I am working on setting up URL Filtering on a PAN-5020 as part of converting away from a Proxy.
One of our requirements is to authenticate the user on generic login workstations by providing their credentials when they attempt to view a website that is external to us.
I would like to force a Captive Portal Page to be displayed when a user attempts to access an external website. Is this doable?
If I understand you correctly, you basically have some sort of terminal server where logged-in users can access resources and the Internet. Such a scenario would mean all user sessions, no matter which user is logged in, use the same source IP. Normally the TS-agent can identify such users by allocating a source port range per user. Unfortunately, Captive Portal can only identify a user based on the source IP being unknown, not on the source port being unknown. So unless you can somehow have users use different source IPs, CP won't know the difference between users.
Your answer sounds like the right track, but I may not have explained the situation correctly -
We are trying to make sure that if any of the workstations (PCs) in our shared areas (exam rooms, operatories, nursing stations and such) is used to go to an Internet site (such as www.nascar.com), the PANs would display the Captive Portal page to allow the user to supply their network credentials - we would then have the PAN validate the credentials via the user agent.
We do this currently on our BlueCoat ProxySGs by detecting a string in the User-Agent string that the BlueCoats look for and trigger an authentication dialogue from. The 'trigger string' is set up in the workstation's registry.
Yes, these devices are part of our domains. They have 'autologon' IDs that are severely limited - which is part of why we require authentication of the person whose fingers are typing.
Do they all have the same logon username/domain accounts? If yes, you could use that information to trigger the Captive Portal login process.
Just trying to find the lowest common denominator ...
If you put all these accounts into a dedicated AD group, you could possibly trigger the CP authentication for this AD group.
Is this for a VWire or L3 setup?
Hmmm, but then again:
"Unfortunately, Captive Portal can only identify a user based on the source IP being unknown, not on the source port being unknown."
I believe this is also true for (source) user unknown only, and not for a particular AD group....
How do you make the PA treat known AD users as unknown users...?
You could configure your User-ID Agent to ignore the accounts through the ignore_user_list.txt file.
This way the users are unknown to the firewall, and then you can trigger the CP auth.
What do you think ?
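An added example, not code from the thread or from Palo Alto Networks, of how you would prepare that ignore list and check that it actually took effect. It assumes the ignore_user_list.txt format is one domain\username entry per line matched case-insensitively, and it models the firewall's IP-to-user mapping as a simple list of (ip, user) pairs; the AD group name, account names and IP addresses are constructed for the example.

```python
"""Added example (not the page's own code): build the User-ID agent ignore
list for shared-workstation autologon accounts, then audit the firewall's
IP-to-user mapping so no shared workstation is still 'known'.
Assumptions: ignore_user_list.txt holds one domain\\user per line, matched
case-insensitively; the mapping table is modelled as (ip, user) pairs."""
import re

# Constructed: members of a hypothetical AD group holding the autologon IDs,
# as exported from AD (DOMAIN\sAMAccountName). Duplicates differ only in case.
AUTOLOGON_GROUP_MEMBERS = [
    r"CLINIC\examroom01-auto",
    r"CLINIC\examroom02-auto",
    r"CLINIC\nursing-station-auto",
    r"clinic\ExamRoom01-Auto",   # same account as the first entry
]

# domain\user; '*' allowed in the user part for wildcard entries (assumption).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$*-]+$")


def build_ignore_list(members):
    """Return validated, case-insensitively deduplicated ignore entries."""
    seen = set()
    lines = []
    for m in members:
        m = m.strip()
        if not USERNAME_RE.match(m):
            raise ValueError(f"not a domain\\user entry: {m!r}")
        key = m.lower()
        if key in seen:
            continue
        seen.add(key)
        lines.append(m)
    return lines


def render_ignore_file(members):
    """Text to write to ignore_user_list.txt: one entry per line."""
    return "\n".join(build_ignore_list(members)) + "\n"


# Constructed sample of the firewall's IP-to-user table after the agent was
# reconfigured. An IP with no row is 'unknown' to the firewall.
IP_USER_MAPPING = [
    ("10.20.1.15", r"clinic\jsmith"),
    ("10.20.1.16", r"CLINIC\examroom02-auto"),      # stale: CP won't trigger here
    ("10.20.1.17", r"clinic\nursing-station-auto"),  # stale: CP won't trigger here
]
SHARED_WORKSTATIONS = ["10.20.1.14", "10.20.1.16", "10.20.1.17"]


def audit_mappings(mapping, shared_ips, ignore_lines):
    """Return shared-workstation IPs that still map to an ignored account.

    Any IP returned is still a known user to the firewall, so a Captive
    Portal rule keyed on 'unknown user' will not fire there until the old
    mapping ages out or is cleared."""
    ignored = {line.lower() for line in ignore_lines}
    by_ip = {ip: user for ip, user in mapping}
    return sorted(ip for ip in shared_ips
                  if ip in by_ip and by_ip[ip].lower() in ignored)


if __name__ == "__main__":
    entries = build_ignore_list(AUTOLOGON_GROUP_MEMBERS)
    print(render_ignore_file(AUTOLOGON_GROUP_MEMBERS), end="")
    print("still mapped:", audit_mappings(IP_USER_MAPPING,
                                          SHARED_WORKSTATIONS, entries))
```

The audit step is the caveat to keep in mind with this approach: the ignore list only stops the agent from learning those accounts going forward, so mappings the firewall already holds for the shared workstations persist until they time out or are cleared, and Captive Portal will not be presented on those IPs until then.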