This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Captive Portal pop-ups for AD users

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Captive Portal pop-ups for AD users

Go to solution
ZEBIT
L3 Networker

‎01-13-2017 02:58 AM

We have a huge problem with the captive portal.

There is a connection between our PA500 and two Active Directory servers through the user-id agent.

In a day our employees (who use AD credentials on there computers) get 3 - 5 pop-ups to fill in there credentials in the captive portal in there browser. We don't have a clue why and our partner can't find any solutions.

The moment they get this captive-portal I checked through CLI that our firewall knows who is behind the IP and there we see unknown.

We have a policy that an unknown user can't access the internet without authenticating with there Active Directory account.

 

I hope the community van help me out.

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to ZEBIT

‎01-16-2017 12:35 AM

@ZEBIT wrote:

My two AD servers have the User-Id agents installed

Where I can find that caching? Does it need to be enabled?

Where can I find probing?

Screenshot of the User-ID settings on my AD servers

 

image.png

as displayed in your screenshot, your timeout is set to 45 minutes which means that the mapping is removed unless a new logon event is detected within the 45 minute timeframe

 

in a normal environment a user will log on in the morning and may not require another logon event for a long time, so those 45 minutes may be a little too short. Unless you have many roaming users and several access levels i'd recommend setting the timeout to 540 minutes, which is an average working day. that way your users log on in the morning and have access throughout the day. additionally you can enable probing which will verify every x minutes if a user is still logged on, and remove the mapping if the user is logged off or the IP is no longer used by the workstation

 

2017-01-16_09-34-37.png2017-01-16_09-36-02.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

0 Likes Likes
9 REPLIES 9

Go to solution
reaper
Cyber Elite
Cyber Elite

‎01-13-2017 04:45 AM

Hi There

 

how is the AD UserID set up? are you using agents or agentless

did you enable User Identification Timeout (on the cache tab)? this will remove a mapping after x minutes, if you have this set up, you will want to increase the idle time (in an average office environment with not a lot of 'roaming' clients, a timeout of 9 hours is recommended)

 

is probing enabled ?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Go to solution
ZEBIT
L3 Networker
In response to reaper

‎01-13-2017 07:02 AM - edited ‎01-13-2017 07:11 AM

My two AD servers have the User-Id agents installed

Where I can find that caching? Does it need to be enabled?

Where can I find probing?

Screenshot of the User-ID settings on my AD servers

 

image.png

0 Likes Likes

Go to solution
JDominguez
L2 Linker
In response to ZEBIT

‎01-13-2017 07:32 AM

Open up you agent, that on the AD server changes these settings in the "Setup"uidagent.JPG

 

0 Likes Likes

Go to solution
JDominguez
L2 Linker
In response to JDominguez

‎01-13-2017 07:34 AM

Also do you have just one agent instance and that one agent "talks" to the secondary AD?

 

or do you have two seperate Agents running individually on the respective AD's and those 2 Agents talk back to the PANW fw?

0 Likes Likes

Go to solution
ZEBIT
L3 Networker
In response to JDominguez

‎01-15-2017 11:05 PM

Each AD has its own agent and talks with the PAN fw.

0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to ZEBIT

‎01-16-2017 12:35 AM

@ZEBIT wrote:

My two AD servers have the User-Id agents installed

Where I can find that caching? Does it need to be enabled?

Where can I find probing?

Screenshot of the User-ID settings on my AD servers

 

image.png

as displayed in your screenshot, your timeout is set to 45 minutes which means that the mapping is removed unless a new logon event is detected within the 45 minute timeframe

 

in a normal environment a user will log on in the morning and may not require another logon event for a long time, so those 45 minutes may be a little too short. Unless you have many roaming users and several access levels i'd recommend setting the timeout to 540 minutes, which is an average working day. that way your users log on in the morning and have access throughout the day. additionally you can enable probing which will verify every x minutes if a user is still logged on, and remove the mapping if the user is logged off or the IP is no longer used by the workstation

 

2017-01-16_09-34-37.png2017-01-16_09-36-02.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Go to solution
ZEBIT
L3 Networker
In response to reaper

‎01-16-2017 03:24 AM

I configured my settings like you example on the user-id agents.

It is not any problem that every ad server runs his own user-id agent and connect with the firewall?

0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to ZEBIT

‎01-16-2017 05:20 AM

for the probing to work you need to make sure your clients accept the probes, make sure the client firewalls are set to allow netbios/wmi

 

it is not a problem that you set up 2 agents, I would even recommend having 2 just in case one fails. You may want to consider having both agents read from both AD's so they have overlapping information, also in case one agent were to fail (so there is full redundancy), the firewall will automatically use one agent as primary and keep the second as backup

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Go to solution
MRosloniec
L3 Networker

‎01-17-2017 09:17 AM

There's some great comments here on this thread.  One additional comment I can make that I personally get value out of is the session monitoring feature.  I would suggest enabling that as well.  

 

Also, I am no kerberos / windows / AD authentication expert, but processing this through my mind, I would think you would want to make sure that there is a regular cadence of a client/server exchange that takes place on a shorter time interval than your User-ID timeout.  I believe this would register an authentication event on the AD server thus transparently renewing the User/IP mapping in the client.

 

Another thing you could try is doing NTLM authentication through Captive Portal.  I tested this a bit in my infrastructure and got mixed results in regards to transparency, but it was on older versions of PanOS so that may have been the problem.  Of my positive results in testing NTLM, the captive portal page displayed momentarily but then NTLM passed the user's credentials through and automatically mapped the users.

 

Lastly, if you have PKI in your environment, you could use those certs to identify users through captive portal as well.  I really like this method of doing captive portal, however the one major drawback is that there is no fail-safe or manual login option should a client fail to have the proper cert for one reason or another.  We actually floated the idea of not using the UserID agents at all, and strictly forcing Captive Portal for all users, using cert base authentication.  Unfortunately it was that lack of having a manual authentication option that forced us to pull the plug on that initiative.  It may be more sensible in a smaller organization though.  We have 25,000+ clients that connect to our network so that introduced it's own host of problems.

  • 1 accepted solution
  • 5401 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks