Webauth

From Wiki of WFilter NG Firewall
(Difference between revisions)
Jump to: navigation, search
(Created page with "{{DISPLAYTITLE:Web认证}} ==启用用户名认证== File:Faq_en_webauth001.jpg <p>勾选'''本地认证'''后,需要在本地账号模块中添加账号;勾选'''远...")
 
(27 intermediate revisions by one user not shown)
Line 1: Line 1:
{{DISPLAYTITLE:Web认证}}
+
{{DISPLAYTITLE:Web Auth}}
==启用用户名认证==
+
== Introduction ==
[[File:Faq_en_webauth001.jpg]]
+
"Web Auth" brings you below features:
<p>勾选'''本地认证'''后,需要在本地账号模块中添加账号;勾选'''远程认证'''需要配置radius服务器相关信息,所以前提是存在一个radius服务器,请参考[[how_to_conf_radius_server|How to config radius server]]。</p>
+
* "User & Pass Auth": correct username and password are required to access internet. You can use WFilter local accounts service or third party services(Email, LDAP, Radius) for authentication.
<p>效果:客户机访问网页跳转到认证界面</p>
+
* "Third Party Auth": interface for third party authentication. The authentication logic is done via a third party service. For example:
[[File:Faq_en_webauth002.jpg]]
+
** SMS authentication
==启用营销认证==
+
** Dingtalk
 +
** Wechat for business
 +
** QR code
 +
** Wechat mini-program
 +
Together with other modules, you can:
 +
* Display usernames for client devices.(Real-time Bandwidth)
 +
* Record internet activites by username.([[Logs & Reports]])
 +
* Set access policy by username.([[Access Policy]])
 +
* Query webauth login history.([[account|Accounts]])
  
 +
== User & Pass Auth ==
 +
When enabled, clients in the target ip ranges will be required for username and password when browsing webpages.
  
==常见问题==
+
[[File:Faq_en_webauth002.jpg|800px]]
 +
 
 +
Settings:
 +
* IP Range: ip ranges to enable "User & Pass Auth".
 +
* Auth Type
 +
** "Local Auth": authenticate with username and password of local accounts. This user shall enable "Web" access in [[Account|Local_Account]].
 +
** "Email Auth": send credentials to a pop/imap email server for authentication.
 +
** "Ldap Auth": send credentials to a ldap server for authentication.
 +
** "Radius Auth": send credentials to a remote radius server for authentication.
 +
** "Local + Email": local authenticate first, if not found, try email authentication.
 +
** "Local + Ldap": local authenticate first, if not found, try ldap authentication.
 +
** "Local + Radius": local authenticate first, if not found, try radius authentication.
 +
* Timeout: re-authentication is required on timeout.
 +
 
 +
[[File:Faq_en_webauth001.png|900px]]
 +
 
 +
== Third Party Auth ==
 +
 
 +
* Landing page: default landing page after user authentication.
 +
* Port: listening port of the authentication page.
 +
* Edit Auth Page: edit content of the authentication page.
 +
* Bound to a local user: bound the authenticated user to a local user. So you can set policy and get reports of the "third party authed users".
 +
 
 +
=== SMS WiFi ===
 +
 
 +
When SMS is enabled, users need to input a correct verification code which is received via mobile phone text message. Settings:
 +
* SMS API URL: web API URL to send SMS.
 +
* Post Format: the message format POST to SMS web API.
 +
* Code Length: verification code length.
 +
* Interval: interval of re-sending verification code.
 +
 
 +
[[File:Faq_en_smswifi001.png|800px]]
 +
 
 +
[[File:Faq_en_smswifi002.png|450px]]
 +
 
 +
 
 +
=== Dingtalk ===
 +
When enabled, the clients can login by QR code scanning with dingtalk app.
 +
 
 +
[[File:Faq_webauth_dingtalk.png|900px]]
 +
 
 +
=== Wechat for business ===
 +
 
 +
When enabled, the clients can login by QR code scanning with business wechat app.
 +
 
 +
[[File:Faq_webauth_bwechat.png|900px]]
 +
 
 +
=== QR Code ===
 +
 
 +
When enabled, a visitor shows a QR code, which needs to be checked by a moderator.
 +
 
 +
[[File:Faq_webauth_qrcode.png|900px]]
 +
 
 +
=== Wechat Mini-program ===
 +
 
 +
Wechat mini-program can retrieve phone number to finish the authentication process.
 +
 
