[FAQE] USG FLEX H Series [uOS 1.32] - Changes and special behavior of Captive Portal in UOS 1.32

With the release of Zyxel firmware version uOS 1.32, the Captive Portal functionality has undergone significant improvements. These enhancements affect both configuration and authentication behavior, including support for Two-Factor Authentication (2FA), increased security, and redesigned user interface components.

What is Captive Portal?

The Captive Portal is a web-based authentication page that intercepts user traffic before granting internet access. Users must enter valid credentials (username and password) to proceed. It provides administrators with flexible access control across various interface types (Ethernet, VLAN, Bridge, LAG), and supports both local and external authentication servers (AD, RADIUS, etc.).

Key Features

• Web-based authentication before network access
• Customizable authentication methods: local and external
• Multi-interface support for policy triggering
• Redesigned login and session pages
• System log entries marked with Captive Portal identifiers

Configuration Overview

1. Navigation Path: Captive Portal > Authentication Policy > Policy
2. Default Status: Disabled — must be manually enabled
3. Triggering Interface: Select the incoming interface to activate the Captive Portal
4. Authentication Server:
   • Defaults to local server
   • External servers become available after AAA server setup
   • Only one server can be assigned per policy

Advanced Settings

• Default Redirect IP: 6.6.6.6 — can be entered manually if the portal page fails to load
• Port Separation (New in 1.32):
  • HTTP Redirect: 1080
  • HTTPS Redirect: 1443
  • These are now separate from system GUI ports to prevent conflicts. Warnings will appear if overlap occurs.
• Timeout Configuration:
  • Path: User & Authentication > User/Group > Setting > Edit Default Authentication Timeout Settings
  • Options: Lease Time, Reauthentication Time
  • Auto-refresh or user activity resets the timeout. Inactivity will terminate the session based on the shorter timeout.

2FA Behaviour and Considerations

2FA can now be enabled for local users logging in via Captive Portal:

• Configuration Path: User & Authentication > User/Group > User
• Enable 2FA in the user profile
• After setup, users must enter their credentials and 2FA code to gain internet access

⚠️ Important: In the current implementation, traffic may still pass through the firewall even if the second step of 2FA is not completed, as long as the primary login is successful. This may mislead administrators, since there may be no log or UI indication that 2FA is incomplete. More transparent logging is planned in future firmware updates.

Login Interface and Access Restrictions

• Session Confirmation Screen: Starting with version 1.32, non-admin users no longer see the login confirmation screen that previously displayed session lease time and logout options. This change may require workflow adjustments.

• GUI Access:
  • Only Admin and Viewer user types can access the Web GUI
  • User type accounts (from the local database) can only authenticate via the Captive Portal

Session Monitoring and Audit

• Path: Network Status > Login Users > Login Users
• All active sessions are listed, showing:
  • Username
  • Source IP
  • Login type (Captive Portal)

Related events are also recorded in the System Log for audit and review.

These updates in uOS 1.32 aim to improve Captive Portal flexibility and security. Administrators are advised to familiarize themselves with the changes and adapt their workflows accordingly.