https://live.paloaltonetworks.com/t5/general-topics/web-authentication/m-p/190781#M57582 <P>You can do this on the Palo Alto too, it might work a little different than your Juniper setup however</P> <P>&nbsp;</P> <P>create an authentication profile, enable captive portal, set a captive portal policy to intercept connections going to your server, set security policy to only allow access to identified users</P> <P>&nbsp;</P> <P>here's <A title="Configure Captive Portal" href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal" target="_blank">how to setup captive portal</A></P> <P>a little more info on <A title="How to Configure Captive Portal " href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Captive-Portal/ta-p/60455" target="_blank">the different modes</A> (you'll need web-form)</P> <P>and the "<A title="Getting Started: User-ID " href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321" target="_self">getting started: User-ID</A>" guide if you'd like to know more about how it all works</P> <P>&nbsp;</P> Fri, 08 Dec 2017 08:48:50 GMT reaper 2017-12-08T08:48:50Z https://live.paloaltonetworks.com/t5/general-topics/web-authentication/m-p/190688#M57566 <P>On our juniper firewalls we are using web authentication to restrict access to certain hosts and I would like to know if this is possible and how to on PA.</P><P>&nbsp;</P><P>The user hits a captive portal(webauth in juniper) that is boudn to an interface:</P><P>set interfaces reth0 unit xxxx family inet address x.x.x.x/24 web-authentication https<BR /><BR />This presents a simple login page that requries two factor authentication wich then puts an entry into a local database. A policy then allows the traffic based on this.</P><P>set security policies from-zone aaaa to-zone bbbb policy test match source-address subnetx<BR />set security policies from-zone aaaa to-zone bbbb policy test match destination-address web-auth-hosts<BR />set security policies from-zone aaaa to-zone bbbb policy test match application junos-https<BR />set security policies from-zone aaaa to-zone bbbb policy test then permit firewall-authentication web-authentication</P><P>&nbsp;</P><P>Authentication Profile</P><P>set access profile TEST-ACCESS authentication-order radius<BR />set access profile TEST-ACCESS session-options client-idle-timeout 10<BR />set access profile TEST-ACCESS session-options client-session-timeout 120<BR />set access profile TEST-ACCESS radius-server x.x.x.x port 1812<BR />set access firewall-authentication web-authentication default-profile TEST-ACCESS<BR />set access firewall-authentication web-authentication banner success "TEST Access Login Successful"</P> Thu, 07 Dec 2017 20:30:44 GMT https://live.paloaltonetworks.com/t5/general-topics/web-authentication/m-p/190688#M57566 r24481 2017-12-07T20:30:44Z https://live.paloaltonetworks.com/t5/general-topics/web-authentication/m-p/190781#M57582 <P>You can do this on the Palo Alto too, it might work a little different than your Juniper setup however</P> <P>&nbsp;</P> <P>create an authentication profile, enable captive portal, set a captive portal policy to intercept connections going to your server, set security policy to only allow access to identified users</P> <P>&nbsp;</P> <P>here's <A title="Configure Captive Portal" href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal" target="_blank">how to setup captive portal</A></P> <P>a little more info on <A title="How to Configure Captive Portal " href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Captive-Portal/ta-p/60455" target="_blank">the different modes</A> (you'll need web-form)</P> <P>and the "<A title="Getting Started: User-ID " href="https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-User-ID/ta-p/69321" target="_self">getting started: User-ID</A>" guide if you'd like to know more about how it all works</P> <P>&nbsp;</P> Fri, 08 Dec 2017 08:48:50 GMT https://live.paloaltonetworks.com/t5/general-topics/web-authentication/m-p/190781#M57582 reaper 2017-12-08T08:48:50Z