Captive Portal not working for Untrust to Trust connection


L1 Bithead

I have a requirement to validate users from the Internet (Untrust) when they connect to the internal (Trust) network. I followed all the steps in the Admin Guide and elsewhere for setting up Captive Portal, but somehow it is not working. Just to be sure, I followed the same steps for Trust to Untrust and it works as expected. So I'm perplexed whether this is possible at all for my requirement (Untrust to Trust) or whether I'm missing something. Any help or suggestion will be greatly appreciated.


L6 Presenter

Do you have an "Interface Management Profile" applied to your "Untrust" Zone?  Without this being applied captive portal won't kick-off.

 

I pulled this from the contextual help menu:

 

"Response Pages—Use to enable response pages for:

Captive Portal—The ports used to serve Captive Portal response pages are left open on Layer 3 interfaces: port 6080 for NTLM, 6081 for Captive Portal without an SSL/TLS Server Profile, and 6082 for Captive Portal with an SSL/TLS Server Profile. For details, see Device > User Identification > Captive Portal Settings.

URL Admin Override—For details, see Device > Setup > Content-ID."

Thanks a lot for your response. I was missing the User-ID check on the Untrust zone. After enabling it, it is working like a charm. Appreciate your help on this. Have a good one!


@sbaghel wrote:

Thanks a lot for your response. I was missing the User-ID check on the Untrust zone. After enabling it, it is working like a charm. Appreciate your help on this. Have a good one!


I'd be careful with this setting:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0

 

"Resolution

  • Only enable User-ID on trusted zones

By only enabling User-ID on internal and trusted zones, there is no exposure of these services to the Internet, which helps to keep this service protected from any potential attacks.  If User-ID and WMI probing are enabled on an external untrusted zone (such as the Internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID Agent service account name, domain name, and encrypted password hash.  This information has the potential to be cracked and exploited by an attacker to gain unauthorized access to protected resources.  For this important reason, User-ID should never be enabled on an untrusted zone."

@sbaghel,

The attack surface that @Brandon_Wertz pointed out is drastically reduced if you disable WMI probing, which really isn't recommended to have enabled anymore anyway unless it's actually needed within your environment.
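A way to check a firewall for the two conditions this thread turns on (User-ID enabled on a zone that is not trusted, and an interface in such a zone carrying a management profile that serves the Captive Portal response pages) is to audit the exported XML configuration. The script below is an added example, not from the thread or from Palo Alto Networks. The element names it parses (`zone/entry/enable-user-identification`, `profiles/interface-management-profile/entry/response-pages`, `interface/ethernet/entry/layer3/interface-management-profile`) follow the PAN-OS XML config layout as I understand it and are an assumption to verify against your own `show config running` export; the sample config it runs on is constructed to mirror the original poster's setup. It does not inspect the WMI probing toggle of the User-ID agent, since that setting's config path is not on this page.

```python
"""Audit a PAN-OS XML config for User-ID and Captive Portal exposure on
zones that are not explicitly trusted.

Added example, not from the thread or from Palo Alto Networks. The element
names used below follow the PAN-OS XML config layout as I understand it;
verify them against your own 'show config running' export (assumption).
"""
import xml.etree.ElementTree as ET

# Ports the contextual help quoted in the thread lists as left open for
# Captive Portal response pages. Handy for an external port scan of the
# Untrust interface to confirm nothing listens there after the fix.
CAPTIVE_PORTAL_PORTS = {
    6080: "NTLM",
    6081: "Captive Portal without SSL/TLS Server Profile",
    6082: "Captive Portal with SSL/TLS Server Profile",
}

# Constructed sample config (not a real export): reproduces the thread's
# problem state, where User-ID was enabled on 'untrust' and the Untrust
# interface carries a management profile that serves response pages.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles><interface-management-profile>
        <entry name="cp-pages"><response-pages>yes</response-pages></entry>
        <entry name="mgmt-only"><ping>yes</ping></entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>cp-pages</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/2"><layer3>
          <interface-management-profile>cp-pages</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/3"><layer3>
          <interface-management-profile>mgmt-only</interface-management-profile>
        </layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1"><zone>
      <entry name="untrust">
        <network><layer3><member>ethernet1/1</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="trust">
        <network><layer3><member>ethernet1/2</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry>
      <entry name="dmz">
        <network><layer3><member>ethernet1/3</member></layer3></network>
      </entry>
    </zone></entry></vsys>
  </entry></devices>
</config>"""


def _yes(elem):
    """PAN-OS encodes booleans as the text 'yes'/'no' inside an element."""
    return elem is not None and (elem.text or "").strip().lower() == "yes"


def audit_config(config_xml, trusted_zones):
    """Return findings that violate 'only enable User-ID on trusted zones'.

    userid_on_untrusted:         zones outside trusted_zones with User-ID on
    response_pages_on_untrusted: (zone, interface, profile) tuples where an
                                 interface in an untrusted zone is bound to a
                                 management profile exposing response pages
    """
    root = ET.fromstring(config_xml)
    trusted = set(trusted_zones)

    # Which interface management profiles expose the response pages.
    exposes_pages = {}
    profiles_node = root.find(".//profiles/interface-management-profile")
    if profiles_node is not None:
        for prof in profiles_node.findall("entry"):
            exposes_pages[prof.get("name")] = _yes(prof.find("response-pages"))

    # Which management profile each Layer 3 Ethernet interface is bound to.
    iface_profile = {}
    for iface in root.iterfind(".//interface/ethernet/entry"):
        bound = iface.findtext("layer3/interface-management-profile")
        if bound:
            iface_profile[iface.get("name")] = bound.strip()

    findings = {"userid_on_untrusted": [], "response_pages_on_untrusted": []}
    for zone in root.iterfind(".//zone/entry"):
        name = zone.get("name")
        if name in trusted:
            continue
        if _yes(zone.find("enable-user-identification")):
            findings["userid_on_untrusted"].append(name)
        for member in zone.iter("member"):
            iface = (member.text or "").strip()
            prof = iface_profile.get(iface)
            if prof and exposes_pages.get(prof):
                findings["response_pages_on_untrusted"].append((name, iface, prof))
    return findings


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG, trusted_zones={"trust"})
    for zone in result["userid_on_untrusted"]:
        print(f"User-ID enabled on untrusted zone {zone!r}: disable it")
    for zone, iface, prof in result["response_pages_on_untrusted"]:
        print(f"{iface} in untrusted zone {zone!r} uses profile {prof!r}, which "
              f"serves response pages on ports {sorted(CAPTIVE_PORTAL_PORTS)}")
```

Run it against a saved `show config running` export by replacing `SAMPLE_CONFIG` with the file contents and passing your real trusted zone names; on the sample it reports only the `untrust` zone, while `trust` (also User-ID enabled) is skipped because it is in the trusted set and `dmz` is clean. Whether the Untrust-to-Trust authentication requirement itself is the right use of Captive Portal is a separate question the thread leaves open.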

Thanks a lot for bringing this risk to my notice. So, to understand this correctly, am I looking at the wrong solution (Captive Portal) for authenticating external users on Palo Alto firewalls? If not, then is CP supposed to work without enabling User-ID on the Untrust interface?

@BPry Thanks for the suggestion. Can you help me with the setting to disable WMI probing, or to check its status, on the interface?
