User-id and re-identifying auto logon users

Reply
Highlighted
L2 Linker

User-id and re-identifying auto logon users

We have a fairly large group of thin clients that auto logon to a user account that is used for launching their Citrix desktop. We are also using the PAN firewall to use NTLM (browser-challenge) for captive portal for internet access for all users. What this means is that we have over a 1000 machines that all have an ip to user mapping to the same user and this means that all web browsing on these machines are under the auto logon user. What I am trying to figure out is how do I get the firewall to prompt with a web-form captive portal for all of these auto logon machines so that we can capture the actual user at these machines. This would be easy if all of these machines were is the same network but they are mixed in with other users too. If I could write a rule that said “if you are the auto logon account then prompt for a web form” that would do it but I cannot figure out how to do that. What option might I have here? If I remove the auto logon account from being in the allowed internet access group then the firewall will do an ntlm challenge to the browser and then just be given the auto logon account again, so I don’t think that would work. I would think that it needs to be a web-form.

L7 Applicator

Re: User-id and re-identifying auto logon users

Hello,

Are you refering to captive portal?

 

Captive Portal
If the firewall or the User-ID agent are unable to map an IP address to a user—for example if the user is not
logged in or is using an operating system such as Linux that is not supported by your domain servers—you can
configure Captive Portal. When configured, any web traffic (HTTP or HTTS) matching your Captive Portal
policy requires user authentication, either transparently via an NT LAN Manager (NTLM) challenge to the
browser, or actively by redirecting the user to a web authentication form for authentication against a RADIUS,
LDAP, Kerberos, or local authentication database or using client certificate authentication. See Map IP
Addresses to User Names Using Captive Portal for details.

 

 

This is in the admin guide:

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/user-id/map-ip-addresses-to-user-nam...

 

Hope this helps!

 

 

L2 Linker

Re: User-id and re-identifying auto logon users

Thanks for the reply, but we have captive portal up and running for most of our users. That is not the issue. What I am trying to accomplish is to write a rule that tells the firewall "if I have an IP mapped to the userid of "auto_logon" then display a captive portal to prompt the actaull user to enter their domain credentials. Is there a way to do this?

L3 Networker

Re: User-id and re-identifying auto logon users

If an IP-user mapping is known to the firewall, a captive portal rule will not fire. Reauthentication is not currently an option, but there are a couple of other approaches to achieve what you are looking for.

 

Do you have a method of identifying the machines using the auto login user?

 

Placing them in one or more address groups would allow you to create an additional captive portal policy of type web-form to trigger before your policy for browser-challenge. 

 

Alternately, if these machines can have a unified group policy applied, remove the redirect hostname of the captive portal from the Intranet / Trusted Sites zones to prevent the browser from participating in the NTLM authentication. This should also allow the user to enter their own credentials. 

 

 

 

 

L2 Linker

Re: User-id and re-identifying auto logon users

These are great suggestions and gives me something to test and work with, thank you!


@asilliker wrote:

If an IP-user mapping is known to the firewall, a captive portal rule will not fire. Reauthentication is not currently an option, but there are a couple of other approaches to achieve what you are looking for.

 

Do you have a method of identifying the machines using the auto login user?

 

Placing them in one or more address groups would allow you to create an additional captive portal policy of type web-form to trigger before your policy for browser-challenge. 

 

Alternately, if these machines can have a unified group policy applied, remove the redirect hostname of the captive portal from the Intranet / Trusted Sites zones to prevent the browser from participating in the NTLM authentication. This should also allow the user to enter their own credentials. 

 

 

 

 


 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!