Captive portal authentication with Radius/AD

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Captive portal authentication with Radius/AD

L1 Bithead


     I try PAN-OS 4.1.3, I use captive portal authentication with Radius/AD. I config user in WiFi zone access to any zone must authentication with captive portal. It work normally. But I try set Proxy server and user in WiFi Zone config Proxy IP into Internet Option. After that the user in WiFi zone can't access to any web becasue of the broswer doesn't redirect to captive portal authentication. Then I try to remove Proxy IP from Internet  Option and test access web site. It redirect to captive portal page for authentication. Then I set Proxy IP into  Internet Option. It can access to website pass through Proxy server normally.

     Why I remove Proxy IP from Internet Option before authentication with captive portal?

     How to config for this issue ?


L6 Presenter

what device is acting as your proxy server?  Are you trying to configure the PAN device as the proxy server?

Hi rmonvon

     I use Ubuntu server install squid3 for my proxy server.


Manaschai S.

Thank you for the info.  It sounds like your configuration is sendding all traffic to the proxy server, including the captive portal session.  I suggest that you defining a proxy bypass for the captive portal session such that the traffic is going direct.  You can try using the captive portal 'redirect' option to a host and set the proxy bypass for this host.


     I set the captive portal 'redirect' on Palo Alto network firewall and on squid3 I config

          acl server src  <-- my server zone and Palo Alto firewall management interface

          always_direct allow server

     but it still not work. I found address of browser is "". That change after I set above command on squid3 software but the broswer not show login page.

I am sorry but I don't understand what you mean by configuring 'redirect' on the proxy server and the 'acl server ...'.

My suggestion was to use 'redirect' on the PA device instead of 'transparent'.  Once you select 'redirect', you also must define the 'redirect host' under the captive portal setting.  When captive portal authenticates, the user will be forwarded to this 'redirect host' and this traffic should be direct (not going to your proxy server).  So in the IE/FireFox browser, you will configure a proxy bypass for this 'redirect host'.  The 'redirect host' should resolve to an IP address on the PA device but it should not be mgmt IP address.

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!