topic Re: Captive Portal in General Topics

Captive Portal

djrodb — Wed, 09 Jan 2013 19:34:14 GMT

has anyone got configuration for captive portal on and incoming untrusted public ip nat to private internal address.

i need to authenticate incoming connections before they reach the internal server address.

under captive portal I have the source as the public nat address and the destination as the internal server address and it does seem to work. The server can be reached from the Internet without any prompt for authentication?

thanks

rod

Re: Captive Portal

jteetsel — Thu, 10 Jan 2013 01:31:50 GMT

Hi Rod, If your intention is to prompt a CP login page for inbound connections from the internet to a system that you have created a destination nat for you Captive Portal policy would like like this:

source zone = Untrusted zone

source address = blank or whatever the public IP the traffic is comming from (if you want to be specific)

Destination Address = The Public IP for your server on the inside (not the private address)

Service = the service you are exposing (http,https)

This will force any connections coming from the outside to that public address to be faced with a CP login. If the public address is shared between other systems on the inside be careful to be specific with the Service on the CP policy

Hope this helps

John

Re: Captive Portal

djrodb — Thu, 10 Jan 2013 09:41:19 GMT

John, Thanks. That cleared things up.

I still can't get the system to present the redirected authentication login page. The documentation for Captive Portal hasn't been updated to PANOS 5 yet.

Rod

Re: Captive Portal

jteetsel — Thu, 10 Jan 2013 23:11:05 GMT

Below is a pretty good document with some details regarding Captive Portal, it has not changed very much since 4.0:

Starting on page 19 is how to configure. Use your traffic monitor to see which source and destination zones are used for the incoming connections for the server in question. Make sure your source and destination zones in your CP policy match what you see in the traffic log. Also, check the following:

Make sure captive portal is 'enabled' under Device > User Identification > Captive Portal Settings
Make sure that User ID is enabled on the source zone under Network > Zones (should be your untrusted zone in your case)
Make sure the host name or IP address you specify for the "Redirect Host" is accessible to the public. If you use a host name make sure it has a resolvable public DNS record
Make sure that the interface being used for the Redirect host is using a management profile that has response pages turned on ( Network > Interface Mgmt > Profile Name ) The interface profile is configured under Network > Interfaces > Interface Name > Advanced > Network Management Profile

Hope this helps

Re: Captive Portal

djrodb — Fri, 11 Jan 2013 10:35:23 GMT

John

Thanks for your help so far. I'm strugling with the concept of CP redirect and how the following statement translates to a working example.

Make sure the host name or IP address you specify for the "Redirect Host" is accessible to the public. If you use a host name make sure it has a resolvable public DNS record

Does this imply that the redirect host has to be an internal web server? or does it mean an interface on the firwewall - say for example the main firewall inside (trust) L3 interface?

If it's an internal web server do I need to go through the normal procedure of creating a static nat from the out side to the inside server IP for the captive portal bit?

I've added my current config to see if you or anyone else can clear this up? thanks.

Re: Captive Portal

jteetsel — Sat, 12 Jan 2013 00:51:29 GMT

The redirect host will be an L3 interface on the firewall. Weather its a trusted or untrusted interface depends on where the CP clients are coming from. If your case you want to use an untrusted interface since your CP clients are coming from the outside. Also, in your CP policy should have 'outside' for both your source and destination zones since the destination address is your public IP.

Re: Captive Portal

znlwin — Fri, 19 Jul 2013 06:58:08 GMT

Hi Support,

Regarding Captive Portal , my Wifi clients can use Skype & GTalk application without authenticated to Captive Portal. But when to browse http (or) https, the captive port login page kicked in.

What I want is, every users have to authenticate at Captive Portal login page first, then can use internet accordingly even Skype or Gtalk applications.

regards,

Re: Captive Portal

zarina — Sat, 20 Jul 2013 13:40:25 GMT

Captive portal will only with with web based traffic: http and https (with decryption enabled).

Re: Captive Portal

jteetsel — Sun, 21 Jul 2013 16:30:33 GMT

That’s correct, the CP intercept\logon page can only be displayed via a browser. You would need to deny Skype\Gtalk for unknown users in your security policy and force the users to hit a http\https page before expecting any internet dependent applications to function, this would force them to authenticate via CP before doing any web based type activity . This is usually how hotels do it.

Re: Captive Portal

znlwin — Mon, 22 Jul 2013 04:06:41 GMT

Thanks zarina and jteetsel.

Hi jteetsel, how to implement unknown users t force them to authenticate via CP before expecting any internet dependent applications to function. I would like to implement like hotels scenario.

My one is PA3020 & ver 5.0

rgds,

Re: Captive Portal

jteetsel — Tue, 23 Jul 2013 00:29:55 GMT

Hi Zn, the Palo Alto cannot force a user to open a browser and visit a site. We can only redirect the user to the CP login page if they do. You would need to inform the users to open a browser and sign in to CP.

Thanks

John