I am looking for ways to configure a Captive Portal policy with NTLM authentication.
I have read a good number of PDFs from Palo Alto but am still unable to understand how to configure it.
In short, I need to know how to configure NTLM authentication for the captive portal for both the Palo Alto integrated hardware User-ID agent and the software User-ID agent.
The latest revision available on the net, "how to configure captive portal", is for PAN-OS 4.0; we are using PAN-OS 6.0 and some of the settings are missing in PAN-OS 6.0.
Does anybody know how to do it?
First, you will need to enable captive portal under Device > User Identification > Captive Portal Settings
- please note that the authentication method does not matter, as this is NOT used for the NTLM authentication.
Secondly, you will need to configure a captive portal policy that dictates which traffic can/needs to be intercepted to perform NTLM authentication, and set it to browser-challenge.
Third, make sure "enable user identification" is enabled on the source zone.
Then, depending on the choice of a software agent or an agentless deployment, you need to add some additional configuration.
In the case of a software agent you need to enable the NTLM authentication option; this proxies the NTLM request to the software agent,
and that should be it for this option.
In the case of an agentless deployment more settings are required:
1. The deviceconfig needs to be set so the PA has its domain configured in Device > Setup > General Settings, and is using the internal DNS in Device > Setup > Services.
2. There needs to be a server added to the "Server Monitoring" section of Device > User Identification > User Mapping.
3. In the Palo Alto Networks User-ID Agent Setup, a valid WMI authentication account needs to be added and the NTLM section needs to be filled out (please note "username" is simply the username, no domain). All the other tabs can be disabled.
That should do it, hope this helps.
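As an added example (not code from the thread or from Palo Alto Networks), here is a small Python check a defender can run against captured HTTP headers to confirm the browser-challenge rule is actually issuing an NTLM challenge and that the challenge names the domain configured in step 1. The sample Type 2 token below is constructed inline; `build_type2`, `parse_type2` and `check_challenge` are names chosen for this example.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # target name is UTF-16LE
TARGET_TYPE_DOMAIN = 0x00010000  # target name is a domain name


def build_type2(target: str, server_challenge: bytes) -> bytes:
    """Constructed NTLM CHALLENGE_MESSAGE (Type 2) used only as sample input.
    Fixed header is 48 bytes (no Version field); TargetInfo is left empty."""
    name = target.encode("utf-16-le")
    msg = NTLMSSP + struct.pack("<I", 2)                    # signature, type
    msg += struct.pack("<HHI", len(name), len(name), 48)    # TargetName fields
    msg += struct.pack("<I", NEGOTIATE_UNICODE | TARGET_TYPE_DOMAIN)
    msg += server_challenge + b"\x00" * 8                   # challenge, reserved
    msg += struct.pack("<HHI", 0, 0, 48 + len(name))        # empty TargetInfo
    return msg + name


def parse_type2(token_b64: str) -> dict:
    """Decode the base64 token from 'WWW-Authenticate: NTLM <token>'."""
    raw = base64.b64decode(token_b64)
    if raw[:8] != NTLMSSP or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    name_len, _, name_off = struct.unpack_from("<HHI", raw, 12)
    flags = struct.unpack_from("<I", raw, 20)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    target = raw[name_off:name_off + name_len].decode(codec)
    return {"target": target, "flags": flags, "challenge": raw[24:32]}


def check_challenge(status: int, headers: dict, expected_domain: str) -> str:
    """Classify a captive-portal reply: 'no-challenge' (rule not matching or
    not browser-challenge), 'initial' (bare 'NTLM', waiting for the client's
    Type 1), 'ok' (Type 2 naming the configured domain) or 'wrong-domain'."""
    www = headers.get("WWW-Authenticate", "")
    if status != 401 or not www.startswith("NTLM"):
        return "no-challenge"
    if www.strip() == "NTLM":
        return "initial"
    info = parse_type2(www.split(None, 1)[1])
    return "ok" if info["target"].upper() == expected_domain.upper() else "wrong-domain"


# Constructed sample reply, as a browser would see it after sending its Type 1.
SAMPLE_TOKEN = base64.b64encode(build_type2("EXAMPLE", bytes(range(8)))).decode()
SAMPLE_HEADERS = {"WWW-Authenticate": "NTLM " + SAMPLE_TOKEN, "Content-Length": "0"}
```

A `wrong-domain` result usually points at the domain in Device > Setup > General Settings or the NTLM section of the User-ID agent setup not matching the account's domain.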
Thank you very much for the reply.
One question though.
"The deviceconfig needs to be set so the PA has its domain configured in Device > Setup > General Settings"
What does the device domain name have to do with an agentless deployment for NTLM authentication?
In the configuration, a valid WMI authentication account needs to be added.
The device should be in a domain to go for WMI authentication (domain\wmi_user).