This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Captive Portal With SSO Breaks All Rules

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Captive Portal With SSO Breaks All Rules

Go to solution
Phil_Throumoulos
L1 Bithead

‎09-19-2017 11:37 AM

Hello ALL - 

 

This is my second post here regarding Captive Portal. I enabled Captive Portal in my environment the other day thinking it would be for webaccess for my users in the event the User ID tool did not work. Upon enabling this feature other rules on my firewall stopped processing since there was no users associated with those rules. 

 

Is this really the way that Captive Portal is supposed to work? I have a rule that allows a certain IPA to ping an external resource, when captive portal is enabled the rule stops working till I authenticate through the captive portal and there is a user to IP mapping regadless if my rule has an associated user listed in it. 

 

That seems like a huge flaw to me especially since I have service like DNS that do not run as any user.

 

Just so you are all aware,  I am currenlty running 2 850's in HA on 8.0.3

 

I really need a way for users to authenticate for web access if User ID fails without breaking all my other firewall rules.  I thought that enabling the captive portal would allow them to authenticate that way. My SSO rule covers my entire subnet as my network environment is flat network with no segregation between servers and clients(this could be changed if needed to get things to work) as I think this might be causing part of the issue.

 

 

 

Any help would be appreicated.

 

Thanks!  

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Phil_Throumoulos

‎09-21-2017 06:40 AM

@Phil_Throumoulos,

That's going to be your issue as you are making everyone authenticate. For anything that you don't want to be presented the captive portal you need to configure a rule to proceed without a broswer challenge, the default-no-captive-portal Authentication Enforment should work for that. 

Alternatively modify the source address to just exclude your server IP range should work perfectly fine as well. 

View solution in original post

6 REPLIES 6

Go to solution
BPry
Cyber Elite
Cyber Elite

‎09-20-2017 07:11 AM

@Phil_Throumoulos,

Can you send a screenshot of your Authentication policy list. If you have not made exceptions to allow the traffic to pass without authentication for the required source/destination on the proper app/service you will be presented with the captive portal page if that is how you have things configured. So in essence yes, this is how it will work until you tell it how to handle the traffic. 

Go to solution
Phil_Throumoulos
L1 Bithead
In response to BPry

‎09-20-2017 11:21 AM - edited ‎09-20-2017 11:24 AM

 

ScreenShot1318.jpg

 

 What you are saying makes sense. I am not sure how I would add the exception to say do not authenticate everyone. I have a group of users in AD that should be the only ones effected by the captive portal. Maybe I should put thier group in the SSO rule instead of Domain Users.?

 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Phil_Throumoulos

‎09-20-2017 02:07 PM

@Phil_Throumoulos,

That appears to be your authentification profile. You should have a policy within the Policies tab on either Authentication Policy or It could be called Captive Portal policy depending on what version you are running. 

0 Likes Likes

Go to solution
Phil_Throumoulos
L1 Bithead
In response to BPry

‎09-21-2017 05:50 AM

Ahh, yes. Sorry, I guess I misunderstood what you were looking for. Here is the screenshot of what you want. ScreenShot1320.jpg

 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Phil_Throumoulos

‎09-21-2017 06:40 AM

@Phil_Throumoulos,

That's going to be your issue as you are making everyone authenticate. For anything that you don't want to be presented the captive portal you need to configure a rule to proceed without a broswer challenge, the default-no-captive-portal Authentication Enforment should work for that. 

Alternatively modify the source address to just exclude your server IP range should work perfectly fine as well. 

Go to solution
Phil_Throumoulos
L1 Bithead
In response to BPry

‎09-21-2017 10:52 AM

Ahhhh, yes. What you are saying now makes complete sense to me! I am requiring that everyone authenticate which I do not need. I just need certain users in certain subnets to authenticate. I will create another auth rule and put my servers in it and also change it to no captive portal. Thanks for the extra set of eyes on this BPry!!

0 Likes Likes
  • 1 accepted solution
  • 3043 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks