https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50219#M36976 <HTML><HEAD></HEAD><BODY><P>I'm thinking about trying something a little out of the square with user-id and captive portal. Let me start with the context and business goal:</P><P></P><UL><LI>The PAN is deployed as a data centre firewall.</LI><LI>I'd like to use some policies that permit clients access to an application only if the user is known.</LI><LI>I'd like to use some policies that permit clients access to an application for specific users only if they have used strong authentication, specifically a Yubico one time password.</LI><LI>Clients platforms are a mixed environment, BYOD, some active directory but not universal.</LI></UL><P></P><P>Here is how I propose solving the problem:</P><UL><LI>use XML-API for the user-id stuff, gather user to IP associations from various authentication logs in close enough to real time.</LI><LI>Build an authentication portal with business logic to know when to prompt for a one time password in addition to username and password.</LI><LI>Have the PAN redirect HTTP(S) to this portal when necessary.</LI></UL><P></P><P>So far I've proved the following can work:</P><UL><LI>The XML-API user-id stuff.</LI><LI>Set the 'Redirect Host' parameter in Captive Portal Settings to an IP of a web server.</LI><LI>Use an appropriate Captive Portal and Security policies to redirect the client and permit the traffic to the web server.</LI></UL><P></P><P>I have not yet coded the user authentication and subsequent redirection back to the intended web page but will be pretty straight forward.</P><P></P><P>It seems Paloalto have not intended (thought about) captive portal being used in this way. Has anyone else attempted this?</P><P></P><P>What do you think of this idea? Can you think of a better way to achieve the same goal?</P><P></P><P>thanks,</P><P>Scott</P></BODY></HTML> Fri, 28 Feb 2014 02:23:10 GMT ScottHamilton 2014-02-28T02:23:10Z https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50219#M36976 <HTML><HEAD></HEAD><BODY><P>I'm thinking about trying something a little out of the square with user-id and captive portal. Let me start with the context and business goal:</P><P></P><UL><LI>The PAN is deployed as a data centre firewall.</LI><LI>I'd like to use some policies that permit clients access to an application only if the user is known.</LI><LI>I'd like to use some policies that permit clients access to an application for specific users only if they have used strong authentication, specifically a Yubico one time password.</LI><LI>Clients platforms are a mixed environment, BYOD, some active directory but not universal.</LI></UL><P></P><P>Here is how I propose solving the problem:</P><UL><LI>use XML-API for the user-id stuff, gather user to IP associations from various authentication logs in close enough to real time.</LI><LI>Build an authentication portal with business logic to know when to prompt for a one time password in addition to username and password.</LI><LI>Have the PAN redirect HTTP(S) to this portal when necessary.</LI></UL><P></P><P>So far I've proved the following can work:</P><UL><LI>The XML-API user-id stuff.</LI><LI>Set the 'Redirect Host' parameter in Captive Portal Settings to an IP of a web server.</LI><LI>Use an appropriate Captive Portal and Security policies to redirect the client and permit the traffic to the web server.</LI></UL><P></P><P>I have not yet coded the user authentication and subsequent redirection back to the intended web page but will be pretty straight forward.</P><P></P><P>It seems Paloalto have not intended (thought about) captive portal being used in this way. Has anyone else attempted this?</P><P></P><P>What do you think of this idea? Can you think of a better way to achieve the same goal?</P><P></P><P>thanks,</P><P>Scott</P></BODY></HTML> Fri, 28 Feb 2014 02:23:10 GMT https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50219#M36976 ScottHamilton 2014-02-28T02:23:10Z https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50220#M36977 <HTML><HEAD></HEAD><BODY><P>A follow-up question.</P><P></P><P>It's not clear to me how to configure the PAN so it redirects the client to the captive portal only when the user is not known. Is this possible?</P><P></P><P>Scott</P></BODY></HTML> Fri, 28 Feb 2014 02:31:06 GMT https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50220#M36977 ScottHamilton 2014-02-28T02:31:06Z https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50221#M36978 <HTML><HEAD></HEAD><BODY><P>Hi Scott</P><P></P><P>In regards to your followup question. A session should only be redirected to captive portal if there is no user/IP mapping yet, if such mapping exists CP should not get triggered. are you seeing the opposite ?</P><P>your first post should work just fine if you are able to write the redirect after authentication to the original host to facilitate the user and make the authentication trigger the API which should add a user/IP mapping near instantaneously, it should go beautifully</P></BODY></HTML> Thu, 06 Mar 2014 11:15:12 GMT https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50221#M36978 reaper 2014-03-06T11:15:12Z https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50222#M36979 <HTML><HEAD></HEAD><BODY><P>Scott,</P><P></P><P>You also define a Captive portal rule to identify what source and destination address space you want captive portal to be applied to.&nbsp; Remembering that the traffic needs to traverse a firewall interface and only kicks in if there is no user-id to IP address mapping already in the firewall (as tpiens mentions).&nbsp; It works quite well.</P><P></P><P>Phil</P></BODY></HTML> Fri, 07 Mar 2014 01:46:29 GMT https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50222#M36979 HITSSEC 2014-03-07T01:46:29Z https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50223#M36980 <HTML><HEAD></HEAD><BODY><P>Hi Scott,</P><P></P><P>You could use a PBF rule for "unknown" users. (just not mapped IP with any user) to IP where CP is configured.</P><P></P><P>Then "your captive portal" have to redirect&nbsp; all incomming traffic to destination 80/tcp or 443/tcp to local address.</P><P></P><P>The CP shall be in DMZ (traffic to CP shall pass over firewall) - only then PBF works.</P><P>Also CP shall be connected to the different L3 interface than LAN&nbsp; and External.</P><P></P><P>ex. I have:</P><P>e1/1 - Internet/External</P><P>e1/2 - LAN</P><P>e1/3 - CP</P><P></P><P>PBF have to change a routing for unknown users from default:</P><P>User-&gt;PAN-&gt;Internet</P><P>to:</P><P>User-&gt;PAN-&gt;Captive Portal</P><P></P><P>Rule on PAN:</P><P><IMG __jive_id="12947" alt="CP_redirect.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/12947_CP_redirect.png" style="width: 620px; height: 37px;" /></P><P></P><P>IPtables redirect/DNAT on Linux:</P><P></P><P>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination &lt;IP of Captive Portal&gt;:80</P><P>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination &lt;IP of Captive Portal&gt;:443</P><P></P><P>Note: HTTPS redirect could generate SSL warning.</P><P></P><P>After this you could user XML-API to adding users with timeout value.</P><P>There is no idle time as in generic PAN CP, only a timeout.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4968">Setting the Timeout for User to IP mapping Created Using User-ID XML-API</A></P><P></P><P>T.</P></BODY></HTML> Sat, 19 Apr 2014 21:16:59 GMT https://live.paloaltonetworks.com/t5/general-topics/external-captive-portal/m-p/50223#M36980 tomasz.niewdana 2014-04-19T21:16:59Z