Captive Portal w/2FA in Azure



Hi All -

Hopefully I make this clear.  


What I'm looking to do is set up Captive Portal with a push notification in Azure AD.  I can't seem to find any documentation around this, can someone give me the general steps or point me to existing documentation?


Thanks in advance. 

Accepted Solution

This should get you pretty close:

Set up GlobalProtect
Add the new captive portal to the portal agent configuration - Network > GlobalProtect > Portals > GP_Portal > Agent
Alias to point to VLAN 961. Example: server.mfa.company.com 10.10.10.10

Set up Azure
Basic SAML Configuration

Example
Identifier (Entity ID) https://server.mfa.company.com:6082/SAML20/SP
Reply URL (Assertion Consumer Service URL) https://server.mfa.company.com:6082/SAML20/SP/ACS
Federation Metadata XML Download

Set up Palo Alto:
SAML Identity Provider
Device > Server Profiles > SAML Identity Provider > Import
Authentication Profile
Device > Authentication Profile > Add
Type = SAML
IDP Server Profile = SAML Identity Provider created above
Username Attribute = username
Advanced Tab > Allow List = all
Authentication
Objects > Authentication > Add
Authentication Method = web-form
Authentication Profile = Authentication Profile created above
Policy
Policies > Authentication > Pre Rules > Add
Action Tab > Authentication Enforcement > Authentication Object created above


Let me know if you have any questions.

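The accepted solution has two places where a typo silently breaks the flow: the Federation Metadata XML you import into the SAML Identity Provider server profile, and the Identifier / Reply URL you type into the Azure enterprise app. The script below is an added example written for this thread (it is not Palo Alto or Microsoft code): it parses the downloaded metadata with the standard library, pulls out the three things the PAN-OS import needs (IdP entity ID, HTTP-Redirect SSO URL, signing certificate), and checks that the SP values match the captive-portal endpoints the accepted solution uses (https, port 6082, /SAML20/SP and /SAML20/SP/ACS, same firewall host for both). The embedded metadata is constructed: the tenant ID is all zeros and the certificate body is a base64 placeholder, not a real certificate.

```python
"""Sanity-check Azure AD federation metadata and the SP values before the import.

Added example, not from the thread and not Palo Alto or Microsoft code.
Only the standard library is used. SAMPLE_METADATA is constructed: the tenant
ID is all zeros and the X509Certificate body is a placeholder, not a real cert.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CP_PORT = 6082               # port PAN-OS serves the captive portal SAML SP on
SP_ENTITY_PATH = "/SAML20/SP"
SP_ACS_PATH = "/SAML20/SP/ACS"

# Constructed sample in the shape Azure AD emits; not real tenant data.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return {'entity_id', 'sso_url', 'signing_certs'} or raise ValueError.

    The signing certificate is what the firewall uses to verify the signature
    on the SAML response, so metadata without one is rejected here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP)")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_url = svc.get("Location")
    if not sso_url or urlsplit(sso_url).scheme != "https":
        raise ValueError("no https HTTP-Redirect SingleSignOnService")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys are not used to verify responses
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((c.text or "").split())
            base64.b64decode(b64, validate=True)  # raises on a corrupt blob
            certs.append(b64)
    if not certs:
        raise ValueError("no signing certificate; PAN-OS cannot verify responses")

    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "signing_certs": certs}


def check_sp_endpoints(identifier, reply_url):
    """Problems with the Identifier / Reply URL entered in the Azure app.

    Both must name the firewall interface the captive portal listens on, over
    https on CP_PORT, with the SP paths PAN-OS serves. An empty list means the
    pair matches what the accepted solution uses.
    """
    problems = []
    ident, reply = urlsplit(identifier), urlsplit(reply_url)
    for label, u in (("Identifier", ident), ("Reply URL", reply)):
        if u.scheme != "https":
            problems.append("%s must be https" % label)
        if u.port != CP_PORT:
            problems.append("%s must use port %d" % (label, CP_PORT))
    if ident.path != SP_ENTITY_PATH:
        problems.append("Identifier path must be %s" % SP_ENTITY_PATH)
    if reply.path != SP_ACS_PATH:
        problems.append("Reply URL path must be %s" % SP_ACS_PATH)
    if ident.hostname != reply.hostname:
        problems.append("Identifier and Reply URL must name the same firewall host")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID :", info["entity_id"])
    print("SSO URL       :", info["sso_url"])
    print("signing certs :", len(info["signing_certs"]))
    host = "server.mfa.company.com"   # the alias from the accepted solution
    print(check_sp_endpoints("https://%s:6082/SAML20/SP" % host,
                             "https://%s:6082/SAML20/SP/ACS" % host))
```

Run it against the real metadata file instead of SAMPLE_METADATA before doing Device > Server Profiles > SAML Identity Provider > Import. One caveat the steps above do not spell out: nothing on the firewall produces the Authenticator push. The captive portal only redirects the browser to the SSO URL; whether Azure AD challenges for a second factor is decided on the Azure side, so the enterprise app needs a Conditional Access policy (or per-user MFA) that requires MFA, otherwise the user is returned after password only.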

25 REPLIES


@MP18 I found that one, but there are parts that don't make sense to me.

Like

"Next lets create an authentication profile that will be used in our captive portal, navigate to Objects > Authentication and press “Add”:"

Set the following values and press ok:

Name: Anything you like!
Authentication Method: Browser-challenge (doesn’t really matter here as the request will be redirected to Azure-AD anyway)
Authentication Profile: The Azure-AD authentication profile we set up in the previous section
Message: Leave default- users will not see this anyway.


But then I don't see how that ties into anything?

@MP18 It also says:

In our case we want to point that to an FQDN that users using an internal DNS server will resolve to an internal interface on the firewall. For example https://internal.azureadmin.co.uk:6082/SAML20/SP which would resolve to an internal interface on the firewall (such as 192.168.100.1). The port number here is the port the Palo Alto hosts its captive portal service on when enabled.

Reply URL (Assertion Consumer Service URL):
This is the URL that Azure will send the user back to after the SAML authentication process completes, in our case we can use the same URL as the Identifier- for example- https://internal.azureadmin.co.uk:6082/SAML20/SP


Use the same reply URL? That doesn't seem right?

Hello,

One thing to remember with Captive Portal is that it's used only for matching a user to an IP address for mapping. If a user is already known, the portal will not be presented to the user.

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/user-id-concepts/user-mapping/capt...

Hope that makes sense.

@RobertShawver 


For CP you export the cert from Azure to the PA.

Yes, the Identity Provider SSO URL is the same as in Azure.


Regards

MP


@MP18 @OtakarKlier 

Here is what I'm hoping will happen.  User crosses from one zone to another and is presented with the CP.  User puts in username and password and then gets a push notification to their phone via Microsoft Authenticator.  User clicks "approve" and the CP process completes.  All internal.

 

Currently, I have CP set up so that the user crosses from one zone to another and is presented with the CP. User puts in username and password and the CP process completes.


Is what I'm hoping for possible?  Am I explaining it correctly?

@RobertShawver 

Yes, you are sharing correctly.


Regards

MP

Now the question is how.

@RobertShawver 


If you have not done any CP config then you can also check with your SE on how to do it.

Are you the one who will do configuration in Azure?


Also see this 

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/paloaltonetworks-captiveportal-tut...


Regards

MP