In access control, what is the difference between authentication and authorization, and how does a Captive Portal combine them?
Authentication verifies who you are; authorization decides what resources you may access. The Captive Portal setup treats both together under "Authentication."
* Two gates: authenticate once (who), authorize per request (what). *
These are two separate steps that are frequently combined in practice:
| Term | Question it answers | Example |
|---|---|---|
| Authentication | Who are you? | Logging into the Captive Portal with username + password |
| Authorization | What are you allowed to do? | A Security Rule that lets the C-level user reach meteo.ch but blocks the Normalbürger group |
The user first authenticates at the Captive Portal (proving identity), which binds their identity to their IP via User-ID. Security Policy Rules then authorize — deciding per user/group what traffic is permitted. This combined flow is called simply "Authentication."
Why keep them conceptually separate? A valid login (authentication) does not automatically grant access to everything (authorization). Mixing them up leads to over-privileged accounts.
Tip: "AuthN = who, AuthZ = what." Authenticate once, authorize on every request.
Go deeper:
Authentication (Wikipedia) — the "who are you" half (factors, MFA).
Authorization (Wikipedia) — the "what may you do" half (access rights/privileges).