Captive Portal Authentication

L2 Linker

Captive Portal Authentication

Hi, I've PA-500 with 4.1.1 and I've configured Captive Portal with AD Authentication. Pan-agenty seems to work fine and I can select the AD groups when I configure Securtiy Policy.

I've created an authentication profile only for Captive Portal with Kerberos authentication and my Domain controller as Server profile but I cannot see the groups in allow list, only can see local users. Although with all in allow list, Captive Portal authentication works fine

I'm not sure if I need to configure Group Mappings but as I've read in Administrator Guide of 4.1 group mapping is configured as LDAP server, is it correct?, do I need to configure Group mapping only to have my AD groups in allow list of authentication Profile?.

Thank you in advance.


L3 Networker

Re: Captive Portal Authentication


With PANOS 4.1.x, you need to configure Group Mapping Settings for PAN to get the user-group mappings.  You would need to create an LDAP server profile first and then apply that to the Group Mapping Settings.  With this configured, you will be able to reference groups in your policies.



L2 Linker

Re: Captive Portal Authentication

Hi, thanks for your reply. I supossed that, but the strange think is that I can select my groups in security policy but not in allow list of authentication Profile. Do I need to configure LDAP profile to have user-group mappings in allow list of Authentication Profile?.

It seems strange to have groups in policies without LDAP profile and need it to use groups in Authentication Profile.

EDIT: Hi, I've configured LDAP server profile and install User-ID (not pan-agent) in domain controller. All seems to work fine, I can create policies with users and make the filter of groups in firewall (Device, User Identification, Group Mappings), BUT I cannot select the active directory groups in Authentication Profile.

How could I filter the users of Active Directory that can login in captive portal?, at the moment I only can select my local users.



L4 Transporter

Re: Captive Portal Authentication


I may be misunderstanding your question.

Captive portal is part of the "User Identification" feature. If a user is identified by his AD login he will never see the the portal. Only unknown users, Linux devices and guest users, will be "Unknown" and the portal will present itself to the user to force authentication and use this as the identification method. You do not pick groups or users for Portal usage.

Steve Krall

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!