Sophos Firewall: How to configure Captive Portal to authenticate users when accessing the internet with users synchronized from AD

1.The purpose of the article

In this article techbast will guide you on how to configure Captive Portal, this is a feature that provides the ability to authenticate users in the internal network when they make internet access with an account and this account will be synchronized from AD in the system.



The internet connection will be connected at Port 2 of Sophos Firewall device with IP

Inside is the LAN subnet configured at Port 1 of the device with IP and configured with DHCP.

In the LAN subnet, there is also an AD Server with IP, on this server, and IT OU has been created, in the IT OU, there is a Support group, in the Support group there are users as user1,user2,user3.

Laptop 1 is connected to the LAN and receives DHCP with IP 10,145.41.50/24.


Techbast will configure the Captive Portal on the Sophos Firewall device so that when the devices in the LAN area access and use the internet, they will have to authenticate with the synced account from the AD Server.

4.What to do ?

  • AD Sync
  • Import user and group
  • Create policy
  • Result


5.1.AD Sync

The first step we need to sync AD with Sophos Firewall.

To synchronize we go to CONFIGURE > Authentication > Server > click Add.

Configure with the following parameters:

  • Server type: select Active Directory
  • Server name*: LearningIT
  • Server IP/domain:
  • Connection security: select Plaintext
  • Port*: 389
  • NetBIOS domain: LEARNINGIT
  • ADS user name*: administrator
  • Password*: enter the password of administrator account
  • Display name attribute: leave blank
  • Email address attribute: mail
  • Domain name*:
  • Search quries*: Click Add, enter dc=learningit,dc=xyz and click OK.
  • Click Test connection to test the connection to the AD server.
  • Click Save.

5.2.Import OU and Group

After successful AD sync, we need to import OU and Group from AD.

Click the icon as shown in the image to perform the import.

Now the Import group wizard help window appears, click Start.

In Step 1: Provide base DN for group, select dc=learningit,dc=xyz from the drop-down menu.

In Step 2: Select AD groups to import will show the OUs and groups that AD currently has, here techbast will select the Support group located in the IT OU as shown.

Nhấn nút “>” để tiếp tục.

Press the “>” button to continue.

Press the “>” button and OK to continue.

Click Close to close the window.

After importing, we can go to CONFIGURE > Authentication > Group to check if the group has been imported.

As a result, the Support group was imported.

Next for the firewall device to authenticate users from AD we need to go to CONFIGURE > Authentication > Service.

In the Firewall authentication methods section, we see that currently we only perform authentication for local accounts on the firewall.

We tick LearningIT this is the server we just synced and on the right side, we hold down the mouse on LearningIT and drag it above Local.

Click Apply to save.

5.3.Create Policy

The next step we need to enable the Captive Portal feature in the policy that allows the LAN to access the internet.

If we do not have a policy, we can create it according to the image below, if we already have this policy, just configure the red section as shown below.

We select Match Know User and Use web authentication for unknown users.

In the Users or Groups panel we select the Support group we just imported.


To check the results techbast will access Laptop 1, open a browser and visit

Then the authentication page will appear, we need to enter the account and password to authenticate.

Techbast will enter the user1 account this is the synced account from AD and click Sign in.

A successful login message appears.

Now we can access the internet.

Note that we must not turn off this authentication tab, otherwise we will have to re-authenticate.

Open another tab and try to access google again, now you can access the internet.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.