https://live.paloaltonetworks.com/t5/next-generation-firewall/using-captive-portal-and-azure-ad-for-user-network/m-p/518736#M498 <P>Is there any documentation available on how to achieve this for general user network access? I assume the network has to be set up with a captive portal, but traffic to identity provider for SAML exchange need to be allowed even before the user gets general network access. Is this possible through IP/DNS whitelists?</P> Fri, 21 Oct 2022 15:04:05 GMT JHOOPA 2022-10-21T15:04:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/using-captive-portal-and-azure-ad-for-user-network/m-p/518736#M498 <P>Is there any documentation available on how to achieve this for general user network access? I assume the network has to be set up with a captive portal, but traffic to identity provider for SAML exchange need to be allowed even before the user gets general network access. Is this possible through IP/DNS whitelists?</P> Fri, 21 Oct 2022 15:04:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/using-captive-portal-and-azure-ad-for-user-network/m-p/518736#M498 JHOOPA 2022-10-21T15:04:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/using-captive-portal-and-azure-ad-for-user-network/m-p/518739#M500 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/250609">@JHOOPA</a> ,</P> <P>&nbsp;</P> <P>You are correct, I can't find any documentation either.&nbsp; I have configured the authentication portal for network access, and not just for IP-User-Mapping.&nbsp; You would follow this doc -&gt; <A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal</A>.</P> <P>&nbsp;</P> <P>For my case, it was a web app and the redirection occurred within HTTPS.&nbsp; The server for which I was requiring additional authentication was specified in the destination of the authentication policy.&nbsp; Once I logged into the portal, the web page behind the firewall came up.&nbsp; The 1st note in the above URL is extremely important.&nbsp; If you want to redirect HTTPS, you will need to enable SSL Decryption.</P> <P>&nbsp;</P> <P>If you want to use the authentication portal for "general user network access" as you say, you would have to have the user manually login to the portal or use "the native captive portal assistant built in to the endpoint operating system (OS)."&nbsp; <A href="https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/captive-portal-and-enforce-globalprotect-for-network-access" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/captive-portal-and-enforce-globalprotect-for-network-access</A></P> <P>&nbsp;</P> <P>The authentication portal is a good option, but requires a lot of steps to configure.&nbsp; For general user network access, you may also want to consider alternative methods such as User-ID in the security policy, which also requires authentication.&nbsp; If no method of User-ID is available, GlobalProtect with an internal gateway with no tunnel is an option.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>Edit:&nbsp; Here is an additional link -&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCEzCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCEzCAO</A>.</P> <P>&nbsp;</P> Fri, 21 Oct 2022 17:57:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/using-captive-portal-and-azure-ad-for-user-network/m-p/518739#M500 TomYoung 2022-10-21T17:57:47Z