topic Re: Captive Portal w/2FA in Azure in General Topics

Captive Portal w/2FA in Azure

RobertShawver — Tue, 11 May 2021 13:21:37 GMT

Hi All -

Hopefully I make this clear.

What I'm looking to do is set up Captive Portal with a push notification in Azure AD. I can't seem to find any documentation around this, can someone give me the general steps or point me to existing documentation?

Thanks in advance.

Re: Captive Portal w/2FA in Azure

MP18 — Tue, 11 May 2021 18:23:42 GMT

@RobertShawver

Please read below document.

https://azureadminblog.azurewebsites.net/index.php/2020/06/21/palo-alto-captive-portal-using-azure-ad/

Regards

Re: Captive Portal w/2FA in Azure

RobertShawver — Tue, 11 May 2021 19:26:06 GMT

@MP18 I found that one, but there are parts that don't make sense to me.

"Next lets create an authentication profile that will be used in our captive portal, navigate to Objects > Authentication and press “Add”:"

Set the following values and press ok:

Name: Anything you like!
Authentication Method: Browser-challenge (doesn’t really matter here as the request will be redirected to Azure-AD anyway)
Authentication Profile: The Azure-AD authenticaiton profile we setup in the previous section
Message: Leave default- users will not see this anyway.

But then I don't see how that ties into anything???

Re: Captive Portal w/2FA in Azure

RobertShawver — Tue, 11 May 2021 21:48:26 GMT

@MP18 It also says:

n our case we want to that to a FQDN that users using an internal DNS server will point to an internal interface on the firewall. For example https://internal.azureadmin.co.uk:6082/SAML20/SP which would resolve to an internal interface on the firewall (such as 192.168.100.1). The port number here is the port the Palo Alto hosts its captive portal service when enabled.

Reply URL (Assertion Consumer Service URL):
This is the URL that Azure will send the user back to after the SAML authentication processs completes, in our case we can use the same URL as the Identifier- for example- https://internal.azureadmin.co.uk:6082/SAML20/SP

Use the same reply URL? That doesn't seem right?

Re: Captive Portal w/2FA in Azure

OtakarKlier — Thu, 13 May 2021 17:51:04 GMT

Hello,

One thing to remember with Captive portal is that its used only for matching a user to and IP address for mapping. If a use is already known, the portal will not be presented to the user.

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/user-id-concepts/user-mapping/captive-portal

Hope that makes sense.

Re: Captive Portal w/2FA in Azure

MP18 — Thu, 13 May 2021 18:55:28 GMT

@RobertShawver

For CP you export the cert from the Azure to PA.

Yes URL for Identity Provider SSO URL it is same as in Azure.

Regards

Re: Captive Portal w/2FA in Azure

RobertShawver — Thu, 13 May 2021 20:21:00 GMT

@MP18 @OtakarKlier

Here is what I'm hoping will happen. User crosses from zone to another and is presented with the CP. User puts in username and password and then gets a push notification to there phone via Microsoft Authenticator. User clicks "approve" and the CP process completes. All internal.

Currently, I have CP set up so that User crosses from zone to another and is presented with the CP. User puts in username and password and the CP process completes.

Is what I'm hoping for possible? Am I explaining it correctly?

Re: Captive Portal w/2FA in Azure

MP18 — Thu, 13 May 2021 20:25:14 GMT

@RobertShawver

Yes you are sharing correctly.

Regards

Re: Captive Portal w/2FA in Azure

RobertShawver — Thu, 13 May 2021 20:26:23 GMT

Now the question is how 🙂

Re: Captive Portal w/2FA in Azure

MP18 — Thu, 13 May 2021 20:32:25 GMT

@RobertShawver

If you have not done any CP config then you can also check with your SE How to do it?

Are you the one who will do configuration in Azure?

Also see this

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/paloaltonetworks-captiveportal-tutorial

Regards

Re: Captive Portal w/2FA in Azure

RobertShawver — Thu, 13 May 2021 20:46:03 GMT

So the Azure guy set it up, but then made me the owner so I can edit as needed. I think the part that isn't clicking in my head is right now I have the CP running through GlobalProtect.

If I click on Test in Azure, I get the push notification on my phone, I click approve and then browser opens a new tab with the Palo logo on the tab and it says 502 Bad gateway and the URL is https://website:6082/SAML20/SP/ACS

The link listed in Network > GlobalProtect > Portals > MY_Portal > Agent is https://website:6082

I think this is doable, I just haven't found any good instructions on how to do this.

