a new network object that does not require authentication. This object is used for IP Policies that should match when the user is not authenticated.

Create a IP Policy that uses the Web Profile.

Go to Policies -> RULES -> Main IP Rules and create a new IP Policy that matches you Source Interface and Source Network and the HTTP Service.

PLEASE NOTE: Since the network connectivity checks from various Operating Systems uses unencrypted HTTP to perform the Captive Portal checks, you should only redirect unencrypted HTTP traffic to the Web Auth page. Trying to block HTTPS will result in SSL/TLS Certificate errors!

Enable Web Control and select the RedirectAll profile we created earlier.

This IP Policy MUST be placed after the IP Rule that allows the Authorized Src Net (# 5 in the Main IP Rules screenshot below).

Reject ALL other traffic for unauthorized hosts.

Go to Policies -> RULES -> Main IP Rules and create a new IP Policy that matches you Source Interface and Source Network and the all_services Service.

This IP Policy MUST be placed after the IP Rule that we just created (It’s #6 in the screenshot below).

Make sure the IP Policies are in the right order.

To make this work correctly the IP Policies that allow traffic from authorized sources MUST be placed before the once we created above so that these are evaluated before

Verify that it works

You should now be able to connect to the network and as soon as you connect, the OS should detect that it’s not able to reach the Internet and instead open the “Hotspot Login” dialogue, or show a notification that “Network Authentication” is required.

Ubuntu “Hotspot Login” dialogue:

Firefox “You must log in” banner:

Note: The above dialogue may not be visible directly when testing, a browser restart may be needed initially.

Android / Samsung “Sign in to network” dialogue:

Custom Web Pages for authentication

Note: Custom HTTP pages can be used for authentication by changing to custom HTTP Banners on the Authentication Rule.

Related articles

Unencrypted LDAP authentication problem towards Microsoft AD
31 Jan, 2023 ldap core authentication radius
Radius vs LDAP for authentication
21 Nov, 2022 radius ldap authentication core