topic Re: Captive Portal - identify user with certificate in General Topics

Captive Portal - identify user with certificate

LCMember317 — Fri, 21 Oct 2011 14:07:08 GMT

Hello everybody.

I have a question regarding captive portal user identification.

As everybody know user like Mac, iPhone, Android are difficult to identify and manage without insert credential in captive portal.

For wireless policy in all my company device I've installed a user certificate who grant wireless access. i would like to use it for user identification in captive portal.

I've tried to configure my PA-2050 4.0.5 like "How to configure captive portal" guide scenario 3.

The problem is:

if I set under User identification the client cerficate and the authentication profile (if a client don't have certificate can insert credential in captive portal) the browser goes wrong.
if i set only authentication profile everything is well.

I've got an internal CA. I've imported the ca certificate on PA and created the client certificate profile.

How can help me?

Re: Captive Portal - identify user with certificate

gswcowboy — Sat, 22 Oct 2011 05:29:17 GMT

This is a document for utilizing client cert for ssl-vpn authentication but should be good for CP as well. Hope it helps but feel free to update this thread if you need further assistance.

https://live.paloaltonetworks.com/docs/DOC-1934

Regards,

Renato

Re: Captive Portal - identify user with certificate

LCMember317 — Tue, 25 Oct 2011 09:31:01 GMT

Seen it. Unfortunately I get the error described above.

Re: Captive Portal - identify user with certificate

ggarrison — Tue, 25 Oct 2011 12:38:57 GMT

Can you please elaborate on the errors that you receive? Also, have you tried using a different browser with the captive portal?

Re: Captive Portal - identify user with certificate

gswcowboy — Tue, 25 Oct 2011 13:27:17 GMT

"If a client doesn't have a cert" ---> Could you please clarify? I am under the assumption, the client has the cert and thus should get the two-factor authentication from the PAN.

Re: Captive Portal - identify user with certificate

etank — Thu, 13 Sep 2012 22:21:42 GMT

I think the problem he is having is the same as me... I want to use the captive portal with username/password for devices WITHOUT a certificate. Example: say we have a presenter/visitor come into our building and they need internet access - they will hit the portal where we can give them a username and password. But we want our other corporate devices like ipads, iphones, androids, etc to get on automatically by having the cert... so they don't have to enter their credentials each day. Is there a way to do this?

Re: Captive Portal - identify user with certificate

zarina — Thu, 13 Sep 2012 23:40:05 GMT

Erik,

As per the current design, you cannot have both configured and still use only one of them. If you have certificates and an auth profile, it will be a 2-form authentication: you authenticate using a cert and also need to authenticate using username/password. If you want to use only certificates, leave the auth profile empty.

If you need the functionality of able to configure both and use only one form of authentication, please contact your SE to file a feature request. Hope this information was helpful.

Thanks,

Sri

Re: Captive Portal - identify user with certificate

mikand — Fri, 14 Sep 2012 06:57:18 GMT

Cannot one setup two interfaces (connected to each zone) where one interface is the regular captive portal (and default gw) and the other is ssl-vpn which your own devices (ipads etc) will connect directly to?

And then in the security rules you set this as srczone: zone_portal, zone_vpn

Re: Captive Portal - identify user with certificate

jvalentine — Fri, 14 Sep 2012 07:21:18 GMT

Yes, make two different VLANs... one for guests, and the other for employees... You can use captive portal for the guest network/subnet/vlan, and then use something different on your internal network.

Re: Captive Portal - identify user with certificate

etank — Fri, 14 Sep 2012 07:49:59 GMT

jvalentine, Our school district's networking equipment is ancient - the Palo Alto is one of two L3 devices on our network. I have very little experience with vlans, given our 15+ year old cisco switches as the majority of our network. I'm all ears if you want to let me know how to set it up though

Mikand - I don't know what you mean... I would plug in two cables from my network into the Palo Alto and have two separate gateways? I'd love to hear more...

Thanks for the responses... sorry to hijack a thread.

I started my own thread about this here: https://live.paloaltonetworks.com/message/18846#18846

Thanks,

Erik

Re: Captive Portal - identify user with certificate

mikand — Fri, 14 Sep 2012 08:25:26 GMT

Since you dont have any vlans at all (just a physical lan) and probably wont be able to change how the access network looks like my idea was something like:

1) A regular interface, for example 192.168.0.254/24 (which you add in dhcp as default gw so regular clients will use 192.168.0.254 as default gw to reach Internet or whatever and before they are let out they must use the captive portal).

2) A subinterface (or another physical interface), 192.168.0.253/??, which the ssl-vpn clients would connect to.

Its the last part which im not sure if its possible to accomplish on a PA (due to ip range collissions and such).

As sdarapuneni said if you enable both captive portal and ssl-vpn on the same interface then the PA will force both to be valid (meaning ssl-vpn users would still get a captive portal).

Im thinking if it would be possible to trick PA into this support by using vrouter and/or dnat/snat in combination?

A workaround could be if you setup something like:

1) 192.168.0.254/24 for regular clients (captive portal) on int1.

2) 10.0.0.254/24 for ssl-vpn clients on int2.

Connect both to your access network and in the dhcp put up static leases based on mac address.

This way a regular client will get a 192.168.0.x ip and 192.168.0.254 as default gw and your known ipad (etc) clients gets a 10.0.0.x ip and 10.0.0.254 as default gw. Because this ip "separation" isnt a true separation (they are all on the same vlan anyway) the only way for a client who gets a 10-ip to reach internet is either to auth using ssl-vpn OR go through 192.168.0.254 and use the captive portal - either way they must authenticate in order to leave your access network.

Of course this doesnt fulfill any demands regarding strong auth (since you use captive portal) but your case doesnt seem to involve being 100% sure of who did what (because in order to use captive portal your access network must be secured/hardedened aswell like using protected vlan so clients cannot steal each other ip/mac addresses and such but also since if a user gets hold of another users login/pass they will use that instead of their own) but rather make it easier for your trusted clients to use your access network.