https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31817#M23280 <HTML><HEAD></HEAD><BODY><P>Samuel,</P><P></P><P>I may be misunderstanding your question.</P><P></P><P>Captive portal is part of the "User Identification" feature. If a user is identified by his AD login he will never see the the portal. Only unknown users, Linux devices and guest users, will be "Unknown" and the portal will present itself to the user to force authentication and use this as the identification method. You do not pick groups or users for Portal usage.</P><P></P><P>Steve Krall</P></BODY></HTML> Fri, 30 Dec 2011 01:00:50 GMT skrall 2011-12-30T01:00:50Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31814#M23277 <HTML><HEAD></HEAD><BODY><P>Hi, I've PA-500 with 4.1.1 and I've configured Captive Portal with AD Authentication. Pan-agenty seems to work fine and I can select the AD groups when I configure Securtiy Policy. </P><P>I've created an authentication profile only for Captive Portal with Kerberos authentication and my Domain controller as Server profile but I cannot see the groups in allow list, only can see local users. Although with all in allow list, Captive Portal authentication works fine</P><P></P><P>I'm not sure if I need to configure Group Mappings but as I've read in Administrator Guide of 4.1 group mapping is configured as LDAP server, is it correct?, do I need to configure Group mapping only to have my AD groups in allow list of authentication Profile?.</P><P></P><P>Thank you in advance.</P><P></P><P>Samuel</P></BODY></HTML> Mon, 19 Dec 2011 10:06:24 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31814#M23277 ssancho 2011-12-19T10:06:24Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31815#M23278 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>With PANOS 4.1.x, you need to configure Group Mapping Settings for PAN to get the user-group mappings.&nbsp; You would need to create an LDAP server profile first and then apply that to the Group Mapping Settings.&nbsp; With this configured, you will be able to reference groups in your policies.</P><P><BR />Thanks,</P><P>Ahsan</P></BODY></HTML> Wed, 21 Dec 2011 03:39:15 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31815#M23278 akhan 2011-12-21T03:39:15Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31816#M23279 <HTML><HEAD></HEAD><BODY><P>Hi, thanks for your reply. I supossed that, but the strange think is that I can select my groups in security policy but not in allow list of authentication Profile. Do I need to configure LDAP profile to have user-group mappings in allow list of Authentication Profile?.</P><P></P><P>It seems strange to have groups in policies without LDAP profile and need it to use groups in Authentication Profile.</P><P></P><P></P><P></P><P>EDIT: Hi, I've configured LDAP server profile and install User-ID (not pan-agent) in domain controller. All seems to work fine, I can create policies with users and make the filter of groups in firewall (Device, User Identification, Group Mappings), BUT I cannot select the active directory groups in Authentication Profile.</P><P></P><P>How could I filter the users of Active Directory that can login in captive portal?, at the moment I only can select my local users.</P><P></P><P>Thanks</P><P></P><P>Samuel</P></BODY></HTML> Thu, 22 Dec 2011 15:07:13 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31816#M23279 ssancho 2011-12-22T15:07:13Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31817#M23280 <HTML><HEAD></HEAD><BODY><P>Samuel,</P><P></P><P>I may be misunderstanding your question.</P><P></P><P>Captive portal is part of the "User Identification" feature. If a user is identified by his AD login he will never see the the portal. Only unknown users, Linux devices and guest users, will be "Unknown" and the portal will present itself to the user to force authentication and use this as the identification method. You do not pick groups or users for Portal usage.</P><P></P><P>Steve Krall</P></BODY></HTML> Fri, 30 Dec 2011 01:00:50 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-authentication/m-p/31817#M23280 skrall 2011-12-30T01:00:50Z