<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Captive Portal with VASCO SMS OTP in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-vasco-sms-otp/m-p/14812#M10880</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello folks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope everyone is doing well. I have been stumped over this issue that I am trying to find an effective solution for. One of our customers has requested the need to verify Guest Wireless Users that connect to the network via a Cisco Wireless LAN Controller. What they want to do is force the Guest Wireless users to register their Phone Number so that they may receive a One Time Password so that they can use the company's Internet, and most importantly have the user's name set to the phone number so that it may be logged on the Palo Alto.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have some ideas that may have some flaws, so if someone could point me in the right direction it would be much appreciated. I have set up User-ID so all Domain Users access the internet depending on their user-id. This is working flawlessly at the moment along with GlobalProtect. So obviously any of the wireless guest users that access the internet will not have a user-id as they do not have domain accounts. So I would be able to force them through to the captive portal, and have the Captive Portal authenticate with the Vasco SMS OTP server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, from what I have seen, I am unable to add additional fields to the captive portal other than User/Password. Is there any possibility of adding a custom attribute so that it may be relayed to the Vasco Server? Is there any way this can be done with only the PA and VASCO RADIUS server?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So basically, is there any way that I can force users through captive portal and have the Palo Alto send User-Attributes to the RADIUS server so that a challenge-response can be initiated back to the user?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Or is the only solution to configure 802.1x on the switch and configure Dynamic VLAN Assignment on the WLC and have them authenticate with the Vasco directly before accessing the PA?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If anyone could provide me with their two cents I would forever be in debt.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 07 Sep 2012 16:21:45 GMT</pubDate>
    <dc:creator>sbarghouthi</dc:creator>
    <dc:date>2012-09-07T16:21:45Z</dc:date>
    <item>
      <title>Captive Portal with VASCO SMS OTP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-vasco-sms-otp/m-p/14812#M10880</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello folks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope everyone is doing well. I have been stumped over this issue that I am trying to find an effective solution for. One of our customers has requested the need to verify Guest Wireless Users that connect to the network via a Cisco Wireless LAN Controller. What they want to do is force the Guest Wireless users to register their Phone Number so that they may receive a One Time Password so that they can use the company's Internet, and most importantly have the user's name set to the phone number so that it may be logged on the Palo Alto.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have some ideas that may have some flaws, so if someone could point me in the right direction it would be much appreciated. I have set up User-ID so all Domain Users access the internet depending on their user-id. This is working flawlessly at the moment along with GlobalProtect. So obviously any of the wireless guest users that access the internet will not have a user-id as they do not have domain accounts. So I would be able to force them through to the captive portal, and have the Captive Portal authenticate with the Vasco SMS OTP server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, from what I have seen, I am unable to add additional fields to the captive portal other than User/Password. Is there any possibility of adding a custom attribute so that it may be relayed to the Vasco Server? Is there any way this can be done with only the PA and VASCO RADIUS server?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So basically, is there any way that I can force users through captive portal and have the Palo Alto send User-Attributes to the RADIUS server so that a challenge-response can be initiated back to the user?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Or is the only solution to configure 802.1x on the switch and configure Dynamic VLAN Assignment on the WLC and have them authenticate with the Vasco directly before accessing the PA?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If anyone could provide me with their two cents I would forever be in debt.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 07 Sep 2012 16:21:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-vasco-sms-otp/m-p/14812#M10880</guid>
      <dc:creator>sbarghouthi</dc:creator>
      <dc:date>2012-09-07T16:21:45Z</dc:date>
    </item>
    <item>
      <title>Re: Captive Portal with VASCO SMS OTP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-vasco-sms-otp/m-p/14813#M10881</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Barghouthi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you want SMS OTP sent by Vasco to your guest users, somehow you should have already created your user database on the Vasco database (or users should already reside in Identikey's backend database). Therefore just passing some User-Attributes from the Captive Portal page to Vasco's Identikey won't be enough. There is the question of who manages the guest user provisioning process.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For those purposes, Vasco’s RADIUS solution Identikey offers a mini web site called “OTP Request Site”, available during the installation. When you deploy Identikey at your customer, you can modify the Captive Portal response page to include some descriptive text instructing guest users to visit that particular URL, letting them do their self-service account creation (if this is their first use of the customer network), enter their mobile number, request OTP over SMS, etc. (from Guest-Zone; to OTP-Request-Server; application web-browsing; should be allowed by the policy on your fw). Then, guest users can submit their own-created username and SMS OTP to our Captive Portal prompt and get authenticated by Identikey over RADIUS. FW admins of your customer never deal with creating/deleting users.&lt;/P&gt;&lt;P&gt;Attached is sample code for a modified Captive Portal page. I modified an existing sample. I don't have much expertise in HTML code, therefore you'd better get it formatted more elegantly by someone who knows HTML better than me.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rgrds,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hakan Unsal&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 13 Sep 2012 09:38:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/captive-portal-with-vasco-sms-otp/m-p/14813#M10881</guid>
      <dc:creator>HRU</dc:creator>
      <dc:date>2012-09-13T09:38:07Z</dc:date>
    </item>
  </channel>
</rss>

