Hello, I am looking for tips/ideas for a problem that I am running into. I need to define a firewall rule set that will allow a client to connect to a public hotspot, authenticate to the hotspot via whatever portal application they use, but disallow the user from accessing anything other than the authentication portal, and then establish a VPN connection once they are authenticated to the hotspot. Here is the current configuration I have defined:
Location1: Trusted Network
Desc: On the trusted LAN allows access to everything.
Location2: Untrusted Network
Desc: Only allows outbound access to private IP ranges and allows VPN client to communicate outbound. Blocks all incoming.
Location3: VPN Connection
Desc: Split-tunneling is disabled, allows all traffic to route through the VPN tunnel.
These locations/rule sets work perfectly when there is no page redirect requiring authentication. But in testing it at a local hotel, I am able to connect to the wireless network but cannot establish a VPN connection due to the requirement of inputting their code on the hotel's authentication page. When I first pull up the browser, it tries to establish an HTTP session to openDNS.com, which is blocked. Of course, not all hotspots will have the same architecture in place for authentication, so just allowing HTTP to openDNS will not work across all hotspots.
Has anyone run into this same problem and found a solution? I was considering creating a 4th policy, but I am not so sure that will work properly either. Thanks!
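One way to reason about the 4th policy before committing it to a firewall product, as an added example that is not the poster's configuration: a small first-match rule evaluator modelling Location2 (untrusted) beside a proposed captive-portal location that opens only web traffic long enough for the hotspot redirect to complete. The VPN server address, the hotspot gateway/resolver address and the VPN ports are assumptions chosen for illustration.

```python
"""Added example: first-match outbound policy evaluator for the untrusted
and captive-portal locations. Addresses and ports below are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPN_SERVER = ipaddress.ip_network("203.0.113.10/32")  # assumption: our VPN concentrator
HOTSPOT_GW = ipaddress.ip_network("192.168.1.1/32")   # assumption: DHCP-provided gateway/resolver
VPN_PORTS = {500, 4500, 1194}                          # assumption: IPsec IKE/NAT-T and OpenVPN

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "drop"
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # empty = any destination port
    dsts: tuple        # destination networks the rule applies to

def rule(action, proto="any", dports=(), dsts=(ANY,)):
    return Rule(action, proto, frozenset(dports), tuple(dsts))

LOCATIONS = {
    # Location2 as described: private ranges and the VPN endpoint only, nothing else.
    "untrusted": [
        rule("allow", "udp", {67, 68}),                # DHCP, needed to join the hotspot at all
        rule("allow", "udp", {53}, [HOTSPOT_GW]),      # DNS only to the hotspot's resolver
        rule("allow", "any", dsts=PRIVATE),            # private IP ranges
        rule("allow", "udp", VPN_PORTS, [VPN_SERVER]), # VPN client outbound
        rule("drop"),
    ],
    # Proposed Location4: same as above plus a narrow web-only opening so the
    # portal redirect can land wherever the hotspot sends it; no other ports.
    "captive_portal": [
        rule("allow", "udp", {67, 68}),
        rule("allow", "udp", {53}, [HOTSPOT_GW]),
        rule("allow", "tcp", {80, 443}),
        rule("allow", "udp", VPN_PORTS, [VPN_SERVER]),
        rule("drop"),
    ],
}

def evaluate(location, proto, dport, dst):
    """Return 'allow' or 'drop' for an outbound packet; first matching rule wins."""
    addr = ipaddress.ip_address(dst)
    for r in LOCATIONS[location]:
        if r.proto not in ("any", proto):
            continue
        if r.dports and dport not in r.dports:
            continue
        if not any(addr in net for net in r.dsts):
            continue
        return r.action
    return "drop"  # implicit default if a location has no final drop rule
```

Switching the client from the captive-portal location back to the untrusted location once the VPN tunnel is up (or after a short timeout) keeps the web opening transient rather than permanent.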