How to configure Captive Portal NTLM auth?

Not applicable


I have a customer who has AD and is using the User Agent successfully.

However, many users are not always logged in, or are using corporate hardware, so aren't logged in.

I want to configure Captive Portal for non-logged in users that uses NTLM to authenticate users from the AD.


I've found a few KnowledgePoint articles that come close (using RADIUS), but I just want to call the AD to authenticate (maybe using the existing User Agent?).

I can't figure out the settings for the Authentication Profile...none of LocalDb/RADIUS/LDAP seem to fit..

Can someone let me know the steps for doing this?

L6 Presenter

Re: How to configure Captive Portal NTLM auth?

captive portal using NTLM auth with redirect mode to an L3 interface of the firewall will do this for you.

don't forget to create a captive portal policy that uses the NTLM auth method!!!

-Benjamin

L6 Presenter

Re: How to configure Captive Portal NTLM auth?

LDAP server profile for AD should work with the authentication profile you'll need for Captive Portal. It's the same as the RADIUS one with the exception of an additional 'Login Attribute' field. For AD, you'll utilize 'sAMAccountName'.

Check your Captive Portal Settings:

NTLM authentication agent: One User Agent is used to proxy requests to AD, and it should be chosen based on its proximity to the PAN FW

Auth Profile - Choose the Auth Profile previously created

You'll eventually configure the Captive Portal Policy which specifies what form of user detection should be used for a given unknown user session:

1) no-captive-portal: the session remains unknown

2) captive-portal: Use Web Form based user detection

3) ntlm-auth: attempt NTLM authentication. If that fails, attempt web form based mapping.

I'm not sure if you've found these already but just to be sure. The Radius setup doc is similar to what you can do for LDAP over AD.

https://live.paloaltonetworks.com/docs/DOC-1410

https://live.paloaltonetworks.com/docs/DOC-1040

Hope this helps.

-Renato

Not applicable

Re: How to configure Captive Portal NTLM auth?

Thanks Guys...

Re this part..

"Check your Captive Portal Settings:

NTLM authentication agent: One User Agent is used to proxy requests to AD, and it should be chosen based on its proximity to the PAN FW"

I understand pointing at the existing PAN Agent, but what should I use as the Hostname? I don't get what this part does.

L6 Presenter

Re: How to configure Captive Portal NTLM auth?

It relies on an HTTP 302 redirect to a host in the client computer's local zone. This is the host name used in the 302 reply. It is not in the form of an FQDN. This host name must resolve to an IP on an L3 interface or the management interface of the PAN firewall.
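As an added example (not from the thread or from Palo Alto Networks), a small pre-deployment check that applies the points raised above: the AD LDAP profile uses sAMAccountName, a User Agent is selected for NTLM, the 302 redirect host is a single-label name resolving to a firewall L3/management address, and a captive portal policy uses the ntlm-auth action. The configuration dict, the DNS lookup table and the interface addresses are constructed stand-ins, not PAN-OS objects or API calls.

```python
# Constructed sample configuration modelled on the settings discussed in the
# thread; key names are illustrative and are not PAN-OS object names.
SAMPLE_CONFIG = {
    "ldap_profile": {"type": "active-directory", "login_attribute": "sAMAccountName"},
    "captive_portal": {"auth_profile": "cp-ldap-ad", "ntlm_agent": "UA-DC01",
                       "redirect_host": "cpauth"},
    "policies": [{"name": "cp-unknown-users", "action": "ntlm-auth"}],
}

# Constructed stand-in for DNS (name -> IP) so the check runs offline.
SAMPLE_DNS = {"cpauth": "10.1.1.1"}

# Constructed L3 / management addresses of the firewall.
FIREWALL_INTERFACE_IPS = {"10.1.1.1", "10.1.1.2"}


def check_redirect_host(hostname, dns, firewall_ips):
    """Return problems with the host name placed in the HTTP 302 redirect."""
    issues = []
    if not hostname:
        return ["redirect host is empty"]
    if "." in hostname:
        # An FQDN is not treated as a local-zone host by the browser.
        issues.append(f"'{hostname}' is an FQDN; use a single-label host name")
    ip = dns.get(hostname)
    if ip is None:
        issues.append(f"'{hostname}' does not resolve")
    elif ip not in firewall_ips:
        issues.append(f"'{hostname}' resolves to {ip}, not a firewall L3/mgmt interface")
    return issues


def check_captive_portal(config, dns, firewall_ips):
    """Return a list of findings; an empty list means the settings line up."""
    issues = []
    ldap = config.get("ldap_profile", {})
    if ldap.get("type") == "active-directory" and ldap.get("login_attribute") != "sAMAccountName":
        issues.append("AD LDAP profile should use login attribute sAMAccountName")
    cp = config.get("captive_portal", {})
    if not cp.get("auth_profile"):
        issues.append("captive portal has no authentication profile selected")
    if not cp.get("ntlm_agent"):
        issues.append("no User Agent selected to proxy NTLM requests to AD")
    issues += check_redirect_host(cp.get("redirect_host"), dns, firewall_ips)
    if not any(p.get("action") == "ntlm-auth" for p in config.get("policies", [])):
        issues.append("no captive portal policy uses the ntlm-auth action")
    return issues
```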
