Captive Portal Authentication Methods
Captive Portal uses the following methods to authenticate users whose web requests match Authentication Policy rules:
The firewall uses Kerberos single sign-on (SSO) to transparently obtain user credentials from the browser. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account.
If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don’t configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Authentication policy and Captive Portal configuration.
Kerberos SSO is preferable to NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.
NT LAN Manager (NTLM)
The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can’t perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Authentication policy and Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM but you can’t use NTLM to authenticate non-Windows clients.
The firewall redirects web requests to a web form for authentication. For this method, you can configure Authentication policy to use Multi-Factor Authentication (MFA), SAML, Kerberos, TACACS+, RADIUS, or LDAP authentication. Although users have to manually enter their login credentials, this method works with all browsers and operating systems.
Client Certificate Authentication
The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.
Objects > Authentication
Objects > Authentication An authentication enforcement object specifies the method and service to use for authenticating end users who access your network resources. You assign ...
Device > User Identification > Captive Portal Settings
Device > User Identification > Captive Portal Settings Edit ( ) the Captive Portal Settings to configure the firewall to authenticate users whose traffic matches ...
Configure Authentication Policy
Configure Authentication Policy Perform the following steps to configure Authentication policy for end users who access services through Captive Portal. Before starting, ensure that your ...
NTLM Authentication Device User Identification User Mapping Palo Alto Networks User-ID Agent Setup NTLM You can use NT LAN Manager (NTLM) to authenticate only Windows ...
Configure Captive Portal
Configure Captive Portal The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests ...
Kerberos Kerberos is an authentication protocol that enables a secure exchange of information between parties over an insecure network using unique keys (called tickets) to ...
Captive Portal Modes
Captive Portal Modes The Captive Portal mode defines how the firewall captures web requests for authentication: Mode Description Transparent The firewall intercepts the browser traffic ...
Configure an Authentication Profile and Sequence
Configure an Authentication Profile and Sequence An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web ...
Authentication Authentication is a method for protecting services and applications by verifying the identities of users so that only legitimate users have access. Several firewall ...