
Configuring a Captive Portal

This article is intended for IT support.

School Manager allows you to enable a Captive Portal that users must interact with before they can access your school's network. Enabling a Captive Portal will stop users from connecting to your school’s network unless they can prove that they’re actually staff, students, or other authorized users.

Why should I use a Captive Portal?

Responsible use of the school network

You can use Captive Portal to make sure that only authorized users and guests can connect to the school network and that they agree to the terms and conditions of using the service.

Device association with the user

Captive Portal associates a device with a user. This association supports network security and responsible use, and it is also convenient for the user: users whose devices are permanently associated with their accounts need to log in only once, unless they choose to log out of Captive Portal. See Permanent Associations.

Ensure BYOD users install the required security certificates on their devices. 

Captive Portal looks for security certificates that allow you to monitor connections on Windows and Mac BYODs. It will not allow a user to log in on their personal device if it does not detect the certificates. See: HTTPS Inspections.

Setting up a Captive Portal

  1. In School Manager, navigate to CONFIGURATION > AUTHENTICATION > CAPTIVE PORTAL.

  2. Select Enabled.
    Selecting this item enables the Captive Portal.

  3. Enter a descriptive name for the Captive Portal.
    This will identify your custom Captive Portal from the list and who it is for. This is helpful for schools that have created multiple Captive Portals.

  4. On the Networks field, select Edit. The Edit Included Networks dialog will appear.
    Included Networks determine which networks within the school require logging into Captive Portal. For example, if you select Any, then Captive Portal will require users across the campus to log in. If you select Network Range, then all users who are connecting within a range of IP addresses will be asked to log in; those who are connecting outside the network range will not be asked to log in. 

  5. Select a Criteria from the dropdown.
    Select only one criterion and do not leave any fields blank. A blank network criteria field can prevent your Captive Portal from working correctly.
| CRITERIA | DESCRIPTION | EXAMPLE |
| --- | --- | --- |
| Any | Applies to all of the school network. All users will be asked to log in. | - |
| Network Range | Applies to an IP Range only. Do not use wildcards. | 192.168.0.10 - 192.168.0.25 |
| Network | Applies to an IP Subnet only. Do not use wildcards. | 192.168.0.0/255.255.255.0 |
| IP Address | Applies to a single IP Address. | 192.168.0.1 |
| IP Address Object | Used for multiple IP addresses that people will log in to that are not within a range. Not recommended for network connected devices like printers, projectors, or cameras. Add a list of IP Addresses in School Manager  Filtering  Object  Pools. See: Objects and Object Pools for more information. | 192.168.0.1, 192.168.1.2, 192.168.7.13 |

  6. Enter a Message for the user.
    This is a plain text field with no character limit. We recommend using fewer than 100 characters. For example, "Welcome to Your School, please log in to continue".
  7. Select Choose to upload a logo.
    Use a JPEG or PNG file that is less than 5MB. The image will be proportionally scaled to 480px width.

  8. Select your school’s Authentication Method.
    You can select any or all methods.

| AUTHENTICATION METHOD | RESULT |
| --- | --- |
| Google | Users can log in with their approved Google accounts |
| Azure | Users can log in with Azure AD |
| Standard | Users log in with their username and password |
| Guest | Users will log in as a Guest using a temporary token. |

  9. Select SAVE to save the new Captive Portal.

What do users see?

When all authentication methods are enabled, users will see links for each method on the Captive Portal page. To log in, authenticated users can enter their school-provided username and password, or select Google or Azure AD. Guests need to select Login as a Guest using temporary tokens to continue.

 

Optional Settings

You can configure the Captive Portal’s optional settings to help you:

  • manage device associations;
  • redirect users to a website after successfully logging in; and
  • enable SSL inspections.

1. Permanent Associations

A Permanent Association links a device with a user's authenticated identity or account, letting that user connect to your school's network on that device without logging into the Captive Portal again. 

If the user connects to the school network with a new device, that device must also be permanently associated with the user if they want to skip logging in the next time they connect to the network using that device.

A user can be permanently associated across multiple devices with the same account.

Enabling Permanent Associations

  1. Under Permanent Associations, select:
  • All Users to permanently associate devices for all users.
    Selecting All Users will hide the Groups option.
  • Groups to permanently associate devices for certain groups only. For example, you can allow teachers, non-teaching staff, or certain students only.
  2. Select SAVE.

What do users see?

Permanent Association is enabled

Upon successful login, the user has the option to permanently associate their current device with their account by selecting Continue and Save My Device. They don’t have to log in when they reconnect to the network using the same device.

Permanent Association is not enabled

The user is asked to visit their Dashboard or is redirected to a URL. They have to log in to Captive Portal each time they connect to the school network.

Purging Associations

You can purge associations to stop associating a device to a user. This is especially useful when a school-managed device is given to a new student at the start of the new term or to a new staff member.

To purge associations:

  1. Go to CONFIGURATION > USERS AND GROUPS > ASSOCIATIONS.
  2. Select PURGE ASSOCIATIONS.
  3. On the Purge Associations dialog:
    • Select PURGE STALE ASSOCIATIONS to delete associations for users who are no longer active, such as those who have left the school or no longer use their associated devices, or who have been deleted from School Manager.
    • Select PURGE ALL ASSOCIATIONS to delete all associations between users and devices.

2. Redirect to Website

To redirect the user to a specific page once they have logged in:

  1. Select Auto Redirect.
  2. Type https:// and a web address.

If this feature is not enabled, the user will see the default Welcome page instead of redirecting to another site.

3. SSL Onboarding

SSL Onboarding checks whether the user’s device has installed the Linewize SSL certificates needed to enable HTTPS inspection of the device. If the device doesn’t have the certificates, Captive Portal will prompt the user to install them. The certificates can be downloaded from http://certs.linewize.net.

See Setting Up HTTPS Inspection for more information about deploying SSL certificates to students’ devices.

4. Adding Exceptions

Exceptions allow you to configure networks or device types to bypass the Captive Portal if they meet certain criteria. 




To avoid disruptions when using non-user devices and office equipment (for example: printers, scanners, wireless routers and extenders, projectors and smart monitors), we recommend setting up exceptions. This way, users do not have to log in each time they use, restart, or reconnect this equipment.

Configuring Exceptions

  1. Select ADD EXCEPTION.
  2. On the Add Exception dialog that appears, enter a Name and select a Criteria from the Select Criteria dropdown. 
  3. Enter the required value(s) for the criteria.
    If you’re using multiple entries, separate each entry with a comma.
  4. Select SAVE.

Exception Criteria

| CRITERIA | DESCRIPTION | EXAMPLE |
| --- | --- | --- |
| Application | Applies to an application using Signatures | Adobe, AOL, BBC etc |
| Device Type | Applies to a specific device type. | Apple MAC, Apple iPad, Windows etc |
| IP Address | Applies to a single IP Address | 192.168.0.1 |
| IP Address Object | | 192.168.0.1, 192.168.0.2 |
| MAC Address Object | | 00:1b:44:91:3a:b7, 00:1c:41:11:2a:b7 |
| Network | Applies to an IP Subnet | 192.168.0.0/255.255.255.0 |
| Network Range | Applies to an IP Range | 192.168.0.10 - 192.168.0.25 |
| Website | Applies to a single website | facebook.com |
| Website Object | | Streaming sites object pool, Safe sites object pool |
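
To review a planned set of Included Networks and Exceptions before entering them, the following added example (not Linewize code; the function names are hypothetical and IPv4 is assumed) parses values in the formats from the two criteria tables, rejects blank entries and wildcards, and counts how many gated addresses the exceptions would let bypass the Captive Portal.

```python
import ipaddress

def parse_criteria(kind, value):
    """Parse one criteria value written in the formats shown in the tables."""
    nets = []
    for entry in value.split(","):            # multiple entries are comma-separated
        entry = entry.strip()
        if not entry:
            raise ValueError(f"{kind}: blank entry")
        if "*" in entry:
            raise ValueError(f"{kind}: wildcards are not allowed ({entry})")
        if kind == "IP Address":              # e.g. 192.168.0.1
            nets.append(ipaddress.ip_network(f"{ipaddress.IPv4Address(entry)}/32"))
        elif kind == "Network":               # e.g. 192.168.0.0/255.255.255.0
            if "/" not in entry:
                raise ValueError(f"{kind}: expected address/netmask ({entry})")
            nets.append(ipaddress.ip_network(entry, strict=True))
        elif kind == "Network Range":         # e.g. 192.168.0.10 - 192.168.0.25
            first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            raise ValueError(f"unsupported criteria: {kind}")
    return nets

def bypassed_addresses(included, exceptions):
    """Count addresses in the included networks that an exception exempts."""
    inc = list(ipaddress.collapse_addresses(included))    # disjoint blocks
    exc = list(ipaddress.collapse_addresses(exceptions))  # disjoint blocks
    total = 0
    for e in exc:
        for i in inc:
            if e.overlaps(i):  # CIDR blocks that overlap are nested
                total += min(e.num_addresses, i.num_addresses)
    return total

# Constructed plan using the example values from the tables.
INCLUDED = parse_criteria("Network", "192.168.0.0/255.255.255.0")
EXCEPTIONS = (parse_criteria("IP Address", "192.168.0.1")
              + parse_criteria("Network Range", "192.168.0.10 - 192.168.0.25"))

if __name__ == "__main__":
    gated = sum(n.num_addresses for n in INCLUDED)
    skipped = bypassed_addresses(INCLUDED, EXCEPTIONS)
    print(f"{skipped} of {gated} gated addresses bypass the portal")
```

An exception that covers most or all of an included network is worth a second look, since every address it contains reaches the network without logging in.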

Troubleshooting

Can I limit Captive Portal logins to certain users, groups, or classrooms only?

You can enable Captive Portal for specific networks, but not for specific users or groups. You can set certain networks (see Steps 4-5 of the Setting Up a Captive Portal section), such as those in classrooms, offices, or public spaces, that will require users to log in to Captive Portal.

I can't connect my server to the Internet or perform updates

You may need to set up exceptions for your services and networking infrastructure. When enabling Captive Portal, you must ensure that you have created exceptions for your school's networking devices.

What happens if all devices are already Permanently Associated?

Permanent Association works by remembering the MAC address of the user’s device. If your school VLANs terminate on the core switch, each user device will appear to share the same MAC address as the core switch. If one user has already permanently associated a device in this environment, then all devices will also be permanently associated.

To fix this, you must ensure that your VLANs don’t terminate on the core switch. Once you’ve done this, we also recommend that you reset all Permanent Associations by navigating to Configuration > Users and Groups > Associations > Purge Associations.
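
An added diagnostic for this symptom, not part of School Manager: given (source IP, source MAC) pairs as observed at the filtering appliance, it reports MAC addresses that front for hosts in more than one subnet. The sample records are constructed, and the function name, the /24 subnet size and the per-MAC IP limit are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (source IP, source MAC) pairs seen at the filter.
OBSERVED = [
    ("10.10.20.31", "00:1B:44:91:3A:B7"),
    ("10.10.20.32", "00:1b:44:91:3a:b7"),
    ("10.10.30.14", "00:1b:44:91:3a:b7"),
    ("10.10.30.15", "00:1b:44:91:3a:b7"),
    ("192.168.0.50", "00:1c:41:11:2a:b7"),
]

def find_shared_macs(observations, prefix=24, max_ips=2):
    """Return MACs that appear to stand in for several hosts, keyed by MAC."""
    ips_by_mac = defaultdict(set)
    for ip, mac in observations:
        ips_by_mac[mac.lower()].add(ipaddress.IPv4Address(ip))
    report = {}
    for mac, ips in ips_by_mac.items():
        # Assumed subnet size: group each address into its /prefix network.
        subnets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
        # One MAC spanning subnets, or holding many IPs, points to a routing hop
        # (such as a core switch) between the devices and the filter.
        if len(subnets) > 1 or len(ips) > max_ips:
            report[mac] = {
                "ips": [str(ip) for ip in sorted(ips)],
                "subnets": sorted(str(n) for n in subnets),
            }
    return report

if __name__ == "__main__":
    for mac, seen in find_shared_macs(OBSERVED).items():
        print(f"{mac}: {len(seen['ips'])} IPs across {', '.join(seen['subnets'])}")
```

Any MAC address this reports should be resolved before Permanent Associations are enabled, because an association saved against it would apply to every device behind that hop.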

Why are some sites and traffic excluded from Captive Portal?

Some sites and traffic will not be gated behind your Captive Portal, and unauthenticated users may be able to access them. These sites and traffic are allowed to bypass the Captive Portal exclusively to ensure that you don’t experience network or service disruption, including disruption of your Linewize services or of your Google Workspace or Azure Active Directory user authentication.

Google services such as Google Drive or Google Search may be accessible to unauthenticated users, but once an unauthenticated user attempts to access a website or filtering signature that is not on the Captive Portal Exception list, they will be directed to a Captive Portal sign-in page.  

You can contact Linewize Support United States (844) 723-3932 | Australia 1300 687 052 | New Zealand 0800 445 206 for more information on what traffic and sites are on the bypass list.  

Can I remove permanent associations from shared computers?  

If you find there are too many usernames saved on shared computers using Captive Portal, you can use School Manager to remove old usernames or all usernames associated with the devices.