Can a Captive Portal Page be Triggered by a Value in the User Agent String?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Can a Captive Portal Page be Triggered by a Value in the User Agent String?

L3 Networker

Hello,

   I am working on setting up URL Filtering on a PAN-5020 as part of converting away from a Proxy. 

   One of our requirements is to authenticate the user on generic login workstations by providing their credentials when they attempt to view a website that is external to us.

    I would like to force a Captive Portal Page to be displayed when a user attempts to access an external website.  Is this doable?

Thanks

Art

8 REPLIES 8

Retired Member
Not applicable

If I understand you correctly, you basically have some sort of terminal server where login users can access resources and Internet. Such scenarios would mean all user sessions no matter the login user would use same source IP. Normally TS-agent can identify such users by allocating source port range for users. Unfortunately Captive Portal can only identify user based on source IP unknown and not source port unknown. So unless you can somehow have users use different source IPs then CP won't know the difference between users.

-Richard

Hi Richard,

    Your answer sounds like the right track, but I may not have explained the situration correctly -

    We are trying to make sure that if any of the workstations (PC's) in our shared areas (exam rooms, operatories, nursing stations and such) is used to go to an internet site (such as www.nascar.com) the PAN's would display the Captive Portal Page to allow the user to supply their network credentials - we would then have the PAN validate via the user agent the credentials.

   We do this currently on our BlueCoat ProxySG's by detecting a string in the User Agent string that the BlueCoat's look for and trigger an authentication dialogue from.  The 'trigger string' is set up in the workstation's registry.

Thanks

Art

L4 Transporter

I assume your shared area PC's are not member of your windows domain , right ?

Hi Roland,

   Yes, these devices are part of our domains.    They have 'autologon' ID's that are severely limited - which is part of why we require authentication of the person who's fingers are typing.

Thanks

Art

L4 Transporter

Hi Art,

do they all have the same logon username domain accounts ? If yes you could use that information to trigger the Captive Portal login process.

Just trying to find the lowest common denominator ...

Hi Roland,

    Each machine has it's own User ID and associated credentials...

Thanks

Art

L4 Transporter

Hello Art,

if you put all these accounts into a dedicated AD Group, you could possibly trigger the CP authentication for this AD Group.

Is this for a VWire or L3 setup ?

L4 Transporter

Hmmm but then again

Unfortunately Captive Portal can only identify user based on source IP unknown and not source port unknown

I believe this is also true for (source) user unknown only and not for a particular AD Group....

How to make the PA to look at known AD users as unknown users ...?

You could configure your UserID Agent to ignore the accounts through the ignore_user_list.txt file.

This way the users are unknown for the firewall and then you can trigger the CP auth.

What do you think ?

  • 4149 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!