End-of-Life (EoL)

Configure Captive Portal

The following procedure shows how to configure Captive Portal using the PAN-OS integrated User-ID agent to redirect web requests that match a Captive Portal rule to a redirect host. A redirect host is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which the firewall will redirect requests.
If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don’t need to configure a User-ID agent.
  1. Configure the interfaces that the firewall will use for redirecting web requests, authenticating users, and communicating with directory servers to map usernames to IP addresses.
    The firewall uses the management (MGT) interface for all these functions by default, but you can configure other interfaces. In redirect mode, you must use a Layer 3 interface for redirecting requests.
    1. (MGT interface only) Select …, edit the Management Interface Settings, select the … check box, and click ….
    2. (Non-MGT interface only) Assign an Interface Management profile to the Layer 3 interface that the firewall will use to redirect web requests and communicate with directory servers. You must enable Response Pages in the Interface Management profile.
    3. (Non-MGT interface only) Configure a service route for the interface that the firewall will use to authenticate users. If the firewall has more than one virtual system (vsys), the service route can be global or vsys-specific. The services must include … and potentially the following:
      • Kerberos, …, or …—Configure a service route for one of these services only if you will use it for external authentication.
      • UID Agent—Configure this service route only if you will enable NT LAN Manager (NTLM) authentication or if you will Enable User- and Group-Based Policy.
    4. (Redirect mode only) Create a DNS address (A) record that maps the redirect host to the IP address of the Layer 3 interface. If you will use Kerberos SSO, you must also add a DNS pointer (PTR) record for the reverse mapping, from that IP address back to the redirect host.
    If your network doesn’t support access to the directory servers from any firewall interface, you must Configure User Mapping Using the Windows User-ID Agent.
  2. Make sure Domain Name System (DNS) is configured to resolve your domain controller addresses.
    To verify proper resolution, ping the server FQDN. For example:
    ping host dc1.acme.com
  3. Create a Kerberos keytab for the redirect host.
    Required for Kerberos SSO authentication. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the redirect host (the firewall).
    To support Kerberos SSO, your network must have a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service.
  4. Configure clients to trust Captive Portal certificates.
    Required for redirect mode—to transparently redirect users without displaying certificate errors. You can generate a self-signed certificate or import a certificate that an external certificate authority (CA) signed.
    To use a self-signed certificate, create a root CA certificate and use it to sign the certificate you will use for Captive Portal:
    1. Select Certificate Management > Device Certificates.
    2. Generate a Certificate to use for Captive Portal. Be sure to configure the following fields:
      • Common Name—Enter the DNS name of the intranet host for the Layer 3 interface.
      • Signed By—Select the CA certificate you just created or imported.
      • Certificate Attributes—Click … and add an attribute whose value is the IP address of the Layer 3 interface to which the firewall will redirect requests.
    3. Configure an SSL/TLS Service Profile. Assign the Captive Portal certificate you just created to the profile.
    4. Configure clients to trust the certificate:
      1. Export the CA certificate you created or imported.
      2. Import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory (AD) Group Policy Object (GPO).
  5. Configure an authentication server profile.
    Required for external authentication. If you enable Kerberos SSO or NTLM authentication, the firewall uses the external service only if those methods fail.
    As a best practice, choose Kerberos transparent authentication over NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.
    The PAN-OS web server timeout (default is 3 seconds) must be the same as or greater than the server profile timeout multiplied by the number of servers in the profile. For RADIUS and TACACS+, the default server profile timeout is 3 seconds. For LDAP, the timeout is the total of the Bind Timeout (default is 30 seconds) and Search Timeout (default is 30 seconds) for each server. For Kerberos, the non-configurable timeout can take up to 17 seconds for each server. Also, the Captive Portal session timeout (default is 30 seconds) must be greater than the web server timeout.
    To change the web server timeout, enter the following firewall CLI command, where <value> is 3-30 seconds:
    set deviceconfig setting l3-service timeout <value>
    To change the Captive Portal session timeout, select …, edit the Session Timeouts, and enter a new Captive Portal value in seconds (range is 1-1,599,999). Keep in mind that the more you raise the web server and Captive Portal session timeouts, the slower Captive Portal will respond to users.
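    The timeout rules in this step interact, and they can be impossible to satisfy with default values: an LDAP profile with the default 30-second bind and 30-second search timeouts needs 60 seconds per server, while the web server timeout tops out at 30 seconds. The checker below is an added example, not PAN-OS code. It encodes only the relationships stated above (web server timeout at least the per-server timeout times the server count and within 3-30 seconds; Captive Portal session timeout greater than the web server timeout and within 1-1,599,999 seconds) so that a planned configuration can be verified before it is committed. The `ServerProfile` class and its field names are this example's own, not PAN-OS object names.

```python
"""Check the Captive Portal timeout relationships from the PAN-OS procedure.

Added example, not PAN-OS code. Rules encoded:
  web server timeout >= per-server timeout x number of servers in the profile
  web server timeout must be within 3-30 s (set deviceconfig setting l3-service timeout <value>)
  Captive Portal session timeout > web server timeout, within 1-1,599,999 s
"""
from dataclasses import dataclass
from typing import List

WEB_SERVER_TIMEOUT_RANGE = (3, 30)          # seconds, per the CLI command's allowed range
CP_SESSION_TIMEOUT_RANGE = (1, 1_599_999)   # seconds, Captive Portal session timeout range
KERBEROS_PER_SERVER_TIMEOUT = 17            # non-configurable worst case per Kerberos server


@dataclass
class ServerProfile:
    """Example stand-in for an authentication server profile (field names are this example's)."""
    kind: str                  # "radius", "tacacs+", "ldap" or "kerberos"
    servers: int               # number of servers listed in the profile
    timeout: int = 3           # RADIUS/TACACS+ per-server timeout (default 3 s)
    bind_timeout: int = 30     # LDAP only (default 30 s)
    search_timeout: int = 30   # LDAP only (default 30 s)

    def per_server_timeout(self) -> int:
        """Worst-case seconds the firewall may wait on one server of this profile."""
        kind = self.kind.lower()
        if kind in ("radius", "tacacs+"):
            return self.timeout
        if kind == "ldap":
            return self.bind_timeout + self.search_timeout
        if kind == "kerberos":
            return KERBEROS_PER_SERVER_TIMEOUT
        raise ValueError(f"unknown server profile kind: {self.kind}")


def required_web_server_timeout(profile: ServerProfile) -> int:
    """Smallest web server timeout (seconds) that covers every server in the profile."""
    return profile.per_server_timeout() * profile.servers


def check_timeouts(profile: ServerProfile, web_server_timeout: int,
                   cp_session_timeout: int) -> List[str]:
    """Return the list of violated rules; an empty list means the settings are consistent."""
    problems = []
    lo, hi = WEB_SERVER_TIMEOUT_RANGE
    if not lo <= web_server_timeout <= hi:
        problems.append(f"web server timeout {web_server_timeout}s is outside {lo}-{hi}s")
    needed = required_web_server_timeout(profile)
    if web_server_timeout < needed:
        msg = (f"web server timeout {web_server_timeout}s is below the {needed}s the "
               f"{profile.kind} profile needs for {profile.servers} server(s)")
        if needed > hi:
            # Edge case: no legal web server timeout covers this profile, so the
            # per-server timeouts or the server count have to come down instead.
            msg += f"; even the maximum {hi}s is too low, so shorten the per-server timeouts"
        problems.append(msg)
    lo, hi = CP_SESSION_TIMEOUT_RANGE
    if not lo <= cp_session_timeout <= hi:
        problems.append(f"Captive Portal session timeout {cp_session_timeout}s is outside {lo}-{hi}s")
    if cp_session_timeout <= web_server_timeout:
        problems.append(f"Captive Portal session timeout {cp_session_timeout}s must exceed "
                        f"the web server timeout {web_server_timeout}s")
    return problems


if __name__ == "__main__":
    # Two LDAP servers with default timeouts against the default web server and session timeouts.
    ldap = ServerProfile("ldap", servers=2)
    for line in check_timeouts(ldap, web_server_timeout=3, cp_session_timeout=30):
        print("-", line)
```

    Run it with the profile type and server count you plan to deploy; an empty result means the three timeouts are mutually consistent, and the LDAP case shows why the bind and search timeouts usually have to be lowered from their defaults before Captive Portal can wait for the directory.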
  6. Add an authentication profile.
    The profile defines the authentication methods to use (Kerberos SSO, external service, or local database) when a Captive Portal rule invokes Web Form authentication. Even if you enable NTLM, you must define a secondary authentication method in case NTLM authentication fails or the User-ID agent doesn’t support NTLM.
    If you set the authentication …, specify a RADIUS User Domain in case users don’t enter the domain at login.
    1. If the authentication … is an external service (…, …, or …), select the authentication Server Profile you created.
    2. If you use Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase), and import the Kerberos Keytab you created.
    3. Select … the users and user groups that can authenticate using this profile. If the authentication … is Local Database, add the Captive Portal users or user groups you created. You can select … to allow every user to authenticate. After completing the Allow List, click ….
    If your users are in multiple domains or Kerberos realms, you can create an authentication profile for each domain or realm, assign all the profiles to the authentication sequence, and assign the sequence to the Captive Portal configuration.
  7. (Optional) Configure Client Certificate Authentication.
    You don’t need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both.
    1. Use a root CA certificate to generate a client certificate for each user who will authenticate to Captive Portal. The CA in this case is usually your enterprise CA, not the firewall.
    2. Export the CA certificate in PEM format to a system that the firewall can access.
    3. Import the CA certificate onto the firewall: see Import a Certificate and Private Key. After the import, click the imported certificate, select Trusted Root CA, and click ….
      • In the Username Field drop-down, select the certificate field that contains the user identity information.
      • In the CA Certificates list, click … and select the CA certificate you just imported.
  8. (Optional) Enable NT LAN Manager (NTLM) authentication.
    As a best practice, choose Kerberos transparent authentication over NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain. If you do configure NTLM, the PAN-OS integrated User-ID agent must be able to successfully resolve the DNS name of your domain controller to join the domain.
    1. Select User Identification > User Mapping and edit the Palo Alto Networks User ID Agent Setup section.
    2. On the … tab, select the Enable NTLM authentication processing check box.
    3. Enter the NTLM Domain against which the User-ID agent on the firewall will check NTLM credentials.
    4. In the Admin User Name, …, and Confirm Password fields, enter the username and password of the Active Directory account you created for the User-ID agent.
      Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain.
      Palo Alto Networks recommends that you use a User-ID agent account that is separate from your firewall administrator account.
    5. Click ….
  9. Configure the Captive Portal settings.
    1. Select User Identification > Captive Portal Settings and edit the settings.
    2. Make sure the Enable Captive Portal check box is selected.
    3. Select the SSL/TLS Service Profile you created for redirect requests over TLS.
    4. Select the … (in this example, …).
    5. (Redirect mode only) Specify the Redirect Host name that resolves to the IP address of the Layer 3 interface for redirected requests.
      If users authenticate through Kerberos single sign-on (SSO), the Redirect Host must be the same as the hostname specified in the Kerberos keytab.
    6. Select the authentication method to use if NTLM fails (or if you don’t use NTLM):
      • To use Kerberos SSO, an external server, or the local database, select the Authentication Profile or authentication sequence you created.
      • To use client certificate authentication, select the Certificate Profile you created.
    7. Click … to save the Captive Portal configuration.
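Several steps of this procedure constrain the same few values: step 1.4 wants an A record (and, for Kerberos SSO, a PTR record) for the redirect host, step 3 wants a keytab for that host, step 6.2 notes that the realm is normally the users' DNS domain in uppercase, and step 9.5 requires the Redirect Host to equal the hostname in the keytab. The pre-flight check below is an added example, not PAN-OS code. It tests those relationships against constructed zone data rather than live DNS, and it assumes the keytab principal takes the form HTTP/<redirect host>@<REALM>; that principal format is an assumption of this example, not something the page states.

```python
"""Pre-flight consistency check for a Captive Portal redirect host.

Added example, not PAN-OS code. It checks that the redirect host name, the
A/PTR records and the Kerberos keytab principal agree, as the procedure requires.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data standing in for real DNS records (not real addresses).
SAMPLE_ZONE = {
    "A": {"cpportal": "10.0.0.1"},      # redirect host -> Layer 3 interface IP (step 1.4)
    "PTR": {"10.0.0.1": "cpportal"},    # reverse mapping, required for Kerberos SSO (step 1.4)
}
# Assumed principal form HTTP/<redirect host>@<REALM>; adjust to what your keytab holds.
SAMPLE_KEYTAB_PRINCIPAL = "HTTP/cpportal@ACME.COM"


def split_principal(principal: str) -> Tuple[str, str, str]:
    """Split 'service/host@REALM' into (service, host, realm)."""
    service, sep, rest = principal.partition("/")
    if not sep:
        raise ValueError(f"principal has no service/host part: {principal}")
    host, sep, realm = rest.partition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal}")
    return service, host, realm


def check_redirect_host(redirect_host: str, interface_ip: str,
                        zone: Dict[str, Dict[str, str]], kerberos_sso: bool = False,
                        keytab_principal: Optional[str] = None,
                        dns_domain: Optional[str] = None) -> List[str]:
    """Return the list of mismatches found; an empty list means the settings agree."""
    problems = []
    # The redirect host must be an intranet hostname: no period in the name.
    if "." in redirect_host:
        problems.append(f"redirect host {redirect_host!r} contains a period; use an intranet hostname")
    try:
        ipaddress.ip_address(interface_ip)
    except ValueError:
        problems.append(f"{interface_ip!r} is not a valid IP address")
        return problems
    # Forward lookup: the A record must resolve the redirect host to the Layer 3 interface.
    if zone.get("A", {}).get(redirect_host) != interface_ip:
        problems.append(f"no A record maps {redirect_host} to {interface_ip}")
    if not kerberos_sso:
        return problems
    # Kerberos SSO additionally needs the reverse record and a matching keytab.
    if zone.get("PTR", {}).get(interface_ip) != redirect_host:
        problems.append(f"no PTR record maps {interface_ip} back to {redirect_host} (required for Kerberos SSO)")
    if keytab_principal is None:
        problems.append("Kerberos SSO requires a keytab for the redirect host")
        return problems
    _, host, realm = split_principal(keytab_principal)
    if host != redirect_host:
        problems.append(f"keytab host {host!r} differs from redirect host {redirect_host!r}")
    if realm != realm.upper():
        problems.append(f"Kerberos realm {realm!r} should be uppercase")
    if dns_domain and realm != dns_domain.upper():
        problems.append(f"realm {realm!r} does not match the users' DNS domain {dns_domain!r}")
    return problems


if __name__ == "__main__":
    # A misconfiguration: fully qualified redirect host and a lowercase realm.
    for line in check_redirect_host("cp.acme.com", "10.0.0.1", SAMPLE_ZONE,
                                    kerberos_sso=True,
                                    keytab_principal="HTTP/cp.acme.com@acme.com",
                                    dns_domain="acme.com"):
        print("-", line)
```

Feed it the redirect host, interface address and keytab principal you intend to use, with the records you actually published in place of SAMPLE_ZONE; each returned line names a specific step of the procedure to revisit before users are redirected.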
