Authentication of Users through Captive portal query

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Authentication of Users through Captive portal query

L3 Networker

Hi Team,

 

We had configured captive portal on the firewall recently.

 

In Authentication policy we had selected source users as any and we are using Active Directory for Authentication.

 

Also we had configured agentless user-id mapping on the firewall and server monitoring to fetch details from AD server for User-IP mapping to feed onto the firewall.

 

When an unknown user tries to access internet we are getting captive portal re-direction but for devices which have user-ip mapping fetched from AD server Captive portal redirection is not happening.

 

Is this an expected behaviour for users who are already got user-IP mapped through AD source to not get Captive portal redirection.

 

I had seen previously it works for Global Protect users but not sure about AD users.

 

Done troubleshooting as per below doc also:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZiCAK#:~:text=Verify%20C....

 

Also SSL forward proxy decryption is configured on the firewall.

 

Thanks in advance

 

2 REPLIES 2

Cyber Elite
Cyber Elite

Thank you for the post @tamilvanan

 

I am running similar setup in multiple Firewalls. I just tried to reproduce the scenario you mentioned and I got the same result. For the session that has already user-ip mapping from user-id agent, I was not getting redirection to captive portal despite fact that I configured in authentication policy source as "any" and Authentication Enforcement: default-web-form. Based on my test I would say what you are experiencing is expected, however I could not find any reference in documentation to back this up.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

@tamilvanan,

This is expected behavior. Captive Portal only triggers on unknown users and doesn't trigger for IPs that already have a user-id mapping. 

  • 2433 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!