topic Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback in General Topics

Captive portal auth with Client Certificate as first auth method and local auth as fallback

karimanizer — Sat, 23 Feb 2019 16:02:16 GMT

Hello team,

To identify my users, I have used Captive Portal with ldap authentication profile.

Then I removed the ldap from the captive protal config and added a "Certificate profile", and it works well as well.

However, when I assign both an ldap profile AND a certificate profile to my captive portal configuration (Device> User Identification> Captive Portal settings), the paloalto first ask me to provide a client certificat then it allways prompt me for username/ password .... which is not something I want.

My question is the following, is there a way to configure to paloalto so that if the client certificate authentication succeed then it doesn't prompt us for username/password. And if the client certificat authentication fails then it does prompt us for username password.

I'm in lab environment and I can show my config,

Many thanks for your help

karim benyelloul

Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback

karimanizer — Mon, 25 Feb 2019 09:37:13 GMT

anyone ? 😞

Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback

reaper — Mon, 25 Feb 2019 09:51:57 GMT

Client certificates are a strict authentication method that it is part of the handshake whereas username/password happen after a connection is established

It is inefficient to first establish a session that requires a client certificate, to then restart a new session that doesn't require a client certificate

Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback

Chacko42 — Mon, 25 Feb 2019 10:03:53 GMT

Dear @karimanizer,

"You don’t need an authentication profile or sequence for client certificate authentication. If
you configure both an authentication profile/sequence and certificate authentication, users
must authenticate using both."

Admin Guide 8.1 page 466

So it's expected behavior to have both validated

Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback

karimanizer — Mon, 25 Feb 2019 10:31:05 GMT

Hi @reaper ,

Thanks for your reply,

| It is inefficient to first establish a session that requires a client certificate, to then restart a new session that doesn't require a client certificate

This is not what I was expecting to happen. For me client certificate authentication is a relyable authenticate method by itself, and the firewall does not need to ask the user to enter its username/password to validate its identity.

The senario I was expecting looks like this:

if { client_certificate auth is sucessful } 
      get the username from the certificat and map it to its IP adress. 
else
      prompt the user to enter username/password.

Is it because the firewall sees it as a different authentication factor "something the user have" ? instead of the username/password which are "something the user know"?

many thanks,

Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback

reaper — Mon, 25 Feb 2019 12:26:50 GMT

This is not what I was expecting to happen. For me client certificate authentication is a relyable authenticate method by itself, and the firewall does not need to ask the user to enter its username/password to validate its identity.

this is correct, you do not need to add an additional username and password after the clienbt cert is validated, but you can as an additional form of authentication

The senario I was expecting looks like this:
if { client_certificate auth is sucessful } 
      get the username from the certificat and map it to its IP adress. 
else
      prompt the user to enter username/password.
Is it because the firewall sees it as a different authentication factor "something the user have" ? instead of the username/password which are "something the user know"?

well, no

The delivery mechanism for these 2 forms of authentication is completely different

the client certificate is exchanged as part of the ssl handshake (layer 6) while the username/password is essentially a web form (layer7)

You can't get to layer 7 whithout passing through layer6, this is why a client certificate can't be an OR condition, but authentication methods (ldap, kerberos, radius,..) can

Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback

reaper — Tue, 26 Feb 2019 12:17:04 GMT

To touch back on this subject, in the GlobalProtect agent (because it is a piece of software), you DO have this option

In case you really need this :

Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback

karimanizer — Mon, 04 Mar 2019 10:05:45 GMT

Many thanks!

Re: Captive portal auth with Client Certificate as first auth method and local auth as fallback

AlexCalderar — Thu, 07 Nov 2024 20:44:03 GMT

ing to configure my captive portal to auth just with a cert, so I left the auth profile empty and I added the cert profile, but after the portal asks for the cert I get the username\password page anyways. I had it set to redirect, so I changed to transparent and still gives me the credential page. Could someone tell me what am I missing?
my steps were:

remove auth profile

set mode to transparent

add cert profile

not sure if this issue is with the response page or if that is with the auth enforcement option I used in the auth rule. (defaul-web-form)