01-02-2020 08:08 AM
I have a requirement to validate users from Internet (untrust) when connecting to the Internal (trust) network. I followed all steps marked in the Admin guide and elsewhere for setting up captive portal, but somehow it is not working. Just to be sure, I followed the same steps for Trust to Untrust and it is working as expected. So I'm perplexed whether this is possible at all for my requirement (Untrust to Trust) or I'm missing something. Any help or suggestion will be greatly appreciated.
01-02-2020 09:18 AM
Do you have an "Interface Management Profile" applied to your "Untrust" Zone? Without this being applied captive portal won't kick-off.
I pulled this from the contextual help menu:
"Response Pages—Use to enable response pages for:
Captive Portal—The ports used to serve Captive Portal response pages are left open on Layer 3 interfaces: port 6080 for NTLM, 6081 for Captive Portal without an SSL/TLS Server Profile, and 6082 for Captive Portal with an SSL/TLS Server Profile. For details, see Device > User Identification > Captive Portal Settings.
URL Admin Override—For details, see Device > Setup > Content-ID."
01-03-2020 07:35 AM
Thanks a lot for your response. I was missing the User-ID check on the untrust zone. After enabling the same it is working like a charm. Appreciate your help on this. Have a good one!!!!
01-03-2020 12:52 PM
@sbaghel wrote: Thanks a lot for your response. I was missing the User-ID check on the untrust zone. After enabling the same it is working like a charm. Appreciate your help on this. Have a good one!!!!
I'd be careful with this setting:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0
"Resolution
By only enabling User-ID on internal and trusted zones, there is no exposure of these services to the Internet, which helps to keep this service protected from any potential attacks. If User-ID and WMI probing are enabled on an external untrusted zone (such as the Internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID Agent service account name, domain name, and encrypted password hash. This information has the potential to be cracked and exploited by an attacker to gain unauthorized access to protected resources. For this important reason, User-ID should never be enabled on an untrusted zone."
01-03-2020 01:48 PM
The attack surface that @Brandon_Wertz pointed out is drastically reduced if you disable WMI probing, which really isn't recommended to have enabled anymore anyway unless it's actually needed within your environment.
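The thread turns on two settings: an Interface Management Profile with Response Pages enabled on the interface that serves Captive Portal (the answer above), and User-ID being enabled on a zone, which the KCS article warns against on untrust zones. The script below is an added example, not from this thread or from Palo Alto Networks: it audits an exported PAN-OS configuration for both conditions at once, so you can see which zones can actually serve Captive Portal and which untrusted zones have User-ID switched on. The XML paths (`interface-management-profile/entry/response-pages`, `zone/entry/enable-user-identification`, and the interface-to-profile binding) are my reading of the PAN-OS running-config layout and are an assumption to check against your own export; the embedded config, zone names and profile names are constructed for the example.

```python
"""Audit a PAN-OS config export for Captive Portal readiness and User-ID on untrust zones.

Added example (not from the thread or from Palo Alto Networks).  The XML paths are an
assumption about the PAN-OS running-config layout; verify them against your own export.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS config export, trimmed to the elements the audit reads.
# Zone, interface and profile names are made up for this example.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <profiles>
          <interface-management-profile>
            <entry name="cp-pages">
              <response-pages>yes</response-pages>
              <ping>yes</ping>
            </entry>
            <entry name="ping-only">
              <ping>yes</ping>
            </entry>
          </interface-management-profile>
        </profiles>
        <interface>
          <ethernet>
            <entry name="ethernet1/1">
              <layer3><interface-management-profile>cp-pages</interface-management-profile></layer3>
            </entry>
            <entry name="ethernet1/2">
              <layer3><interface-management-profile>ping-only</interface-management-profile></layer3>
            </entry>
          </ethernet>
        </interface>
      </network>
      <vsys>
        <entry name="vsys1">
          <zone>
            <entry name="untrust">
              <network><layer3><member>ethernet1/1</member></layer3></network>
              <enable-user-identification>yes</enable-user-identification>
            </entry>
            <entry name="trust">
              <network><layer3><member>ethernet1/2</member></layer3></network>
              <enable-user-identification>yes</enable-user-identification>
            </entry>
          </zone>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""


def response_page_profiles(root):
    """Names of management profiles that have Response Pages enabled."""
    return {
        prof.get("name")
        for prof in root.iterfind(".//interface-management-profile/entry")
        if prof.findtext("response-pages") == "yes"
    }


def interface_profiles(root):
    """Map each layer-3 ethernet interface to the management profile bound to it."""
    mapping = {}
    for iface in root.iterfind(".//network/interface/ethernet/entry"):
        prof = iface.findtext("layer3/interface-management-profile")
        if prof:
            mapping[iface.get("name")] = prof
    return mapping


def audit(config_xml, untrust_zones):
    """One finding per zone.

    captive_portal_ready: a member interface serves response pages AND User-ID is on.
    user_id_on_untrust: User-ID is on for a zone the caller lists as untrusted (the
    exposure the KCS article describes, worst when WMI probing is also enabled).
    """
    root = ET.fromstring(config_xml)
    rp_profiles = response_page_profiles(root)
    iface_prof = interface_profiles(root)
    findings = []
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        name = zone.get("name")
        members = [m.text for m in zone.iterfind("network/layer3/member")]
        serves_pages = any(iface_prof.get(m) in rp_profiles for m in members)
        user_id = zone.findtext("enable-user-identification") == "yes"
        findings.append({
            "zone": name,
            "captive_portal_ready": serves_pages and user_id,
            "user_id_on_untrust": user_id and name in untrust_zones,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, {"untrust"}):
        print(f)
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents and passing the set of zone names you treat as external; any zone flagged `user_id_on_untrust` is the case the KCS article describes, and the mitigation the thread lands on is to keep WMI probing off if User-ID must stay enabled there.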
01-03-2020 11:36 PM
Thanks a lot for bringing this risk to my notice. So, to understand this correctly, am I looking at the wrong solution (captive portal) for authenticating external users on Palo Alto firewalls? If not, is CP supposed to work without enabling User-ID on the Untrust interface?
01-03-2020 11:39 PM
@BPry Thanks for the suggestion. Can you help me with the setting to disable or check WMI probing status on the interface?