Captive Portal - identify user with certificate

L0 Member

Captive Portal - identify user with certificate

Hello everybody.

I have a question regarding captive portal user identification.

As everybody knows, users on Mac, iPhone and Android are difficult to identify and manage without entering credentials in the captive portal.

For the wireless policy on all my company devices I've installed a user certificate that grants wireless access. I would like to use it for user identification in the captive portal.

I've tried to configure my PA-2050 (4.0.5) like scenario 3 of the "How to configure captive portal" guide.

The problem is:

  1. If I set, under User Identification, the client certificate and the authentication profile (so that a client that doesn't have a certificate can enter credentials in the captive portal), the browser goes wrong.
  2. If I set only the authentication profile, everything works well.

I've got an internal CA. I've imported the ca certificate on PA and created the client certificate profile.

Can anyone help me?
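The original poster's setup relies on a client certificate profile: the firewall checks that the presented certificate chains to the imported internal CA and then takes the username from the certificate subject. The following script is an added example, not code from the thread or from Palo Alto Networks, that reproduces that logic on the command line so the two halves can be seen separately. It assumes the `openssl` CLI is available; the CA, the user "jdoe", the organisation name and the "forged" certificate are all constructed here for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): what a client certificate profile does
# for captive-portal user identification, done by hand with openssl.
# Everything below is constructed for the demo: the CA, the organisation,
# the user "jdoe" and the certificate issued by an unrelated CA.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Constructed internal CA (stands in for the CA imported on the firewall).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 1 -subj "/O=Example Corp/CN=Example Internal CA" >/dev/null 2>&1

# 2. Corporate user certificate issued by that CA; the subject CN is the username.
openssl req -newkey rsa:2048 -nodes -keyout jdoe.key -out jdoe.csr \
  -subj "/O=Example Corp/CN=jdoe" >/dev/null 2>&1
openssl x509 -req -in jdoe.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out jdoe.pem -days 1 >/dev/null 2>&1

# 3. A certificate with the SAME subject, but issued by an unrelated CA.
#    It shows why the chain check must come before reading the CN.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other-ca.key \
  -out other-ca.pem -days 1 -subj "/CN=Some Other CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout forged.key -out forged.csr \
  -subj "/O=Example Corp/CN=jdoe" >/dev/null 2>&1
openssl x509 -req -in forged.csr -CA other-ca.pem -CAkey other-ca.key \
  -CAcreateserial -out forged.pem -days 1 >/dev/null 2>&1

# identify_user CERT CA_BUNDLE
# Prints the username from the subject CN and returns 0 when CERT chains to
# CA_BUNDLE; returns 1 and prints nothing otherwise.
identify_user() {
  cert=$1
  ca=$2
  # Chain validation first: a subject CN only means something when the
  # issuer is one we trust (the firewall's certificate profile does the same).
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    return 1
  fi
  # RFC 2253 form prints e.g. "subject=CN=jdoe,O=Example Corp".
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Usage: the corporate certificate yields a username, the forged one does not,
# even though both carry CN=jdoe.
if user=$(identify_user jdoe.pem ca.pem); then
  echo "jdoe.pem: identified user '$user'"
else
  echo "jdoe.pem: rejected"
fi
if identify_user forged.pem ca.pem >/dev/null; then
  echo "forged.pem: accepted (should not happen)"
else
  echo "forged.pem: rejected, no trusted chain, so the CN is never used"
fi
```

The point of the second certificate is that identity comes from the trusted chain, not from the subject field: anyone can mint a certificate that says CN=jdoe, so a certificate profile that validates against the wrong (or an overly broad) CA set would let such a certificate pass as that user.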

L6 Presenter

Re: Captive Portal - identify user with certificate

This is a document for utilizing client cert for ssl-vpn authentication but should be good for CP as well. Hope it helps but feel free to update this thread if you need further assistance.

https://live.paloaltonetworks.com/docs/DOC-1934

Regards,

Renato

L0 Member

Re: Captive Portal - identify user with certificate

Seen it. Unfortunately I get the error described above.

L4 Transporter

Re: Captive Portal - identify user with certificate

Can you please elaborate on the errors that you receive?  Also, have you tried using a different browser with the captive portal?

L6 Presenter

Re: Captive Portal - identify user with certificate

"If a client doesn't have a cert" ---> Could you please clarify? I am under the assumption, the client has the cert and thus should get the two-factor authentication from the PAN.

Not applicable

Re: Captive Portal - identify user with certificate

I think the problem he is having is the same as me... I want to use the captive portal with username/password for devices WITHOUT a certificate.  Example: say we have a presenter/visitor come into our building and they need internet access - they will hit the portal where we can give them a username and password.  But we want our other corporate devices like ipads, iphones, androids, etc to get on automatically by having the cert... so they don't have to enter their credentials each day.  Is there a way to do this?

L5 Sessionator

Re: Captive Portal - identify user with certificate

Erik,

As per the current design, you cannot have both configured and still use only one of them. If you have certificates and an auth profile, it will be a 2-form authentication: you authenticate using a cert and also need to authenticate using username/password. If you want to use only certificates, leave the auth profile empty.

If you need the functionality of being able to configure both and use only one form of authentication, please contact your SE to file a feature request. Hope this information was helpful.

Thanks,

Sri

L6 Presenter

Re: Captive Portal - identify user with certificate

Can't one set up two interfaces (connected to each zone) where one interface is the regular captive portal (and default gw) and the other is ssl-vpn, which your own devices (ipads etc) will connect directly to?

And then in the security rules you set this as srczone: zone_portal, zone_vpn

L7 Applicator

Re: Captive Portal - identify user with certificate

Yes, make two different VLANs... one for guests, and the other for employees...  You can use captive portal for the guest network/subnet/vlan, and then use something different on your internal network.

Not applicable

Re: Captive Portal - identify user with certificate

jvalentine,  Our school district's networking equipment is ancient - the Palo Alto is one of two L3 devices on our network.  I have very little experience with vlans, given our 15+ year old cisco switches as the majority of our network.  I'm all ears if you want to let me know how to set it up though :)

Mikand - I don't know what you mean... I would plug in two cables from my network into the Palo Alto and have two separate gateways?  I'd love to hear more...

Thanks for the responses... sorry to hijack a thread.  :)

I started my own thread about this here: https://live.paloaltonetworks.com/message/18846#18846

Thanks,

Erik
