Captive Portal - identify user with certificate

Showing results for 
Search instead for 
Did you mean: 

Captive Portal - identify user with certificate

L1 Bithead

Hello everybody.

I have a question regarding captive portal user identification.

As everybody know user like Mac, iPhone, Android are difficult to identify and manage without insert credential in captive portal.

For wireless policy in all my company device I've installed a user certificate who grant wireless access. i would like to use it for user identification in captive portal.

I've tried to configure my PA-2050 4.0.5  like "How to configure captive portal" guide scenario 3.

The problem is:

  1. if I set under User identification the client cerficate and the authentication profile (if a client don't have certificate can insert credential in captive portal) the browser goes wrong.
  2. if i set only authentication profile everything is well.

I've got an internal CA. I've imported the ca certificate on PA and created the client certificate profile.

How can help me?


Since you dont have any vlans at all (just a physical lan) and probably wont be able to change how the access network looks like my idea was something like:

1) A regular interface, for example (which you add in dhcp as default gw so regular clients will use as default gw to reach Internet or whatever and before they are let out they must use the captive portal).

2) A subinterface (or another physical interface),, which the ssl-vpn clients would connect to.

Its the last part which im not sure if its possible to accomplish on a PA (due to ip range collissions and such).

As sdarapuneni said if you enable both captive portal and ssl-vpn on the same interface then the PA will force both to be valid (meaning ssl-vpn users would still get a captive portal).

Im thinking if it would be possible to trick PA into this support by using vrouter and/or dnat/snat in combination?

A workaround could be if you setup something like:

1) for regular clients (captive portal) on int1.

2) for ssl-vpn clients on int2.

Connect both to your access network and in the dhcp put up static leases based on mac address.

This way a regular client will get a 192.168.0.x ip and as default gw and your known ipad (etc) clients gets a 10.0.0.x ip and as default gw. Because this ip "separation" isnt a true separation (they are all on the same vlan anyway) the only way for a client who gets a 10-ip to reach internet is either to auth using ssl-vpn OR go through and use the captive portal - either way they must authenticate in order to leave your access network.

Of course this doesnt fulfill any demands regarding strong auth (since you use captive portal) but your case doesnt seem to involve being 100% sure of who did what (because in order to use captive portal your access network must be secured/hardedened aswell like using protected vlan so clients cannot steal each other ip/mac addresses and such but also since if a user gets hold of another users login/pass they will use that instead of their own) but rather make it easier for your trusted clients to use your access network.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!