I have a customer who has AD and is using the UserAgent sucessfully.
However, many users are not always logged in, or are using corporate hardware, so aren't logged in.
I want to configure Captive Portal for non-logged in users that uses NTLM to authenticate users from the AD.
I've found a few KnowledgePoint articles that come close (using RADIUS), but I just want to call the AD to authenticate (maybe using the existing User Agent?).
I can't figure out the settings for the Authentication Profile...none of LocalDb/RADIUS/LDAP seem to fit..
Can someone let me know the steps for doing this?
captive portal using NTLM auth with redirect mode to an L3 interface of the firewall will do this for you.
don't forget to create a captive portal policy that uses the NTLM auth method!!!
LDAP server profile for AD should work with the authentication profile you'll need for Captive Portal. It's the same as the Radius with the exception of an additional 'Logon Attribute' field. For AD, you'll utilize 'sAMaccountName.'
Check your Captive Portal Settings:
NTLM authentication agent: One User Agent is used to proxy request to AD and it should be chosen based on its proximity to the PAN FW
Auth Profile - Choose the Auth Profile previously created
You'll eventually configure the Captive Portal Policy which specifies what form of user detection should be used for a given unknown user session:
1) no-captive-portal: the session remains unknown
2) captive-portal: Use Web Form based user detection
3) ntlm-auth: attempt NTLM authentication. If that fails, attempt web form based mapping.
I'm not sure if you've found these already but just to be sure. The Radius setup doc is similar to what you can do for LDAP over AD.
Hope this helps.
Re this part..
"Check your Captive Portal Settings:
NTLM authentication agent: One User Agent is used to proxy request to AD and it should be chosen based on its proximity to the PAN FW"
I understand pointing at the existing PAN Agent, but what should I use as the Hostname? I don't get what this part does.
It relies on an http 302 redirect to a host in the client computers local zone. This is the host name used in the 302 reply. It is not in the form of a FQDN. This host name must resolve to an IP on an L3 interface or the mgt interface of the PAN firewall.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!