https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14429#M10615 <HTML><HEAD></HEAD><BODY><P>Scenario:</P><P></P><P>I want to authenticate unknown users from my network to the internet.</P><P>I´m able to authenticate users in my ldap server using the web form, from my captive-portal in my pa-500.</P><P>But my issue is this:</P><P>Before the users receiving the portal page they receive the error in the browser saying, that is an invalid certificate. I understand this, because I’m using the pa certificate witch is invalid. Not a public one.</P><P>My question is: can I use the captive portal, just in http??? Pa intercepts for authentication in https: but the form is in http. Is there any change to intercept and prompt credentials in http:</P><P>Or I must buy a public certificate? I can´t use an internal certificate using the active directory, because I’ve got some machines not joined to the domain. Appreciate some help.</P><P></P></BODY></HTML> Wed, 13 Mar 2013 11:15:32 GMT helder_teixeira 2013-03-13T11:15:32Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14429#M10615 <HTML><HEAD></HEAD><BODY><P>Scenario:</P><P></P><P>I want to authenticate unknown users from my network to the internet.</P><P>I´m able to authenticate users in my ldap server using the web form, from my captive-portal in my pa-500.</P><P>But my issue is this:</P><P>Before the users receiving the portal page they receive the error in the browser saying, that is an invalid certificate. I understand this, because I’m using the pa certificate witch is invalid. Not a public one.</P><P>My question is: can I use the captive portal, just in http??? Pa intercepts for authentication in https: but the form is in http. Is there any change to intercept and prompt credentials in http:</P><P>Or I must buy a public certificate? I can´t use an internal certificate using the active directory, because I’ve got some machines not joined to the domain. Appreciate some help.</P><P></P></BODY></HTML> Wed, 13 Mar 2013 11:15:32 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14429#M10615 helder_teixeira 2013-03-13T11:15:32Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14430#M10616 <HTML><HEAD></HEAD><BODY><P>If you have a few non domain machines, is it possible to manually have these users install the CA in the trusted CA store?</P><P>You can generate a CA on the PA device (or use your internal windows CA) &amp; use it to generate the captive portal certificate. You can then export this CA out of the PA &amp; possibly push it out through GPO to your domain machines.</P><P>Authentication in the clear may not be a good idea, since a sniffer on the wire may be used to get access to the credentials being used.</P></BODY></HTML> Wed, 13 Mar 2013 13:03:13 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14430#M10616 goku123 2013-03-13T13:03:13Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14431#M10617 <HTML><HEAD></HEAD><BODY><P>I agree with achitwadgi.&nbsp; Would like to add that a public cert is not that expensive if you want to avoid the warning messages.&nbsp; We have a public cert for our PA5000s.&nbsp; We have a self signed cert for our PA-500 which we use in a test environment and guest access.</P></BODY></HTML> Wed, 13 Mar 2013 13:29:28 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14431#M10617 HITSSEC 2013-03-13T13:29:28Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14432#M10618 <HTML><HEAD></HEAD><BODY><P>I know about the public certificate, because I have several customers with the public certificate. The sniffer, is not an issue to me in the internal network, but I would like to know, how to make it possible without https in captive portal. </P></BODY></HTML> Wed, 13 Mar 2013 14:25:14 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal/m-p/14432#M10618 helder_teixeira 2013-03-13T14:25:14Z