external captive portal

Reply
Highlighted
L1 Bithead

external captive portal

I'm thinking about trying something a little out of the square with user-id and captive portal. Let me start with the context and business goal:

  • The PAN is deployed as a data centre firewall.
  • I'd like to use some policies that permit clients access to an application only if the user is known.
  • I'd like to use some policies that permit clients access to an application for specific users only if they have used strong authentication, specifically a Yubico one time password.
  • Clients platforms are a mixed environment, BYOD, some active directory but not universal.

Here is how I propose solving the problem:

  • use XML-API for the user-id stuff, gather user to IP associations from various authentication logs in close enough to real time.
  • Build an authentication portal with business logic to know when to prompt for a one time password in addition to username and password.
  • Have the PAN redirect HTTP(S) to this portal when necessary.

So far I've proved the following can work:

  • The XML-API user-id stuff.
  • Set the 'Redirect Host' parameter in Captive Portal Settings to an IP of a web server.
  • Use an appropriate Captive Portal and Security policies to redirect the client and permit the traffic to the web server.

I have not yet coded the user authentication and subsequent redirection back to the intended web page but will be pretty straight forward.

It seems Paloalto have not intended (thought about) captive portal being used in this way. Has anyone else attempted this?

What do you think of this idea? Can you think of a better way to achieve the same goal?

thanks,

Scott

Tags (2)
L1 Bithead

Re: external captive portal

A follow-up question.

It's not clear to me how to configure the PAN so it redirects the client to the captive portal only when the user is not known. Is this possible?

Scott

Community Manager

Re: external captive portal

Hi Scott

In regards to your followup question. A session should only be redirected to captive portal if there is no user/IP mapping yet, if such mapping exists CP should not get triggered. are you seeing the opposite ?

your first post should work just fine if you are able to write the redirect after authentication to the original host to facilitate the user and make the authentication trigger the API which should add a user/IP mapping near instantaneously, it should go beautifully


Help the community: Like helpful comments and mark solutions
Reaper out
L4 Transporter

Re: external captive portal

Scott,

You also define a Captive portal rule to identify what source and destination address space you want captive portal to be applied to.  Remembering that the traffic needs to traverse a firewall interface and only kicks in if there is no user-id to IP address mapping already in the firewall (as tpiens mentions).  It works quite well.

Phil

L0 Member

Re: external captive portal

Hi Scott,

You could use a PBF rule for "unknown" users. (just not mapped IP with any user) to IP where CP is configured.

Then "your captive portal" have to redirect  all incomming traffic to destination 80/tcp or 443/tcp to local address.

The CP shall be in DMZ (traffic to CP shall pass over firewall) - only then PBF works.

Also CP shall be connected to the different L3 interface than LAN  and External.

ex. I have:

e1/1 - Internet/External

e1/2 - LAN

e1/3 - CP

PBF have to change a routing for unknown users from default:

User->PAN->Internet

to:

User->PAN->Captive Portal

Rule on PAN:

CP_redirect.png

IPtables redirect/DNAT on Linux:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination <IP of Captive Portal>:80

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination <IP of Captive Portal>:443

Note: HTTPS redirect could generate SSL warning.

After this you could user XML-API to adding users with timeout value.

There is no idle time as in generic PAN CP, only a timeout.

Setting the Timeout for User to IP mapping Created Using User-ID XML-API

T.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!