diff --git a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
index 1bb1553c3..f3eae1474 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/Api/AccessController.php
@@ -148,6 +148,11 @@ class AccessController extends ApiControllerBase
$this->request->getPost("password", "string")
);
+ // check group when group enforcement is set
+ if ($isAuthenticated && (string)$cpZone->authEnforceGroup != "") {
+ $isAuthenticated = $authServer->groupAllowed($userName, $cpZone->authEnforceGroup);
+ }
+
if ($isAuthenticated) {
// stop trying, when authenticated
break;
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml
index 684466f58..fe1829f4a 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml
@@ -26,6 +26,12 @@
+
+ zone.authEnforceGroup
+
+ dropdown
+
+
zone.idletimeout
diff --git a/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml b/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml
index 595117cdb..ae400c21a 100644
--- a/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml
@@ -31,6 +31,9 @@
Y
Local Database
+
+ N
+
Y
0