FYI, I really appreciate your time in speaking with me.

Re: Captive Portal w/2FA in Azure

MP18 — Thu, 13 May 2021 20:58:10 GMT

@RobertShawver

You use GP for CP when destination port is not 443.

We use the CP for any traffic on port 3389.

Re: Captive Portal w/2FA in Azure

RobertShawver — Fri, 14 May 2021 08:41:41 GMT

Apologies, but I don't know how that helps me.

Re: Captive Portal w/2FA in Azure

OtakarKlier — Fri, 14 May 2021 17:04:29 GMT

Hello,

While i do not know if this is possible, I do find it intriguing. I know the captive portal page can be modified, not sure if to the extent of what you are looking for however. Perhaps an SSO or SAML solution would work if you already have one?

Just throwing out ideas.

Regards,

Re: Captive Portal w/2FA in Azure

Someonesomeone — Thu, 17 Jun 2021 18:56:21 GMT

@RobertShawver Did you ever get success with this? I am trying to set this up as well.

Re: Captive Portal w/2FA in Azure

RobertShawver — Mon, 21 Jun 2021 11:13:29 GMT

This should get you pretty close:

Set up GlobalProtect
Add the new captive portal to the portal agent configuration - Network > GlobalProtect > Portals > GP_Portal > Agent
Alias to point to VLAN 961 Example: server.mfa.company.com 10.10.10.10

Set up Azure
Basic SAML Configuration

Example
Identifier (Entity ID) https://server.mfa.company.com:6082/SAML20/SP
Reply URL (Assertion Consumer Service URL) https://server.mfa.company.com:6082/SAML20/SP/ACS
Federation Metadata XML Download

Set up Palo Alto:
SAML Identity Provider
Device > Server Profiles > SAML Identity Provider > Import
Authentication Profile
Device > Authentication Profile > Add
Type = SAML
IDP Server Profile = SAML Identity Provider created above
Username Attribute = username
Advanced Tab > Allow List = all
Authentication
Objects > Authentication > Add
Authentication Method = web-form
Authentication Profile = Authentication Profile created above
Policy
Policies > Authentication > Pre Rules > Add
Action Tab > Authentication Enforcement > Authentication Object created above

Let me know if you have any questions.

Re: Captive Portal w/2FA in Azure

Someonesomeone — Mon, 21 Jun 2021 13:44:24 GMT

Thank you RobertShawver! I appreciate the help. When you mentioned adding new captive portal to portal agent configuration, where do i put that? Is that under the App tab of the portal agent configuration? My guess is under trusted MFA Gateways as described in Step 6, item 3, from the following document: Configure GlobalProtect to Facilitate Multi-Factor Authenti... (paloaltonetworks.com) Piecing things from different places.

Another question: server.mfa.company.com, does that have to externally resolve? The azureadminblog post seemed to indicate you only need internal, but someone told me it needs to be external for azure to talk to it.

Thanks

Re: Captive Portal w/2FA in Azure

RobertShawver — Mon, 21 Jun 2021 18:44:34 GMT

"Is that under the App tab of the portal agent configuration?" - You got it.

"server.mfa.company.com, does that have to externally resolve? " - Mine does not, but your mileage may vary. I'd say try it internal first.

Re: Captive Portal w/2FA in Azure

Someonesomeone — Tue, 22 Jun 2021 20:00:45 GMT

@RobertShawver getting close, but not there yet. Browser based applications I get redirected over http to azure, but after trying to authenticate i get AADSTS700016 Application with identifier 'https://cp.domain.com:6082/saml20/sp' was not found in the directory... Also, not getting the notification from GlobalProtect when attempting non-browser based. Appreciate any help.

Thanks, Chris

Re: Captive Portal w/2FA in Azure

RobertShawver — Wed, 23 Jun 2021 11:10:19 GMT

Hey Chris -

I'll admit that troubleshooting without seeing your setup is a bit of a challenge.

Configure Multi-Factor Authentication (paloaltonetworks.com)

What I did was follow these instructions but with these caveats:

Step 2: Add a SAML IDP

Step 3: Skip this step (this is why it took me so long to get this going, it took me awhile to figure out that I needed to skip step 3.)

I suspect you may have the same issue as I seem to remember that error you spoke about.