I have a question regarding captive portal user identification.
As everybody knows, users on Mac, iPhone and Android are difficult to identify and manage without entering credentials in the captive portal.
For the wireless policy, I've installed on all my company devices a user certificate that grants wireless access. I would like to use it for user identification in the captive portal.
I've tried to configure my PA-2050 (4.0.5) like scenario 3 of the "How to configure captive portal" guide.
The problem is:
I've got an internal CA. I've imported the CA certificate on the PA and created the client certificate profile.
Can anyone help me?
This is a document for utilizing a client cert for SSL-VPN authentication, but it should be good for CP as well. Hope it helps, but feel free to update this thread if you need further assistance.
Can you please elaborate on the errors that you receive? Also, have you tried using a different browser with the captive portal?
"If a client doesn't have a cert" ---> Could you please clarify? I am under the assumption, the client has the cert and thus should get the two-factor authentication from the PAN.
I think the problem he is having is the same as mine... I want to use the captive portal with username/password for devices WITHOUT a certificate. Example: say we have a presenter/visitor come into our building and they need internet access - they will hit the portal where we can give them a username and password. But we want our other corporate devices like iPads, iPhones, Androids, etc. to get on automatically by having the cert... so they don't have to enter their credentials each day. Is there a way to do this?
As per the current design, you cannot have both configured and still use only one of them. If you have certificates and an auth profile, it will be a 2-form authentication: you authenticate using a cert and also need to authenticate using username/password. If you want to use only certificates, leave the auth profile empty.
If you need the functionality of being able to configure both and use only one form of authentication, please contact your SE to file a feature request. Hope this information was helpful.
Can't one set up two interfaces (connected to each zone), where one interface is the regular captive portal (and default gateway) and the other is SSL-VPN, which your own devices (iPads etc.) will connect to directly?
And then in the security rules you set this as srczone: zone_portal, zone_vpn
Yes, make two different VLANs... one for guests, and the other for employees... You can use captive portal for the guest network/subnet/vlan, and then use something different on your internal network.
jvalentine, our school district's networking equipment is ancient - the Palo Alto is one of two L3 devices on our network. I have very little experience with VLANs, given that our 15+ year old Cisco switches make up the majority of our network. I'm all ears if you want to let me know how to set it up though :)
Mikand - I don't know what you mean... I would plug in two cables from my network into the Palo Alto and have two separate gateways? I'd love to hear more...
Thanks for the responses... sorry to hijack a thread. :)
I started my own thread about this here: https://live.paloaltonetworks.com/message/18846#18846