has anyone got configuration for captive portal on and incoming untrusted public ip nat to private internal address.
i need to authenticate incoming connections before they reach the internal server address.
under captive portal I have the source as the public nat address and the destination as the internal server address and it does seem to work. The server can be reached from the Internet without any prompt for authentication?
Solved! Go to Solution.
Hi Rod, If your intention is to prompt a CP login page for inbound connections from the internet to a system that you have created a destination nat for you Captive Portal policy would like like this:
source zone = Untrusted zone
source address = blank or whatever the public IP the traffic is comming from (if you want to be specific)
Destination Address = The Public IP for your server on the inside (not the private address)
Service = the service you are exposing (http,https)
This will force any connections coming from the outside to that public address to be faced with a CP login. If the public address is shared between other systems on the inside be careful to be specific with the Service on the CP policy
Hope this helps
John, Thanks. That cleared things up.
I still can't get the system to present the redirected authentication login page. The documentation for Captive Portal hasn't been updated to PANOS 5 yet.
Below is a pretty good document with some details regarding Captive Portal, it has not changed very much since 4.0:
Starting on page 19 is how to configure. Use your traffic monitor to see which source and destination zones are used for the incoming connections for the server in question. Make sure your source and destination zones in your CP policy match what you see in the traffic log. Also, check the following:
Hope this helps
Thanks for your help so far. I'm strugling with the concept of CP redirect and how the following statement translates to a working example.
Make sure the host name or IP address you specify for the "Redirect Host" is accessible to the public. If you use a host name make sure it has a resolvable public DNS record
Does this imply that the redirect host has to be an internal web server? or does it mean an interface on the firwewall - say for example the main firewall inside (trust) L3 interface?
If it's an internal web server do I need to go through the normal procedure of creating a static nat from the out side to the inside server IP for the captive portal bit?
I've added my current config to see if you or anyone else can clear this up? thanks.
The redirect host will be an L3 interface on the firewall. Weather its a trusted or untrusted interface depends on where the CP clients are coming from. If your case you want to use an untrusted interface since your CP clients are coming from the outside. Also, in your CP policy should have 'outside' for both your source and destination zones since the destination address is your public IP.
Regarding Captive Portal , my Wifi clients can use Skype & GTalk application without authenticated to Captive Portal. But when to browse http (or) https, the captive port login page kicked in.
What I want is, every users have to authenticate at Captive Portal login page first, then can use internet accordingly even Skype or Gtalk applications.
That’s correct, the CP intercept\logon page can only be displayed via a browser. You would need to deny Skype\Gtalk for unknown users in your security policy and force the users to hit a http\https page before expecting any internet dependent applications to function, this would force them to authenticate via CP before doing any web based type activity . This is usually how hotels do it.
Thanks zarina and jteetsel.
Hi jteetsel, how to implement unknown users t force them to authenticate via CP before expecting any internet dependent applications to function. I would like to implement like hotels scenario.
My one is PA3020 & ver 5.0
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!