02-10-2011 04:04 PM
Hi,
We've implemented a PA4020 box in a v-wire configuration with another jack on the box configured as an L3 in order to have captive portal functionality. The reason is that there are multiple computers that are logged in to with generic accounts, and we want to track individual users web traffic. Captive portal is being used as a redirect with no cookie retention to force authentication (user id and password) on these generic machines.The method of authentication this is done with is via AD group memberships. There are a list of groups in the "Filter Groups" of the user id agent for computers that are logged in to using individual accounts to ensure "transparent" tracking of Internet use, and all of the generic logins being used are part of another group in the "ignore groups" within user id agent. This is a multiple AD domain environment, so all captive portal authentication is in the form of domain\userid.
The problem we're seeing is that captive portal is letting people go through without entering in a password for captive portal. Instead of putting in (domain\userid and the password) it will allow people to authenticate using just domain\userid without a password. Additionally, on Windows machines that are not part of the domains, or machines that are part of the domain but being logged onto locally, the last known authentication via captive portal is cached and no re-authentication via captive portal is being done - this was discovered trying to duplicate the no password error, it's been "cached" for 2 days.
Netbios/WMI is disabled in the environment, and captive portal is set to a 10 minute inactivity or 60 minute with activity timeout.
Any ideas?
02-10-2011 04:36 PM
Just to clarify, sounds like you are using NTLM with redirect mode, correct? Do you also have session cookie enabled?
The authentication process when using NTLM is typically that when the user puts in their credentials, the credentials go to the PAN device, then to the user ID agent specified in the captive portal configuration, then the agent sends to the domain controller for authentication, then the User ID agent reports back to the PAN device, and permission is granted or denied. In light of this, it may or may not help to check your domain controller's logs to see if the authentication requests are getting there and denied or accepted.
If the authentication is denied, then the user continues to be "unknown" and if you have forced captive portal policy for unknown users, then they shouldn't get allowed through. I believe you may also be able to see the captive portal denial in the System Log (Monitor tab).
>>> Additionally, on Windows machines that are not part of the domains, or machines that are part of the domain but being logged onto locally, the last known authentication via captive portal is cached and no re-authentication via captive portal is being done - this was discovered trying to duplicate the no password error, it's been "cached" for 2 days.
On this one I think you might need to check your session cookie. I'm wondering if you have your session cookie set to time out after 2 days.
I think there are a few moving parts here to work through... You might want to call support and have them take a peek?
02-11-2011 10:22 AM
Hi,
The NTLM authentication drop-downs selection boxes in Device \ User Identification \ Captive Portal properties are blank. Whether or not this indicates NTLM is being used, I am not sure - though it would seem to be not being used.
Captive portal denials when people fail to put in the domain their user id resides in or incorrect passwords (when they put it in) are showing in the monitor tab as failed captive portal authentication attempts.
Session cookies (via the PA device settings) are not enabled.
Thanks.
02-14-2011 12:26 PM
You say you don't have Netbios/WMI probing enabled. Have you set enable-full-expire in the pan-agent config? What are all your different age-out timers and idle-timers?
Your captive portal policy, does it use method: NTLM or Captive Portal?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