 +
== Settings ==
 +
 
 +
[[File:Faq_webauth009.png|900px]]
 +
 
 +
* Redirect: Redirect unauthorized traffic to the web portal.
 +
** HTTP Only, only redirect HTTP traffic, HTTPS access will be blocked.
 +
** HTTP and HTTPS: both types traffic will be redirected. Please note: HTTPS authenticate port will be HTTP port plus one. To remove certificate warning, please install the ca certificate in [[SSLInspect|SSL Inspector]].
 +
** HTTPS redirection doesn't work in "pass-by deployment".
 +
* Mode:
 +
** If your core switch is three layer and "mac address collector" is not enabled, you need to use "by IP" mode.
 +
** Otherwise, "by MAC" mode is recommended.
 +
* MAC White List: mac addresses in this list do not require authentication.
 +
* Domain Exception: domains in this list can be visited without authentication.
 +
** IP address, eg: 192.168.1.100
 +
** IP segment, eg: 192.168.1.0/24
 +
** Domains, eg: *.google.com, wildcards(*?) are supported.
 +
 
 +
== External Links ==
 +
* [http://blog.wfilterngf.com/?p=97 Wifi network monitoring solutions of WFilter]
 +
* [http://blog.wfilterngf.com/?p=88 WFilter NG firewall added support of Facebook Wi-Fi.]

Revision as of 14:23, 10 October 2020

Contents

1 Introduction

"Web Auth" brings you below features:

  • "User & Pass Auth": correct username and password are required to access internet. You can use WFilter local accounts service or third party services(Email, LDAP, Radius) for authentication.
  • "Third Party Auth": interface for third party authentication. The authentication logic is done via a third party service. For example:
    • SMS authentication
    • Dingtalk
    • Wechat for business
    • QR code
    • Wechat mini-program

Together with other modules, you can:

  • Display usernames for client devices.(Real-time Bandwidth)
  • Record internet activites by username.(Logs & Reports)
  • Set access policy by username.(Access Policy)
  • Query webauth login history.(Accounts)

2 User & Pass Auth

When enabled, clients in the target ip ranges will be required for username and password when browsing webpages.

Faq en webauth002.jpg

Settings:

  • IP Range: ip ranges to enable "User & Pass Auth".
  • Auth Type
    • "Local Auth": authenticate with username and password of local accounts. This user shall enable "Web" access in Local_Account.
    • "Email Auth": send credentials to a pop/imap email server for authentication.
    • "Ldap Auth": send credentials to a ldap server for authentication.
    • "Radius Auth": send credentials to a remote radius server for authentication.
    • "Local + Email": local authenticate first, if not found, try email authentication.
    • "Local + Ldap": local authenticate first, if not found, try ldap authentication.
    • "Local + Radius": local authenticate first, if not found, try radius authentication.
  • Timeout: re-authentication is required on timeout.

Faq en webauth001.png

3 Third Party Auth

  • Landing page: default landing page after user authentication.
  • Port: listening port of the authentication page.
  • Edit Auth Page: edit content of the authentication page.
  • Bound to a local user: bound the authenticated user to a local user. So you can set policy and get reports of the "third party authed users".

3.1 SMS WiFi

When SMS is enabled, users need to input a correct verification code which is received via mobile phone text message. Settings:

  • SMS API URL: web API URL to send SMS.
  • Post Format: the message format POST to SMS web API.
  • Code Length: verification code length.
  • Interval: interval of re-sending verification code.

Faq en smswifi001.png

Faq en smswifi002.png


3.2 Dingtalk

When enabled, the clients can login by QR code scanning with dingtalk app.

Faq webauth dingtalk.png

3.3 Wechat for business

When enabled, the clients can login by QR code scanning with business wechat app.

Faq webauth bwechat.png

3.4 QR Code

When enabled, a visitor shows a QR code, which needs to be checked by a moderator.

Faq webauth qrcode.png

3.5 Wechat Mini-program

Wechat mini-program can retrieve phone number to finish the authentication process.

4 Settings

Faq webauth009.png

  • Redirect: Redirect unauthorized traffic to the web portal.
    • HTTP Only, only redirect HTTP traffic, HTTPS access will be blocked.
    • HTTP and HTTPS: both types traffic will be redirected. Please note: HTTPS authenticate port will be HTTP port plus one. To remove certificate warning, please install the ca certificate in SSL Inspector.
    • HTTPS redirection doesn't work in "pass-by deployment".
  • Mode:
    • If your core switch is three layer and "mac address collector" is not enabled, you need to use "by IP" mode.
    • Otherwise, "by MAC" mode is recommended.
  • MAC White List: mac addresses in this list do not require authentication.
  • Domain Exception: domains in this list can be visited without authentication.
    • IP address, eg: 192.168.1.100
    • IP segment, eg: 192.168.1.0/24
    • Domains, eg: *.google.com, wildcards(*?) are supported.

5 External Links

Personal tools
Namespaces

Variants
Actions
Navigation
Tools