Using an explicit L3 interface for captive portal web form in PAN-OS 3.1.2

L3 Networker

Hello,

I noticed this in the PAN-OS 3.1.2 release notes:

Captive Portal Session Enhancements – The captive portal web forms method of authenticating
and identifying a user’s IP address has been modified to include a session cookie. This session
cookie is used to maintain the user to IP mapping as long as the users’ browser remains
running. In addition, an option to use an explicit L3 interface for the captive portal web form
can now be used to avoid certificate mismatch issues when presenting the form via SSL.

Does this mean that we can directly connect to the captive portal web form without having the need to be redirected? If yes, I have installed the 3.1.2 version of PAN-OS, but I don't find any option to select this kind of function. Any idea?

Regards.

L4 Transporter

Re: Using an explicit L3 interface for captive portal web form in PAN-OS 3.1.2

Hello Asia,

We still need to have sessions redirected to the Palo Alto device to inject the captive portal form.

Thanks,

Stephen

L3 Networker

Re: Using an explicit L3 interface for captive portal web form in PAN-OS 3.1.2

Thanks Stephen,

In this case, can you tell me the meaning of this point in the release notes?

Regards

L0 Member

Re: Using an explicit L3 interface for captive portal web form in PAN-OS 3.1.2

Hi Stephen,

Can we make this a feature request? The ability to have non-AD users go to a webforms page and authenticate without needing to be redirected first would be awesome.

Thanks,

Andrew

L4 Transporter

Re: Using an explicit L3 interface for captive portal web form in PAN-OS 3.1.2

One way to get this behavior would be to set up a hostname in DNS that resolves to any IP address that would be routed through the firewall and would hit a captive portal rule. For example, if you added a DNS entry for login.mycompany.com that resolved to 1.1.1.1 and 1.1.1.1 was routed through an interface on the firewall with a CP rule for 1.1.1.1, they would get the login page. The DNS part isn't actually required for this. You could simply tell people to go to 1.1.1.1 if you wanted. 1.1.1.1 just needs to be some IP address that will get routed through the firewall. It could be a public IP or a private IP.

Mike
