Paloalto firewall captive portal
From Notes_Wiki
Home > Enterprise security devices or applications > Paloalto firewall > Captive Portal
Configure a captive portal with AD authentication
For a captive portal authenticated against AD we need to add an LDAP server profile, create group mapping, create an authentication profile and optionally an authentication sequence, as explained at Paloalto firewall AD integration. For the captive portal select an appropriate AD group, e.g. "Captive Portal Users", instead of the VPN-related group used in the linked article.
Assuming the following has already been done using the above reference:
- Configure the LDAP server profile
- Configure group mapping for the LDAP server
- Create an authentication profile based on the LDAP server and group mapping
- (Optional) Create the required local users and groups
- Use lowercase letters for usernames, as usernames are case-sensitive
- A username can be changed without changing its password
- (Optional) Create an authentication sequence in which local authentication is tried first and AD authentication second, then test it as described under "Test AD integration with Admin roles"
- It is important to use AD for the captive portal, because there is no easy way for local firewall users to change their own passwords
After the above, specifically for the captive portal:
- Log in to the Palo Alto firewall
- Go to "Device" -> "User Identification" -> "Authentication Portal Settings"
- Click the gear icon to open the settings dialog
- Ensure "Enable Authentication Portal" is selected
- Under "Authentication Profile" choose the LDAP-based profile, or the authentication sequence, which allows both local and AD-based logins
- Set Mode to "Redirect"
- Set the Idle Timer to 300 (the value is in minutes)
- Enable the session cookie with a timeout of 1440 (minutes, i.e. 24 hours) and with Roaming enabled
- Without this, users get logged out frequently, which creates usability issues. When such problems occur, sites randomly stop opening and Internet access stops without any proper redirection to the captive portal; opening a new site such as google.com or sbarjatiya.com may only show a browser prompt saying that network authentication is required to continue.
- In Redirect Host give the firewall's LAN management IP address. This is the IP at which the firewall's web interface is reached for management, not the gateway IP that devices use to route traffic through the firewall. The address must belong to an interface whose management profile permits Response Pages (configured in the next steps), and the certificate in the portal's SSL/TLS service profile should match this address, otherwise browsers warn on the redirect.
- Click OK
- Go to "Network" -> "Network Profiles" -> "Interface Mgmt"
- Edit the management profile used by the LAN interface
- Ensure "Response Pages" and "User-ID" are selected, then click OK
- Go to "Network" -> "Zones" and select the LAN zone (typically named 'LAN')
- Tick "Enable User Identification" and click OK
- Go to "Objects" -> "Authentication" and click "Add"
- Add an authentication enforcement object with the desired name
- Set Authentication Method to "web-form"
- Select the appropriate authentication profile (or, preferably, the authentication sequence)
- Click OK to add the authentication enforcement object
- Go to "Policies" -> "Authentication" and add an authentication policy rule with the desired name
- In the rule choose Source Zone "LAN"
- If the rule should apply only to a few selected addresses (good for testing before implementing it org-wide), specify those IP addresses (/32) as source addresses
- In Destination choose the "WAN" zone
- In Service/URL Category ensure that only service-http and service-https are selected. The portal can only intercept web traffic; if other services (DNS, SSH, etc.) matched the rule, unauthenticated clients would simply be blocked on them with no redirect to the portal
- Under Actions choose the authentication enforcement object created in the previous steps
- Click OK to add the authentication policy rule
- Test the captive portal from the source addresses specified in the authentication policy rule. If it works as expected, optionally enable it for the whole organization
- You can exempt a few IPs from the rule, e.g. servers or devices that need Internet access but have no way to go through the captive portal (such as command-line-only servers without a GUI for portal authentication). The same may be required for appliances such as VMware vCenter
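Two checks a practitioner can run when testing the rule from the listed source addresses, as an added example that is not part of the original page or Palo Alto Networks' own tooling. First, the client's first plain-HTTP request should be answered by the firewall with a 302 to https://<Redirect Host>/... (in redirect mode PAN-OS serves the portal on TCP 6082, which the code assumes but does not require). Second, once the user has logged in, `show user ip-user-mapping all` fetched over the XML API (an op command with `type=op`) should list the client IP with type CP and the expected user. The redirect host 192.0.2.10, the client IPs, the usernames and the HTTP/XML samples are all constructed for the example; `fetch_mapping()` is the only function that talks to a real firewall and is not exercised by the samples.

```python
"""Offline checks for a PAN-OS authentication (captive) portal rollout.
Example code added to the wiki page; sample data below is constructed."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

REDIRECT_HOST = "192.0.2.10"   # assumed: the Redirect Host configured on the firewall
PORTAL_PORT = 6082             # assumed: default port of the redirect-mode portal


def classify_probe(status, headers, redirect_host=REDIRECT_HOST):
    """Classify the response a test client gets to e.g. GET http://example.com/.

    'intercepted'  302 to https://<redirect_host>... : the portal is working
    'passed'       2xx : client is exempt or already authenticated
    'misdirected'  3xx to another host: wrong Redirect Host, or the site's own redirect
    'blocked'      anything else (4xx/5xx, or a 3xx without Location)
    """
    if 200 <= status < 300:
        return "passed"
    if 300 <= status < 400:
        location = headers.get("Location") or headers.get("location")
        if not location:
            return "blocked"
        parts = urllib.parse.urlsplit(location)
        if parts.scheme == "https" and parts.hostname == redirect_host:
            return "intercepted"
        return "misdirected"
    return "blocked"


def parse_ip_user_mapping(xml_text):
    """Parse the XML API reply to `show user ip-user-mapping all` into
    {ip: (user, type)}; type is CP for portal logins, UIA for agent mappings."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call failed: " + ET.tostring(root, encoding="unicode"))
    mapping = {}
    for entry in root.iter("entry"):
        ip, user = entry.findtext("ip"), entry.findtext("user")
        if ip and user:
            mapping[ip] = (user, (entry.findtext("type") or "").upper())
    return mapping


def check_client(mapping, ip, expected_user):
    """True when the test client is mapped to expected_user via the portal (CP).
    The comparison is exact: PAN-OS usernames are case-sensitive."""
    return mapping.get(ip) == (expected_user, "CP")


def fetch_mapping(fw_host, api_key, verify_tls=True):
    """Live variant: pull the mapping from the firewall's XML API.
    api_key comes from /api/?type=keygen&user=...&password=... beforehand."""
    cmd = "<show><user><ip-user-mapping><all/></ip-user-mapping></user></show>"
    url = "https://%s/api/?%s" % (fw_host, urllib.parse.urlencode(
        {"type": "op", "cmd": cmd, "key": api_key}))
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return parse_ip_user_mapping(resp.read().decode())


# --- constructed samples -----------------------------------------------------
SAMPLE_INTERCEPT = (302, {"Location":
    "https://192.0.2.10:6082/php/uid.php?vsys=1&rule=0&url=http%3A%2F%2Fexample.com%2F"})
SAMPLE_PASSED = (200, {"Content-Type": "text/html"})
SAMPLE_WRONG_HOST = (302, {"Location": "https://10.0.0.1:6082/php/uid.php?vsys=1&rule=0"})

SAMPLE_MAPPING_XML = """<response status="success"><result>
<entry><ip>10.10.10.25</ip><vsys>vsys1</vsys><type>CP</type><user>example\\alice</user><idle>3560</idle><timeout>3560</timeout></entry>
<entry><ip>10.10.10.40</ip><vsys>vsys1</vsys><type>UIA</type><user>example\\svc-backup</user><idle>900</idle><timeout>900</timeout></entry>
</result></response>"""

if __name__ == "__main__":
    for name, sample in (("intercept", SAMPLE_INTERCEPT), ("passed", SAMPLE_PASSED),
                         ("wrong-host", SAMPLE_WRONG_HOST)):
        print("%-10s -> %s" % (name, classify_probe(*sample)))
    m = parse_ip_user_mapping(SAMPLE_MAPPING_XML)
    print("10.10.10.25 logged in via portal:", check_client(m, "10.10.10.25", "example\\alice"))
    print("10.10.10.40 logged in via portal:", check_client(m, "10.10.10.40", "example\\svc-backup"))
```

Run the probe from one of the /32 test addresses with `curl -sI http://example.com/` and feed the status and Location header to `classify_probe()`; a "misdirected" result usually means the Redirect Host is the gateway IP rather than the management IP. An exempt address (see the exception rule below) should classify as "passed" and never appear with type CP in the mapping.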
Create an exception for the captive portal
Under "Policies" -> "Authentication", add a rule above the default rule whose source is the exempt addresses (or all users, as required) and whose Authentication Enforcement is set to none, i.e. the predefined "default-no-captive-portal" object. Rules are evaluated top-down, so this rule must sit above the enforcing rule.