https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44382#M32578 <HTML><HEAD></HEAD><BODY><P>I have a customer who has AD and is using the UserAgent sucessfully.</P><P>However, many users are not always logged in, or are using corporate hardware, so aren't logged in.</P><P>I want to configure Captive Portal for non-logged in users that uses NTLM to authenticate users from the AD.</P><P><BR />I've found a few KnowledgePoint articles that come close (using RADIUS), but I just want to call the AD to authenticate (maybe using the existing User Agent?).</P><P></P><P>I can't figure out the settings for the Authentication Profile...none of LocalDb/RADIUS/LDAP seem to fit..</P><P></P><P>Can someone let me know the steps for doing this?</P></BODY></HTML> Mon, 07 Feb 2011 20:37:57 GMT randomcamden 2011-02-07T20:37:57Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44382#M32578 <HTML><HEAD></HEAD><BODY><P>I have a customer who has AD and is using the UserAgent sucessfully.</P><P>However, many users are not always logged in, or are using corporate hardware, so aren't logged in.</P><P>I want to configure Captive Portal for non-logged in users that uses NTLM to authenticate users from the AD.</P><P><BR />I've found a few KnowledgePoint articles that come close (using RADIUS), but I just want to call the AD to authenticate (maybe using the existing User Agent?).</P><P></P><P>I can't figure out the settings for the Authentication Profile...none of LocalDb/RADIUS/LDAP seem to fit..</P><P></P><P>Can someone let me know the steps for doing this?</P></BODY></HTML> Mon, 07 Feb 2011 20:37:57 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44382#M32578 randomcamden 2011-02-07T20:37:57Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44383#M32579 <HTML><HEAD></HEAD><BODY><P>captive portal using NTLM auth with redirect mode to an L3 interface of the firewall will do this for you.</P><P></P><P>don't forget to create a captive portal policy that uses the NTLM auth method!!!</P><P></P><P>-Benjamin</P></BODY></HTML> Mon, 07 Feb 2011 20:48:37 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44383#M32579 bpappas 2011-02-07T20:48:37Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44384#M32580 <HTML><HEAD></HEAD><BODY><P>LDAP server profile for AD should work with the authentication profile you'll need for Captive Portal. It's the same as the Radius with the exception of an additional 'Logon Attribute' field. For AD, you'll utilize 'sAMaccountName.'</P><P></P><P>Check your Captive Portal Settings:</P><P></P><P>NTLM authentication agent: One User Agent is used to proxy request to AD and it should be chosen based on its proximity to the PAN FW</P><P></P><P>Auth Profile - Choose the Auth Profile previously created</P><P></P><P>You'll eventually configure the Captive Portal Policy which specifies what form of user detection should be used for a given unknown user session:</P><P></P><P>1) no-captive-portal: the session remains unknown</P><P>2) captive-portal: Use Web Form based user detection</P><P>3) ntlm-auth: attempt NTLM authentication. If that fails, attempt web form based mapping.</P><P></P><P></P><P>I'm not sure if you've found these already but just to be sure. The Radius setup doc is similar to what you can do for LDAP over AD.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1410">https://live.paloaltonetworks.com/docs/DOC-1410</A></P><P></P><P><A class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1040">https://live.paloaltonetworks.com/docs/DOC-1040</A></P><P></P><P></P><P></P><P></P><P>Hope this helps.</P><P></P><P>-Renato&nbsp;&nbsp;&nbsp;&nbsp; </P></BODY></HTML> Mon, 07 Feb 2011 20:59:07 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44384#M32580 gswcowboy 2011-02-07T20:59:07Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44385#M32581 <HTML><HEAD></HEAD><BODY><P>Thanks Guys...</P><P></P><P>Re this part..</P><P></P><P>"Check your Captive Portal Settings:</P><P></P><P>NTLM authentication agent: One User Agent is used to proxy request to AD and it should be chosen based on its proximity to the PAN FW"</P><P></P><P>I understand pointing at the existing PAN Agent, but what should I use as the Hostname? I don't get what this part does.</P></BODY></HTML> Mon, 07 Feb 2011 21:10:43 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44385#M32581 randomcamden 2011-02-07T21:10:43Z https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44386#M32582 <HTML><HEAD></HEAD><BODY><P>It relies on an http 302 redirect to a host in the client computers local zone. This is the host name used in the 302 reply. It is not in the form of a FQDN. This host name must resolve to an IP on an L3 interface or the mgt interface of the PAN firewall.</P></BODY></HTML> Mon, 07 Feb 2011 21:21:38 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-configure-captive-portal-ntlm-auth/m-p/44386#M32582 gswcowboy 2011-02-07T21:21:38Z