Issue
The Palo Alto Networks firewall is configured for NTLM Captive Portal to authenticate users. An unknown user attempts to access a web page and the Captive Portal policy brings up the authentication page. However, once authenticated, the original user-intended destination site does not load. Instead, a connection timeout message appears:
Note: In PAN-OS 5.0, the NTLM action is labeled 'browser-challenge'. In PAN-OS 4.0, 4.1 the same action is labeled 'ntlm-auth'.
Resolution
Although the NTLM method of Captive Portal authentication does not require any user intervention, it does require Response Pages to be enabled in the interface management profile of the firewall interface that Captive Portal redirects to.
1. Go to Network > Network Profiles > Interface Mgmt.
2. Select the interface management profile applied to the captive portal redirected interface.
3. Enable Response Pages.
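As an added example (not part of this article or of PAN-OS itself), the check in the three steps above can be scripted: the script below parses a config export in the running-config XML layout (the element names `interface-management-profile`, `response-pages` and `layer3` are assumed to match what your firewall exports; verify against your own `show config running` output) and reports every Layer 3 interface whose management profile does not enable Response Pages.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed PAN-OS running-config layout: two
# management profiles and three Layer 3 interfaces. Only "allow-cp" enables
# Response Pages, which is what the NTLM browser-challenge redirect needs.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><network>
  <profiles><interface-management-profile>
    <entry name="allow-cp"><response-pages>yes</response-pages><ping>yes</ping></entry>
    <entry name="ping-only"><ping>yes</ping></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
    <entry name="ethernet1/2"><layer3>
      <interface-management-profile>allow-cp</interface-management-profile></layer3></entry>
    <entry name="ethernet1/3"><layer3>
      <interface-management-profile>ping-only</interface-management-profile></layer3></entry>
    <entry name="ethernet1/4"><layer3/></entry>
  </ethernet></interface>
</network></entry></devices></config>"""


def response_page_profiles(root):
    """Map each management profile name to True when <response-pages> is 'yes'."""
    result = {}
    for prof in root.iterfind(".//interface-management-profile/entry"):
        flag = prof.findtext("response-pages", default="no")
        result[prof.get("name")] = flag.strip().lower() == "yes"
    return result


def audit_interfaces(config_xml):
    """Return {interface name: status} where status is 'ok' (Response Pages
    enabled), 'no-response-pages' (profile attached but flag off or unknown
    profile) or 'missing' (no management profile attached at all)."""
    root = ET.fromstring(config_xml)
    profiles = response_page_profiles(root)
    status = {}
    for iface in root.iterfind(".//interface/ethernet/entry"):
        name = iface.get("name")
        prof = iface.findtext("layer3/interface-management-profile")
        if prof is None:
            status[name] = "missing"
        elif profiles.get(prof, False):
            status[name] = "ok"
        else:
            status[name] = "no-response-pages"
    return status


if __name__ == "__main__":
    for iface, state in audit_interfaces(SAMPLE_CONFIG).items():
        print(f"{iface}: {state}")
```

Any interface listed as `missing` or `no-response-pages` that is also the Captive Portal redirect interface will produce exactly the timeout described above.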
Troubleshooting
Tips to troubleshoot NTLM Captive Portal:
- A User-ID Agent should be running in the network.
- The web browser client should support NTLM; if it is not enabled by default, enable it where applicable. The IE browser should not have issues.
- Make sure that Enable User Identification is checked on the applicable zone (on the Network > Zone page).
- The Redirect method is recommended for NTLM authentication.
- Ensure that Captive Portal rules are created and allow the source users. For example:
  test cp-policy-match source 192.168.10.1 destination 4.2.2.2
- CLI commands to view applicable logs:
  # debug l3svc on debug
  # less mp-log appweb3-l3svc.log
  # debug l3svc on info
- CLI commands to clear the username in the firewall if already detected:
  > clear user-cache all
  > clear user-cache-mp all
- The user should be identified as authenticated through "NTLM" with the following command:
  > show user ip-user-mapping ip 192.168.10.1
See Also
Troubleshooting Captive Portal Redirect Page Issues
owner: ssunku