Web Authentication

After Web authentication (WebAuth) is configured, opening a browser to access the Internet redirects you to the WebAuth login page. Depending on the authentication mode, you need to provide the corresponding authentication information. After successful Web authentication, the system assigns a role to the IP address according to the policy configuration, which provides a role-based access control method.

Web authentication means you are prompted to verify your identity on the authentication page. It includes the following four modes:

  • Password Authentication: Uses a username and password during Web authentication.
  • SMS Authentication: Uses SMS during Web authentication. On the login page, you enter the mobile number and the SMS verification code you receive. If the SMS verification code is correct, you pass the authentication.
  • NTLM Authentication: The system automatically obtains the login user information of the local PC terminal and then verifies the identity of the user. For configuration details, see NTLM Authentication.
  • WeChat Authentication: WeChat authentication is triggered by automatically opening the WeChat client through the Portal page, and then the WeChat server sends the user information to the device for authentication. For configuration details, see WeChat Authentication.

Enabling the WebAuth

To enable the Web authentication, take the following steps:

  1. Click Network > WebAuth > WebAuth.
  2. Select the Enable check box of WebAuth to enable the WebAuth function.

Configuring Basic Parameters for WebAuth

The basic parameters apply to all WebAuth policies.

To configure WebAuth basic parameters, take the following steps:

  1. Click Network > WebAuth > WebAuth.

  2. Click Apply.

  • If the WebAuth success page is closed, you can log out not only by timeout, but also by visiting the WebAuth status page (which displays online users, online times and a logout button). You can visit it at "http(https)://IP-Address:Port-Number". In the URL, IP-Address refers to the IP address of the WebAuth interface, and Port-Number refers to the HTTP/HTTPS port. By default, the HTTP port is 8181 and the HTTPS port is 44433. The WebAuth status page is not available if there are no online users on the client or if WebAuth is disabled.

  • After the basic configuration, you should create two policy rules in Security Policy to make WebAuth take effect, and then adjust the priority of the two policies to the highest. The WebAuth policies need to be configured according to the following policy template:
  • After WebAuth is configured, users who match the WebAuth policy should enter the correct username and password, after which they can access the network. The system takes measures to prevent unauthorized users from obtaining usernames and passwords by brute force: if login fails from the same host three times in two minutes, that host is blocked for 2 minutes.
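
The lockout rule above can be modelled to check which hosts a record of failed logins should have caused to be blocked, for comparison with what the device or a SIEM rule actually reported. This is an added example, not code from the product or its vendor; the log line format, the sample entries and the function name expected_blocks are constructed for illustration, and the sliding-window reading of the rule is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # "three times"
WINDOW = timedelta(minutes=2)    # "in two minutes"
BLOCK = timedelta(minutes=2)     # "blocked for 2 minutes"

# Constructed log format for this example; not the device's real log syntax.
LINE_RE = re.compile(r"^(\S+) webauth login (failed|ok) user=(\S+) src=(\S+)$")

SAMPLE_LOG = """\
2024-05-01T09:00:00 webauth login failed user=alice src=10.1.1.20
2024-05-01T09:00:40 webauth login failed user=alice src=10.1.1.20
2024-05-01T09:01:10 webauth login failed user=bob src=10.1.1.31
2024-05-01T09:01:30 webauth login failed user=admin src=10.1.1.20
2024-05-01T09:02:00 webauth login failed user=admin src=10.1.1.20
2024-05-01T09:04:00 webauth login failed user=bob src=10.1.1.31
2024-05-01T09:04:30 webauth login ok user=bob src=10.1.1.31
"""

def expected_blocks(log_text):
    """Return {host: [(block_start, block_end), ...]} under the stated rule."""
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    blocked_until = {}
    blocks = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "failed":
            continue
        ts, host = datetime.fromisoformat(m.group(1)), m.group(4)
        if host in blocked_until and ts < blocked_until[host]:
            continue             # assumption: attempts while blocked are not counted
        q = recent[host]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()          # drop failures older than the two-minute window
        if len(q) >= MAX_FAILURES:
            # The rule is keyed on the host, so failures for different
            # usernames from one source address count together.
            blocked_until[host] = ts + BLOCK
            blocks[host].append((ts, ts + BLOCK))
            q.clear()
    return dict(blocks)
```

On the constructed sample, only 10.1.1.20 is expected to be blocked; the two failures from 10.1.1.31 are more than two minutes apart and never reach the threshold.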

Customizing WebAuth Page

The WebAuth page is the redirected page when an authenticated user opens the browser. By default, you need to enter the username and password in the WebAuth page. You can also select the SMS authentication mode or the WeChat authentication mode.

  1. Click Network > WebAuth > WebAuth.
  2. Click the Login Page Customization tab, click Download Template to download the zip file "webauth" of the default WebAuth login page, and then unzip the file.
  3. Open the source file and modify the content (including style, pictures, etc.) according to your requirements. For more detailed information, see readme_cn.md or readme_en.md.
  4. Compress the modified files and click Upload to upload the zip file to the system.

  • After upgrading from a previous version to version 5.5R6, the WebAuth login page you already specified becomes invalid and is restored to the default page. You should re-download the template after the version upgrade and customize the login page.
  • After upgrading the system version, you should re-download the template, modify the source file, and then upload the custom page package. If the uploaded package version is not consistent with the current system version, the custom login page will not work properly.
  • The zip file should comply with the following requirements: the file format should be zip; the zip file may contain at most 50 files; the zip file may be at most 1M in size; the zip file should contain "index.html".
  • The system can save only one file each for the default template page and the customized page. When you upload a new customized page file, the old file is overwritten. It is recommended that you back up the old file.
  • If you want to trigger WebAuth through HTTPS requests, you first need to import the root certificate (the certificate of the device) into the browser. Triggering WebAuth through HTTPS requests depends on the SSL proxy feature. If the device does not support SSL proxy, triggering WebAuth through HTTPS requests will not work, and you can trigger WebAuth through HTTP requests instead.
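
A pre-upload check for the zip file requirements listed above, as an added example that is not part of the product or its template. It reads "1M" as 1 MiB, accepts index.html at any folder depth, and additionally flags entry paths that point outside the archive; these three choices and the function names check_webauth_zip and build_zip are assumptions of this example.

```python
import io
import zipfile

MAX_FILES = 50               # at most 50 files in the zip
MAX_ZIP_BYTES = 1024 * 1024  # "1M", read here as 1 MiB (assumption)
REQUIRED = "index.html"

def check_webauth_zip(data: bytes):
    """Return a list of problems; an empty list means the package passes."""
    problems = []
    if len(data) > MAX_ZIP_BYTES:
        problems.append(f"zip is {len(data)} bytes, limit is {MAX_ZIP_BYTES}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return problems + ["not a zip archive"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Directory entries are not counted as files (assumption).
        names = [i.filename.replace("\\", "/")
                 for i in zf.infolist() if not i.is_dir()]
        if len(names) > MAX_FILES:
            problems.append(f"{len(names)} files, limit is {MAX_FILES}")
        # Assumption: index.html may sit inside a top-level folder.
        if not any(n.rsplit("/", 1)[-1] == REQUIRED for n in names):
            problems.append(f"{REQUIRED} is missing")
        # Extra check beyond the listed requirements: no entry may use an
        # absolute path or ".." to point outside the archive root.
        unsafe = [n for n in names if n.startswith("/") or ".." in n.split("/")]
        if unsafe:
            problems.append(f"unsafe entry paths: {unsafe}")
        if zf.testzip() is not None:
            problems.append("archive has a corrupt entry")
    return problems

def build_zip(entries):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_zip({"webauth/index.html": b"<html></html>",
                        "webauth/css/style.css": b"body{}"})
    print(check_webauth_zip(sample) or "package OK")
```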

NTLM Authentication

This method is still triggered through the browser, and the browser automatically sends the user information to the AD server.

To configure the NTLM authentication, take the following two steps:

Step 1: Configure NTLM for System

  1. Click Network > WebAuth > WebAuth to enter the WebAuth page.
  2. Select NTLM from the Authentication Mode drop-down list. For the basic configurations, see Configuring Basic Parameters for WebAuth.
  3. Click Apply.

Step 2: Configure settings for User Browser

  1. On the PC terminal of a user, open a browser (take IE as an example).
  2. On the menu bar of IE browser, select Tools > Internet options.
  3. In the pop-up Internet Options dialog box, click the Security tab, and click Custom level....
  4. In the pop-up Security Settings - Internet Zone dialog box, go to User Authentication > Logon and select Automatic logon with current user name and password.
  5. Click OK.

WeChat Authentication

"Wi-Fi via WeChat" is a WeChat function for connecting to Wi-Fi hotspots quickly. After the merchant enables the function, customers can quickly access the Internet by scanning a WeChat QR code without typing any complicated Wi-Fi passwords.

After the user connects to the Wi-Fi successfully, WeChat authentication is triggered by automatically opening the WeChat client through the Portal page, and then the WeChat server sends the user information to the device for authentication.

  • WeChat authentication is supported only on WeChat for mobile terminals, not on WeChat for PC terminals.
  • For iOS, if the WeChat client cannot be opened automatically through the Portal page, click "If WeChat cannot be opened, click here" on the Portal page to complete WeChat authentication.

To configure the WeChat authentication, take the following two steps:

Step 1: Configure Settings for WeChat Official Accounts Platform

This step is configured on the WeChat official accounts platform. For detailed configuration of the WeChat official accounts platform, refer to the relevant manuals of the platform.

  1. Add the "Store MiniProgram" function plug-in on the WeChat official accounts platform, and create a shop.
  2. Add the "Wi-Fi" plug-in, and configure the related device management information of "Wi-Fi", including the created store information and the network name (SSID).
  3. After the configuration is completed, you can obtain the device configuration parameters, including the store name, network name (SSID), developer ID (AppID), ShopID and SecretKey.

Step 2: Configure WeChat Authentication for System

  1. Click Network > WebAuth > WebAuth to enter the WebAuth page.
  2. Select WeChat from the Authentication Mode drop-down list. For the basic configurations, see Configuring Basic Parameters for WebAuth.
  3. Click Apply.