Wireless Access

Contributor II

[Captive Portal]: Allow Access to resource without authentication

Hi all,


Im looking to allow my BYOD users to access a single IIS instance without authentication against the Captive Portal.

The reason for this would be to allow BYOD users to log into our VDI infrastructure without having to authenticate twice.


The way I have the Welcome GUI on the captive portal - it basically splits our BYOD users into two possible routes...

Route 1 - Internet access only -> Captive Portal Login  -> "authenticate against CP" -> Internet delivered.

Route 2 - Virtual Desktop -> Captive Portal Login -> authenticate against CP -> authenticate against VDI -> VDI delivered.


Id like to simplify route 2, buy allowing access to an internal IIS server without CP authentication.

I've been playing around with the statefull firewall but I just cant seem to crack it.


There must be a way for me to specify a port / hst rule to allow this through - I just cant seem to find it :(


Any guidence would be greatly received.


Re: [Captive Portal]: Allow Access to resource without authentication

If I understand you correctly, you want to allow access to the VDI infrastructure while someone is the "logon" role.  This should be possible.    The question becomes do you want to allow this through a link on the captive portal page (just no auth)?   In order for the user to get there you'll need to allow access as you suggest through the firewall rules.


In the logon role; add a new poloicy that is going to allow all the appropriate ports and destinations as permit.  You'll need to determine what the hosts are and all the appropriate ports.   These will need to go above the captiveportal ACL so it does not intercept any http/https requests.


For example:

netdestination "vdi-hosts"

host x.x.x.x

host x.x.x.x


ip access-list session "allow-vdi-access"

user alias vdi-hosts svc-http permit

user alias vdi-hosts svc-https permit

user alias vdi-hosts <other services> permit


user-role <your logon role>

access-list "logon-control"

access-list "allow-vdi-access"

access-list "captiveportal"


Systems Engineer, Northeast USA

Contributor II

Re: [Captive Portal]: Allow Access to resource without authentication

Hi Clembo,


Thanks for your speedy reply, (if only mine were so quick)

Would it be possibe to give me a step by step of what you posted please?


Many thanks,


Contributor II

Re: [Captive Portal]: Allow Access to resource without authentication

Scratch that, Ive figured it out.


Many thanks for your help, really appreciated.

Search Airheads
Showing results for 
Search instead for 
Did you mean: