Captive Portal - identify user with certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Captive Portal - identify user with certificate

L1 Bithead

Hello everybody.

I have a question regarding captive portal user identification.

As everybody know user like Mac, iPhone, Android are difficult to identify and manage without insert credential in captive portal.

For wireless policy in all my company device I've installed a user certificate who grant wireless access. i would like to use it for user identification in captive portal.

I've tried to configure my PA-2050 4.0.5  like "How to configure captive portal" guide scenario 3.

The problem is:

  1. if I set under User identification the client cerficate and the authentication profile (if a client don't have certificate can insert credential in captive portal) the browser goes wrong.
  2. if i set only authentication profile everything is well.

I've got an internal CA. I've imported the ca certificate on PA and created the client certificate profile.

How can help me?

1 accepted solution

Accepted Solutions

Erik,

As per the current design, you cannot have both configured and still use only one of them. If you have certificates and an auth profile, it will be a 2-form authentication: you authenticate using a cert and also need to authenticate using username/password. If you want to use only certificates, leave the auth profile empty.

If you need the functionality of able to configure both and use only one form of authentication, please contact your SE to file a feature request. Hope this information was helpful.

Thanks,

Sri

View solution in original post

10 REPLIES 10

L6 Presenter

This is a document for utilizing client cert for ssl-vpn authentication but should be good for CP as well. Hope it helps but feel free to update this thread if you need further assistance.

https://live.paloaltonetworks.com/docs/DOC-1934

Regards,

Renato    

Seen it. Unfortunately I get the error described above.

L4 Transporter

Can you please elaborate on the errors that you receive?  Also, have you tried using a different browser with the captive portal?

"If a client doesn't have a cert" ---> Could you please clarify? I am under the assumption, the client has the cert and thus should get the two-factor authentication from the PAN.

Not applicable

I think the problem he is having is the same as me... I want to use the captive portal with username/password for devices WITHOUT a certificate.  Example: say we have a presenter/visitor come into our building and they need internet access - they will hit the portal where we can give them a username and password.  But we want our other corporate devices like ipads, iphones, androids, etc to get on automatically by having the cert... so they don't have to enter their credentials each day.  Is there a way to do this?

Erik,

As per the current design, you cannot have both configured and still use only one of them. If you have certificates and an auth profile, it will be a 2-form authentication: you authenticate using a cert and also need to authenticate using username/password. If you want to use only certificates, leave the auth profile empty.

If you need the functionality of able to configure both and use only one form of authentication, please contact your SE to file a feature request. Hope this information was helpful.

Thanks,

Sri

Cannot one setup two interfaces (connected to each zone) where one interface is the regular captive portal (and default gw) and the other is ssl-vpn which your own devices (ipads etc) will connect directly to?

And then in the security rules you set this as srczone: zone_portal, zone_vpn

Yes, make two different VLANs... one for guests, and the other for employees...  You can use captive portal for the guest network/subnet/vlan, and then use something different on your internal network. 

jvalentine,  Our school district's networking equipment is ancient - the Palo Alto is one of two L3 devices on our network.  I have very little experience with vlans, given our 15+ year old cisco switches as the majority of our network.  I'm all ears if you want to let me know how to set it up though Smiley Happy

Mikand - I don't know what you mean... I would plug in two cables from my network into the Palo Alto and have two separate gateways?  I'd love to hear more...

Thanks for the responses... sorry to hijack a thread.  Smiley Happy

I started my own thread about this here: https://live.paloaltonetworks.com/message/18846#18846

Thanks,

Erik

Since you dont have any vlans at all (just a physical lan) and probably wont be able to change how the access network looks like my idea was something like:

1) A regular interface, for example 192.168.0.254/24 (which you add in dhcp as default gw so regular clients will use 192.168.0.254 as default gw to reach Internet or whatever and before they are let out they must use the captive portal).

2) A subinterface (or another physical interface), 192.168.0.253/??, which the ssl-vpn clients would connect to.

Its the last part which im not sure if its possible to accomplish on a PA (due to ip range collissions and such).

As sdarapuneni said if you enable both captive portal and ssl-vpn on the same interface then the PA will force both to be valid (meaning ssl-vpn users would still get a captive portal).

Im thinking if it would be possible to trick PA into this support by using vrouter and/or dnat/snat in combination?

A workaround could be if you setup something like:

1) 192.168.0.254/24 for regular clients (captive portal) on int1.

2) 10.0.0.254/24 for ssl-vpn clients on int2.

Connect both to your access network and in the dhcp put up static leases based on mac address.

This way a regular client will get a 192.168.0.x ip and 192.168.0.254 as default gw and your known ipad (etc) clients gets a 10.0.0.x ip and 10.0.0.254 as default gw. Because this ip "separation" isnt a true separation (they are all on the same vlan anyway) the only way for a client who gets a 10-ip to reach internet is either to auth using ssl-vpn OR go through 192.168.0.254 and use the captive portal - either way they must authenticate in order to leave your access network.

Of course this doesnt fulfill any demands regarding strong auth (since you use captive portal) but your case doesnt seem to involve being 100% sure of who did what (because in order to use captive portal your access network must be secured/hardedened aswell like using protected vlan so clients cannot steal each other ip/mac addresses and such but also since if a user gets hold of another users login/pass they will use that instead of their own) but rather make it easier for your trusted clients to use your access network.

  • 1 accepted solution
  • 6546 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!