Can a Captive Portal Page be Triggered by a Value in the User Agent String?

Art
L3 Networker

Hello,

I am working on setting up URL Filtering on a PAN-5020 as part of converting away from a Proxy.

One of our requirements is to authenticate the user on generic login workstations by providing their credentials when they attempt to view a website that is external to us.

I would like to force a Captive Portal Page to be displayed when a user attempts to access an external website. Is this doable?

Thanks

Art

L5 Sessionator

Re: Can a Captive Portal Page be Triggered by a Value in the User Agent String?

If I understand you correctly, you basically have some sort of terminal server where login users can access resources and the Internet. Such scenarios would mean all user sessions, no matter the login user, would use the same source IP. Normally the TS-agent can identify such users by allocating a source port range for users. Unfortunately Captive Portal can only identify user based on source IP unknown and not source port unknown. So unless you can somehow have users use different source IPs, CP won't know the difference between users.

-Richard

Art
L3 Networker

Re: Can a Captive Portal Page be Triggered by a Value in the User Agent String?

Hi Richard,

Your answer sounds like the right track, but I may not have explained the situation correctly -

We are trying to make sure that if any of the workstations (PCs) in our shared areas (exam rooms, operatories, nursing stations and such) is used to go to an internet site (such as www.nascar.com) the PANs would display the Captive Portal Page to allow the user to supply their network credentials - we would then have the PAN validate via the user agent the credentials.

We do this currently on our BlueCoat ProxySGs by detecting a string in the User Agent string that the BlueCoats look for and trigger an authentication dialogue from. The 'trigger string' is set up in the workstation's registry.

Thanks

Art

L4 Transporter

Re: Can a Captive Portal Page be Triggered by a Value in the User Agent String?

I assume your shared area PCs are not members of your Windows domain, right?

Art
L3 Networker

Re: Can a Captive Portal Page be Triggered by a Value in the User Agent String?

Hi Roland,

Yes, these devices are part of our domains. They have 'autologon' IDs that are severely limited - which is part of why we require authentication of the person whose fingers are typing.

Thanks

Art

L4 Transporter

Re: Can a Captive Portal Page be Triggered by a Value in the User Agent String?

Hi Art,

Do they all have the same logon username domain accounts? If yes, you could use that information to trigger the Captive Portal login process.

Just trying to find the lowest common denominator ...

Art
L3 Networker

Re: Can a Captive Portal Page be Triggered by a Value in the User Agent String?

Hi Roland,

Each machine has its own User ID and associated credentials...

Thanks

Art

L4 Transporter

Re: Can a Captive Portal Page be Triggered by a Value in the User Agent String?

Hello Art,

If you put all these accounts into a dedicated AD Group, you could possibly trigger the CP authentication for this AD Group.

Is this for a VWire or L3 setup?

L4 Transporter

Re: Can a Captive Portal Page be Triggered by a Value in the User Agent String?

Hmmm but then again

Unfortunately Captive Portal can only identify user based on source IP unknown and not source port unknown

I believe this is also true for (source) user unknown only and not for a particular AD Group....

How to make the PA look at known AD users as unknown users...?

You could configure your UserID Agent to ignore the accounts through the ignore_user_list.txt file.

This way the users are unknown for the firewall and then you can trigger the CP auth.

What do you think?
