Configure Captive Portal
The following procedure shows how to configure Captive Portal using the PAN-OS integrated User-ID agent to redirect web requests that match a Captive Portal rule to a redirect host. A redirect host is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which the firewall will redirect requests.
If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don’t need to configure a User-ID agent.
- Configure the interfaces that the firewall will use for redirecting web requests, authenticating users, and communicating with directory servers to map usernames to IP addresses. The firewall uses the management (MGT) interface for all these functions by default, but you can configure other interfaces. In redirect mode, you must use a Layer 3 interface for redirecting requests.
  - (MGT interface only) Select Device > Setup > Management, edit the Management Interface Settings, select the User-ID check box, and click OK.
  - (Non-MGT interface only) Assign an Interface Management profile to the Layer 3 interface that the firewall will use to redirect web requests and communicate with directory servers. You must enable Response Pages and User-ID in the Interface Management profile.
  - (Non-MGT interface only) Configure a service route for the interface that the firewall will use to authenticate users. If the firewall has more than one virtual system (vsys), the service route can be global or vsys-specific. The services must include LDAP and potentially the following:
    - Kerberos, RADIUS, or TACACS+—Configure a service route for one of these services only if you will use it for external authentication.
- (Redirect mode only) Create a DNS address (A) record that maps the IP address on the Layer 3 interface to the redirect host. If you will use Kerberos SSO, you must also add a DNS pointer (PTR) record that performs the same mapping.
- Make sure Domain Name System (DNS) is configured to resolve your domain controller addresses. To verify proper resolution, ping the server FQDN. For example: admin@PA-200> ping host dc1.acme.com
- Create a Kerberos keytab for the redirect host. Required for Kerberos SSO authentication. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the redirect host (the firewall). To support Kerberos SSO, your network must have a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service.
- Configure clients to trust Captive Portal certificates. Required for redirect mode—to transparently redirect users without displaying certificate errors. You can generate a self-signed certificate or import a certificate that an external certificate authority (CA) signed. To use a self-signed certificate, create a root CA certificate and use it to sign the certificate you will use for Captive Portal:
  - Select Device > Certificate Management > Certificates > Device Certificates.
  - Generate a Certificate to use for Captive Portal. Be sure to configure the following fields:
    - Common Name—Enter the DNS name of the intranet host for the Layer 3 interface.
    - Signed By—Select the CA certificate you just created or imported.
    - Certificate Attributes—Click Add, for the Type select IP and, for the Value, enter the IP address of the Layer 3 interface to which the firewall will redirect requests.
  - Configure an SSL/TLS Service Profile. Assign the Captive Portal certificate you just created to the profile.
  - Configure clients to trust the certificate:
    - Import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory (AD) Group Policy Object (GPO).
- Configure an authentication server profile. Required for external authentication. If you enable Kerberos SSO or NTLM authentication, the firewall uses the external service only if those methods fail. As a best practice, choose Kerberos transparent authentication over NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain. The PAN-OS web server timeout (default is 3 seconds) must be the same as or greater than the server profile timeout multiplied by the number of servers in the profile. For RADIUS and TACACS+, the default server profile Timeout is 3 seconds. For LDAP, the timeout is the total of the Bind Timeout (default is 30 seconds) and Search Timeout (default is 30 seconds) for each server. For Kerberos, the non-configurable timeout can take up to 17 seconds for each server. Also, the Captive Portal session timeout (default is 30 seconds) must be greater than the web server timeout. To change the web server timeout, enter the following firewall CLI command, where <value> is 3-30 seconds: set deviceconfig setting l3-service timeout <value>. To change the Captive Portal session timeout, select Device > Setup > Session, edit the Session Timeouts, and enter a new Captive Portal value in seconds (range is 1-1,599,999). Keep in mind that the more you raise the web server and Captive Portal session timeouts, the slower Captive Portal will respond to users.
- Add an authentication profile. The profile defines the authentication methods to use (Kerberos SSO, external service, or local database) when a Captive Portal rule invokes Web Form authentication. Even if you enable NTLM, you must define a secondary authentication method in case NTLM authentication fails or the User-ID agent doesn’t support NTLM. If you set the authentication Type to RADIUS, specify a RADIUS User Domain in case users don’t enter the domain at login.
  - If the authentication Type is an external service (RADIUS, TACACS+, LDAP, or Kerberos), select the authentication Server Profile you created.
  - If you use Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase), and import the Kerberos Keytab you created.
  - Select Advanced and Add the users and user groups that can authenticate using this profile. If the authentication Type is Local Database, add the Captive Portal users or user groups you created. You can select all to allow every user to authenticate. After completing the Allow List, click OK. If your users are in multiple domains or Kerberos realms, you can create an authentication profile for each domain or realm, assign all the profiles to the authentication sequence, and assign the sequence to the Captive Portal configuration.
- (Optional) Configure Client Certificate Authentication. You don’t need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both.
  - Use a root CA certificate to generate a client certificate for each user who will authenticate to Captive Portal. The CA in this case is usually your enterprise CA, not the firewall.
  - Export the CA certificate in PEM format to a system that the firewall can access.
  - Import the CA certificate onto the firewall: see Import a Certificate and Private Key. After the import, click the imported certificate, select Trusted Root CA, and click OK.
  - In the Username Field drop-down, select the certificate field that contains the user identity information.
  - In the CA Certificates list, click Add and select the CA certificate you just imported.
- (Optional) Enable NT LAN Manager (NTLM) authentication. As a best practice, choose Kerberos transparent authentication over NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain. If you do configure NTLM, the PAN-OS integrated User-ID agent must be able to successfully resolve the DNS name of your domain controller to join the domain.
  - If you haven’t already done so, Create a Dedicated Service Account for the User-ID Agent.
  - Select Device > User Identification > User Mapping and edit the Palo Alto Networks User ID Agent Setup section.
  - On the NTLM tab, select the Enable NTLM authentication processing check box.
  - Enter the NTLM Domain against which the User-ID agent on the firewall will check NTLM credentials.
  - In the Admin User Name, Password, and Confirm Password fields, enter the username and password of the Active Directory account you created for the User-ID agent. Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain. Palo Alto Networks recommends that you use a User-ID agent account that is separate from your firewall administrator account.
- Configure the Captive Portal settings.
  - Select Device > User Identification > Captive Portal Settings and edit the settings.
  - Make sure the Enable Captive Portal check box is selected.
  - Select the SSL/TLS Service Profile you created for redirect requests over TLS.
  - Select the Mode (in this example, Redirect).
  - (Redirect mode only) Specify the Redirect Host name that resolves to the IP address of the Layer 3 interface for redirected requests.
  - Select the authentication method to use if NTLM fails (or if you don’t use NTLM):
    - To use Kerberos SSO, an external server, or the local database, select the Authentication Profile or authentication sequence you created.
    - To use client certificate authentication, select the Certificate Profile you created.
  - Click OK and Commit to save the Captive Portal configuration.
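The authentication server profile step above gives three timeout rules that are easy to violate once a profile has several servers (web server timeout >= per-server timeout x number of servers, web server timeout within 3-30 seconds, Captive Portal session timeout greater than the web server timeout). The following added example, which is not Palo Alto Networks code, encodes those rules so a configuration can be checked before commit; the ServerProfile model and function names are constructed for this illustration.

```python
from dataclasses import dataclass

# PAN-OS values quoted in the procedure above.
WEB_SERVER_TIMEOUT_RANGE = (3, 30)       # set deviceconfig setting l3-service timeout <value>
SESSION_TIMEOUT_RANGE = (1, 1_599_999)   # Device > Setup > Session > Captive Portal
KERBEROS_TIMEOUT = 17                    # non-configurable, up to 17 s per server


@dataclass
class ServerProfile:
    """Constructed model of an authentication server profile (not a PAN-OS API)."""
    auth_type: str            # "RADIUS", "TACACS+", "LDAP" or "Kerberos"
    servers: int              # number of servers in the profile
    timeout: int = 3          # RADIUS/TACACS+ Timeout (default 3 s)
    bind_timeout: int = 30    # LDAP Bind Timeout (default 30 s)
    search_timeout: int = 30  # LDAP Search Timeout (default 30 s)

    def per_server_timeout(self) -> int:
        if self.auth_type in ("RADIUS", "TACACS+"):
            return self.timeout
        if self.auth_type == "LDAP":
            return self.bind_timeout + self.search_timeout
        if self.auth_type == "Kerberos":
            return KERBEROS_TIMEOUT
        raise ValueError(f"unknown authentication type: {self.auth_type}")

    def required_web_server_timeout(self) -> int:
        """Web server timeout must be >= per-server timeout x number of servers."""
        return self.per_server_timeout() * self.servers


def check_timeouts(profile, web_server_timeout, session_timeout):
    """Return findings for an inconsistent configuration; an empty list means it is OK."""
    findings = []
    lo, hi = WEB_SERVER_TIMEOUT_RANGE
    if not lo <= web_server_timeout <= hi:
        findings.append(f"web server timeout {web_server_timeout}s is outside {lo}-{hi}s")
    lo, hi = SESSION_TIMEOUT_RANGE
    if not lo <= session_timeout <= hi:
        findings.append(f"session timeout {session_timeout}s is outside {lo}-{hi}s")
    required = profile.required_web_server_timeout()
    if web_server_timeout < required:
        findings.append(f"web server timeout {web_server_timeout}s < {required}s needed for "
                        f"{profile.servers} {profile.auth_type} server(s)")
    if session_timeout <= web_server_timeout:
        findings.append(f"session timeout {session_timeout}s must exceed web server "
                        f"timeout {web_server_timeout}s")
    return findings
```

Note that an LDAP profile with the default Bind and Search timeouts needs 60 seconds per server, which the 3-30 second web server range cannot accommodate; the checker reports that as a range finding rather than silently passing.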