https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10755#M7928 <HTML><HEAD></HEAD><BODY><P>Hi Tpiens,</P><P></P><P>Thank you very much for the reply.</P><P>One question though.</P><P>"The deviceconfig needs to be set so the PA has it's domain configured in device &gt; setup &gt; general settings"</P><P>what does the device domain name&nbsp; got to do with agentless deployment for NTLM authentication.</P><P></P><P>regards,</P><P>ARJUN DAS</P></BODY></HTML> Tue, 14 Apr 2015 14:27:58 GMT ArjunDAS 2015-04-14T14:27:58Z https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10753#M7926 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>I am looking for ways to configure Captive portal policy with NTLM authentication.</P><P></P><P>I have read a good number of PDFs from Palo alto but still unable to understand how do i configure it.</P><P></P><P>In short i need to know how do we configure NTLM authentication for captive portal for both Palo alto integreted hardware user agent and software user agent.</P><P></P><P>The last revision that are available on the net is "how to configure captive portal portal" is for PAN OS 4.0 and we are using PAN OS 6.0 and some of the settings are missing in PAN OS 6.0.</P><P></P><P>Anybody knows how to do it ?</P><P></P><P>regards,</P><P></P><P>ARJUN DAS</P></BODY></HTML> Thu, 09 Apr 2015 14:05:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10753#M7926 ArjunDAS 2015-04-09T14:05:58Z https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10754#M7927 <HTML><HEAD></HEAD><BODY><P>Hi Arjun</P><P></P><P>First you will need to enable captive portal under Device &gt; user identification &gt; captive portal settings</P><P>- please note the authentication method does not matter as this is NOT used for the ntlm authentication</P><P><IMG alt="2015-04-13_15-20-05.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/19159_2015-04-13_15-20-05.png" style="height: 506px; width: 620px;" /></P><P>secondly you will need to configure a captive portal policy that dictates which traffic can/needs to be intercepted to perform ntlm authentication, and set it to browser-challenge</P><P><IMG alt="2015-04-13_15-23-41.png" class="image-1 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/19160_2015-04-13_15-23-41.png" style="height: 211px; width: 620px;" /></P><P>and third, make sure the "enable user identification" is enabled on the source zone:</P><P><IMG alt="2015-04-13_15-39-06.png" class="jive-image image-7" src="https://live.paloaltonetworks.com/legacyfs/online/19167_2015-04-13_15-39-06.png" style="height: 451px; width: 620px;" /></P><P></P><P>Then, depending on the choice of a software agent or agentless deployment you need to add some additional configuration</P><P></P><P>In the case of a software agent you need to enable the ntlm authentication option, this proxies the ntlm request to the software agent </P><P><IMG alt="2015-04-13_15-25-54.png" class="jive-image image-2" src="https://live.paloaltonetworks.com/legacyfs/online/19161_2015-04-13_15-25-54.png" style="height: 194px; width: 620px;" /></P><P>and that should be it for this option</P><P></P><P>In the case of an agentless deployment more settings are required:</P><P></P><P>1. The deviceconfig needs to be set so the PA has it's domain configured in device &gt; setup &gt; general settings, and is using the internal DNS in Device &gt; setup &gt; services</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">2. There needs to be a server added to the "server monitoring" section of device &gt; user identification &gt; user mapping</SPAN></P><P><IMG alt="2015-04-13_15-35-39.png" class="jive-image image-5" src="https://live.paloaltonetworks.com/legacyfs/online/19165_2015-04-13_15-35-39.png" style="height: 75px; width: 620px;" /></P><P>3. In the Palo Alto Network User ID Agent Setup, a valid WMI authentication account needs to be added and the NTLM section needs to be filled out (please not "username" is simply the username, no domain). All the other tabs can be disabled</P><P><IMG alt="2015-04-13_15-31-32.png" class="jive-image image-3" src="https://live.paloaltonetworks.com/legacyfs/online/19163_2015-04-13_15-31-32.png" style="height: 194px; width: 620px;" /></P><P><IMG alt="2015-04-13_15-31-04.png" class="jive-image image-4" src="https://live.paloaltonetworks.com/legacyfs/online/19164_2015-04-13_15-31-04.png" style="font-size: 10pt; line-height: 1.5em; height: 241px; width: 620px;" /></P><P></P><P>that should do it, hope this helps</P><P></P><P>Tom</P></BODY></HTML> Mon, 13 Apr 2015 13:44:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10754#M7927 reaper 2015-04-13T13:44:43Z https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10755#M7928 <HTML><HEAD></HEAD><BODY><P>Hi Tpiens,</P><P></P><P>Thank you very much for the reply.</P><P>One question though.</P><P>"The deviceconfig needs to be set so the PA has it's domain configured in device &gt; setup &gt; general settings"</P><P>what does the device domain name&nbsp; got to do with agentless deployment for NTLM authentication.</P><P></P><P>regards,</P><P>ARJUN DAS</P></BODY></HTML> Tue, 14 Apr 2015 14:27:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10755#M7928 ArjunDAS 2015-04-14T14:27:58Z https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10756#M7929 <HTML><HEAD></HEAD><BODY><P>In the configuration, a valid WMI authentication account needs to be added.</P><P></P><P>Device should be in a domain, to go for WMI authentication (domain\wmi_user)</P><P></P><P>Regards,</P><P>Rahul Singh</P></BODY></HTML> Tue, 14 Apr 2015 15:27:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ntml-authentcation-for-captive-portal/m-p/10756#M7929 rsingh 2015-04-14T15:27:00Z