Using an explicit L3 interface for captive portal web form in PAN-OS 3.1.2

L3 Networker

Hello,

I noticed this in the PAN-OS 3.1.2 release notes:

Captive Portal Session Enhancements – The captive portal web forms method of authenticating
and identifying a user’s IP address has been modified to include a session cookie. This session
cookie is used to maintain the user to IP mapping as long as the users’ browser remains
running. In addition, an option to use an explicit L3 interface for the captive portal web form
can now be used to avoid certificate mismatch issues when presenting the form via SSL.

Does this mean that we can directly connect to the captive portal web form without having the need to be redirected? If yes, I have installed the 3.1.2 version of PAN-OS, but I don't find any option to select this kind of function. Any idea?

Regards.

4 REPLIES

L4 Transporter

Hello Asia,

We still need to have sessions redirected to the Palo Alto device to inject the captive portal form.

thanks,

Stephen

Thanks Stephen,

In this case, can you tell me the meaning of this point in the release notes?

Regards

Hi Stephen,

Can we make this a feature request? The ability to have non-AD users go to a web forms page and authenticate without needing to be redirected first would be awesome.

thanks,

Andrew

One way to get this behavior would be to set up a hostname in DNS that resolves to any IP address that would be routed through the firewall and would hit a captive portal rule. For example, if you added a DNS entry for login.mycompany.com that resolved to 1.1.1.1 and 1.1.1.1 was routed through an interface on the firewall with a CP rule for 1.1.1.1, they would get the login page. The DNS part isn't actually required for this. You could simply tell people to go to 1.1.1.1 if you wanted. 1.1.1.1 just needs to be some IP address that will get routed through the firewall. It could be a public IP or a private IP.

Mike
