Skip to content

Captive Portal Authentication

Our proxy will utilize Microsoft Entra ID / Azure Active Directory authentication with the help of Captive Portal. The idea is simple - if a connecting user is not known for the proxy, the proxy redirects the user to authentication page of Microsoft Entra ID.

After credentials are verified correctly, Microsoft Entra ID tells the proxy which user name should be used for the connection. The proxy will then select the appropriate web filtering policy, apply filtering algorithms, save the information about the user in the traffic monitor and reporting modules.

Provision Captive Portal App

In order to the proxy to be able to redirect users to Microsoft Entra we need to register the proxy Captive Portal application in it. So, login into your Azure portal and click Microsoft Entra ID on the left dark menu and then select the App Registrations menu item.

aad overview

Choose New Registration from the top as shown on the following screenshot.

aad new registration

Follow the steps on the wizard providing the following information and click the Register button. Be sure to change the name of proxy.diladele.dev to your actual proxy name of course.

Parameter Description
Display Name Proxy Authentication Portal
Account types Single Tenant
Redirect URI Select Web, type https://proxy.diladele.dev/portal/login/azure_ad/callback/, please be sure to adjust for actual your proxy name.

After registration, click the Authentication menu on the left and add the following values too.

Parameter Description
Logout URL https://proxy.diladele.dev/portal/logout/azure_ad/complete/, please be sure to adjust for actual your proxy name.
Implicit grant Set only ID tokens (used for implicit and hybrid flows) checkbox

aad auth

Next, generate a client secret (application password) for our app in Certificates and Secrets menu on the left. Be sure to note the client secret (which looks like a long randomly generated string of characters) because you would need it in actual Captive Portal settings later.

aad secret

Important

The client secret has specific validity period after which it expires which will mean proxy authentication will fail. So, it might be a good idea somehow not to forget to re-generate that client secret in the future.

Finally, adjust the claims (information about the user) that will be present in the authentication response from Azure Active Directory to contain the list of assigned groups of the authenticated user. This will allow you to use security groups from Azure Active Directory as members of web filtering policies, greatly simplifying overall management of the application.

add groups claim

Add Required Exclusions in Admin UI

In order to let the Azure Active Directory to render the Azure Login UI without redirection we would need to add the following domains to Admin UI / Squid / Global Exclusions.

login.microsoftonline.com 
login.live.com 
.msauth.net

Just add those as shown on the following screenshot.

add portal exclusions

Configure Captive Portal in Admin UI

Next, we need to configure the proxy side for the Captive Portal authentication. This can be done at Admin UI / Squid / Auth / Captive Portal. Select the Auth Backends tab and click the Azure Active Directory integration settings.

admin ui backends

Fill in the settings with the following example information. Please be sure to put actual values for your specific case.

Parameter Description
Authority https://login.microsoftonline.com/diladele.dev
Client ID a GUID string like 655B2BFA-14D4-4174-BB07-DDBE40FDBDC7
Client Secret long string of chars we have generated earlier

admin ui integration

Now switch to the General tab and set the Portal Address to your proxy fully qualified domain name (proxy.diladele.dev in our example). Note this is important as Captive Portal is not able to determine correct FQDN/IP address to redirect to if deployed in Microsoft Azure.

portal enable

Click Save Changes and then Apply Settings from top right corner of Admin UI. Our proxy is now ready to redirect connecting clients to the Azure Active Directory for authentication.