From the menu, select Identities & Authentication.

• Click Add Identity.

• Enter the Identity Name.

• Click Add Device.

In the Select devices allocated to identity window:

• Search for the device by:

  • MAC address, or

  • IP address

• Select the required device(s).

• Click Assign Devices.

• The Add Identity window will now display the identity name and linked MAC addresses.

  • • At this stage, a policy may be selected if one has already been created. For this example, the default policy is used.

  • Click Add Identity to complete the process.

• Repeat this process until all required devices on the network have been identified.

The Default Identity is automatically applied to any device that has not yet been bound to a specific identity.

Managing the default identity is a critical part of network security. Common best practice is to associate a restrictive policy with the default identity—often blocking internet access entirely—so that new or unknown devices are denied access by default.

Editing the default identity allows the administrator to:

• Define the default policy for all unidentified devices

• Apply policies to entire network ranges using SRC Network Policies

This feature is particularly useful in:

• Large networks

• Environments where individual device identification is impractical

• Scenarios where per‑network policy enforcement is sufficient

Adding a Network SRC Policy Rule

• Navigate to the Default Identity.

• Click Add Network Src Policy Rule.

The Edit Default Identity configuration window will expand to include SRC Network Policy options.

Required Parameters:

• Network SRC: 192.168.1.0

• Netmask: 255.255.255.0 / 24

• Policy: select the required policy

3. Click Add.

4. Click Update Identity to save the changes.

Changes will not be committed until a reload is performed.

The default identity will now display the configured SRC network and linked policy on the Identities & Authentication page.

Define the IP ranges that require authentication. 

Click Add Range under Captive Portal IP Ranges. 

Complete the following fields:

• IP Address: 192.168.1.0

• Subnet: 255.255.255.0 / 24

• Click Add IP Range.

• Click Save changes.

Note: Changes will not be committed if you navigate away without saving. 

Guest access allows users to authenticate without assigned credentials. 

When enabling guest access, apply a restrictive policy that only permits access to essential websites and services only. This prevents users from bypassing filtering and security controls. 

• Click Add External Authenticator.

• Enter:

  • Name: Authenticator name

  • Type: Local Users

• Click Add External Authenticator.

The localusers authenticator will be displayed in the captive portal configuration.

Managing Users

1. Select Manage Users.

2. Select Add User.

• Username: Used to authenticate the session (email format recommended)

• Friendly Name: Displayed in reports only

• Policy: Select the policy that will be applied

• Enabled: Enable user authentication

• Password:

  • Set by the administrator

  • Minimum of six characters

  • Must be shared with the user manually

3. Click Save.

Users can be edited at any time to modify credentials, policy, or enabled state.

Create an Azure External Authenticator

• Click Add External Authenticator.

  • Name: Authenticator name

  • Enabled:

    1. 1. • Enabled: Users will be allowed to authenticate using Azure AD / Entra ID

          • Disabled: Authentication using this external authenticator will be blocked

  • Type: Azure Active Directory

• Friendly Name: A user-friendly label used internally to reference this Azure AD integration. 

• TenantID: The Tenant ID obtained from the Microsoft Entra ID section of the Azure Portal. 

• Prompt Mode: 

  • prompt=login: Forces the user to enter credentials on every authentication request, disabling single sign-on. 

  • prompt=none: Attempts silent authentication using existing single sign-on sessions. If silent authentication is not possible, Microsoft returns an interaction_required error. 

  • prompt=consent: Displays the OAuth consent screen after login, requesting permission for the application. 

  • prompt=select_account: Interrupts single sign-on and presents an account selection screen, allowing users to choose from existing or alternate accounts.

• Once all required information has been entered, click Add External Authenticator. 

The azureAD external authenticator should now appear in the Captive Portal configuration list. 

Authorise the Azure Integration

• Click Test / Connect AD next to the Azure external authenticator.

• You will be redirected to Microsoft’s authorisation page

• Review the permissions requested by iShield

• Click Accept to continue

Note: Microsoft requires this authorisation step to be completed using an administrator account. 

Once authorisation is complete, you will be redirected back to the iShield and shown a confirmation page indicating a successful connection. 

Users may authenticate using:

• Their Microsoft Azure AD / Entra ID credentials

• A local account

• Guest access, if permitted by policy

On successful authentication, the user will be granted internet access and permitted resources according to their assigned policies.