topic Re: Captive portal authentication with Radius/AD in General Topics

Captive portal authentication with Radius/AD

manaschai — Fri, 24 Feb 2012 00:19:16 GMT

Hello

I try PAN-OS 4.1.3, I use captive portal authentication with Radius/AD. I config user in WiFi zone access to any zone must authentication with captive portal. It work normally. But I try set Proxy server and user in WiFi Zone config Proxy IP into Internet Option. After that the user in WiFi zone can't access to any web becasue of the broswer doesn't redirect to captive portal authentication. Then I try to remove Proxy IP from Internet Option and test access web site. It redirect to captive portal page for authentication. Then I set Proxy IP into Internet Option. It can access to website pass through Proxy server normally.

Why I remove Proxy IP from Internet Option before authentication with captive portal?

How to config for this issue ?

Re: Captive portal authentication with Radius/AD

rmonvon — Fri, 24 Feb 2012 04:24:25 GMT

what device is acting as your proxy server? Are you trying to configure the PAN device as the proxy server?

Re: Captive portal authentication with Radius/AD

manaschai — Fri, 24 Feb 2012 04:49:29 GMT

Hi rmonvon

I use Ubuntu server install squid3 for my proxy server.

Regards.

Manaschai S.

Re: Captive portal authentication with Radius/AD

rmonvon — Fri, 24 Feb 2012 05:17:07 GMT

Thank you for the info. It sounds like your configuration is sendding all traffic to the proxy server, including the captive portal session. I suggest that you defining a proxy bypass for the captive portal session such that the traffic is going direct. You can try using the captive portal 'redirect' option to a host and set the proxy bypass for this host.

Re: Captive portal authentication with Radius/AD

manaschai — Fri, 24 Feb 2012 09:57:27 GMT

I set the captive portal 'redirect' on Palo Alto network firewall and on squid3 I config

acl server src 10.100.100.0/24 <-- my server zone and Palo Alto firewall management interface

always_direct allow server

but it still not work. I found address of browser is "https://www.google.co.th:6082/php/uid.php?vsys=2&url=http://www.google.co.th". That change after I set above command on squid3 software but the broswer not show login page.

Re: Captive portal authentication with Radius/AD

rmonvon — Fri, 24 Feb 2012 19:56:06 GMT

I am sorry but I don't understand what you mean by configuring 'redirect' on the proxy server and the 'acl server ...'.

My suggestion was to use 'redirect' on the PA device instead of 'transparent'. Once you select 'redirect', you also must define the 'redirect host' under the captive portal setting. When captive portal authenticates, the user will be forwarded to this 'redirect host' and this traffic should be direct (not going to your proxy server). So in the IE/FireFox browser, you will configure a proxy bypass for this 'redirect host'. The 'redirect host' should resolve to an IP address on the PA device but it should not be mgmt IP address.