Captive Portal w/2FA in Azure



L3 Networker

Hi All -

Hopefully I make this clear.  

 

What I'm looking to do is set up Captive Portal with a push notification in Azure AD.  I can't seem to find any documentation around this, can someone give me the general steps or point me to existing documentation?

 

Thanks in advance. 


So the Azure guy set it up, but then made me the owner so I can edit as needed.  I think the part that isn't clicking in my head is right now I have the CP running through GlobalProtect.

 

If I click on Test in Azure, I get the push notification on my phone, I click approve, and then the browser opens a new tab with the Palo logo on the tab and it says 502 Bad Gateway, and the URL is https://website:6082/SAML20/SP/ACS

 

The link listed in Network > GlobalProtect > Portals > MY_Portal > Agent is https://website:6082

 

I think this is doable, I just haven't found any good instructions on how to do this.

 

FYI, I really appreciate your time in speaking with me.

@RobertShawver 

 

You use GP for CP when the destination port is not 443.

We use the CP for any traffic on port 3389.

MP

Apologies, but I don't know how that helps me.

Hello,

While I do not know if this is possible, I do find it intriguing. I know the captive portal page can be modified, but I'm not sure if it can be modified to the extent of what you are looking for. Perhaps an SSO or SAML solution would work if you already have one?

 

Just throwing out ideas.

 

Regards,

L1 Bithead

@RobertShawver Did you ever get success with this?  I am trying to set this up as well.

This should get you pretty close:

Set up GlobalProtect
  Add the new captive portal to the portal agent configuration - Network > GlobalProtect > Portals > GP_Portal > Agent
  Alias to point to VLAN 961. Example: server.mfa.company.com 10.10.10.10

Set up Azure
  Basic SAML Configuration (example)
    Identifier (Entity ID): https://server.mfa.company.com:6082/SAML20/SP
    Reply URL (Assertion Consumer Service URL): https://server.mfa.company.com:6082/SAML20/SP/ACS
  Federation Metadata XML: Download

Set up Palo Alto
  SAML Identity Provider
    Device > Server Profiles > SAML Identity Provider > Import
  Authentication Profile
    Device > Authentication Profile > Add
    Type = SAML
    IDP Server Profile = SAML Identity Provider created above
    Username Attribute = username
    Advanced Tab > Allow List = all
  Authentication
    Objects > Authentication > Add
    Authentication Method = web-form
    Authentication Profile = Authentication Profile created above
  Policy
    Policies > Authentication > Pre Rules > Add
    Action Tab > Authentication Enforcement = Authentication Object created above

 

Let me know if you have any questions.
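The Azure and Palo Alto values in the steps above have to agree exactly (same host, port 6082, and the SAML20/SP and SAML20/SP/ACS paths), and the error reported later in this thread shows how easy it is to type them in differently. The script below is an added example, not code from the thread or from Palo Alto Networks or Microsoft: it derives the Entity ID and Reply URL for a given captive portal host, parses the Federation Metadata XML downloaded from the Azure enterprise app for the IdP entity ID, SSO endpoints and signing certificate, and reports any difference (including a case difference) between what was entered in Azure and what the firewall will send. The hostnames, tenant ID, metadata document and certificate text are constructed placeholders.

```python
"""Added example, not from the thread: cross-check the SAML values on the Azure
side against what the PAN-OS captive portal will present. Hostnames, the tenant
ID, the metadata document and the certificate text are constructed placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Paths taken from the Entity ID / ACS URL in the thread; 6082 is the
# captive-portal redirect port that both the 502 error and the Azure config use.
SP_PATH = "SAML20/SP"
ACS_PATH = "SAML20/SP/ACS"
DEFAULT_PORT = 6082


def sp_identifiers(host, port=DEFAULT_PORT):
    """Values to enter under Azure > Basic SAML Configuration for this portal host."""
    base = f"https://{host}:{port}"
    return {"entity_id": f"{base}/{SP_PATH}", "acs_url": f"{base}/{ACS_PATH}"}


def check_sp_identifiers(entity_id, acs_url, host, port=DEFAULT_PORT):
    """Compare the values configured in Azure with what the firewall sends.
    Returns a list of human-readable problems; an empty list means they match."""
    expected = sp_identifiers(host, port)
    problems = []
    for label, key, configured in (("Identifier (Entity ID)", "entity_id", entity_id),
                                   ("Reply URL (ACS)", "acs_url", acs_url)):
        want = expected[key]
        if configured == want:
            continue
        before = len(problems)
        u, w = urlsplit(configured), urlsplit(want)
        if u.scheme != w.scheme:
            problems.append(f"{label}: scheme is {u.scheme!r}, firewall uses {w.scheme!r}")
        if u.hostname != w.hostname:
            problems.append(f"{label}: host is {u.hostname!r}, portal host is {w.hostname!r}")
        if u.port != w.port:
            problems.append(f"{label}: port is {u.port}, captive portal redirect port is {w.port}")
        if u.path != w.path:
            kind = "case" if u.path.lower() == w.path.lower() else "path"
            problems.append(f"{label}: {kind} differs, got {u.path!r}, firewall sends {w.path!r}")
        if len(problems) == before:  # differs in some other component (query, fragment)
            problems.append(f"{label}: {configured!r} differs from expected {want!r}")
    return problems


def parse_idp_metadata(xml_text):
    """Extract IdP entity ID, SSO endpoints and signing certs from the Federation
    Metadata XML; these are what the firewall's SAML IdP server profile imports."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not an IdP metadata document")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        sso[binding] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' covers both uses
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def review(host, azure_entity_id, azure_acs_url, metadata_xml, port=DEFAULT_PORT):
    """One-shot check of both sides before clicking Test in Azure."""
    idp = parse_idp_metadata(metadata_xml)
    problems = check_sp_identifiers(azure_entity_id, azure_acs_url, host, port)
    if not ({"HTTP-POST", "HTTP-Redirect"} & set(idp["sso"])):
        problems.append("IdP metadata has no HTTP-POST or HTTP-Redirect SSO endpoint")
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate")
    return {"firewall_sends": sp_identifiers(host, port), "idp": idp, "problems": problems}


# Constructed stand-in for the Azure download (placeholder tenant ID and cert).
SAMPLE_AZURE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIICconstructedPlaceholderNotARealCert=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    # Lower-case path typed into Azure, as in the AADSTS700016 message in this thread.
    result = review("cp.domain.com", "https://cp.domain.com:6082/saml20/sp",
                    "https://cp.domain.com:6082/SAML20/SP/ACS", SAMPLE_AZURE_METADATA)
    for p in result["problems"]:
        print("PROBLEM:", p)
    print("Firewall sends:", result["firewall_sends"])
    print("IdP SSO endpoints:", result["idp"]["sso"])
```

Run it with the real Federation Metadata XML and the values copied from the Azure app's Basic SAML Configuration; an empty problem list means the Entity ID, Reply URL and host all line up with what the captive portal will present on port 6082, and the IdP section shows the entity ID and SSO URL the firewall's SAML Identity Provider profile should have picked up from the import.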


Thank you RobertShawver! I appreciate the help. When you mentioned adding the new captive portal to the portal agent configuration, where do I put that? Is that under the App tab of the portal agent configuration? My guess is under Trusted MFA Gateways as described in Step 6, item 3, from the following document: Configure GlobalProtect to Facilitate Multi-Factor Authenti... (paloaltonetworks.com). Piecing things together from different places.

 

Another question:     server.mfa.company.com, does that have to externally resolve?  The azureadminblog post seemed to indicate you only need internal, but someone told me it needs to be external for azure to talk to it.

 

Thanks

"Is that under the App tab of the portal agent configuration?" - You got it.

"server.mfa.company.com, does that have to externally resolve? " - Mine does not, but your mileage may vary.  I'd say try it internal first.

L1 Bithead

@RobertShawver Getting close, but not there yet. For browser-based applications I get redirected over HTTP to Azure, but after trying to authenticate I get AADSTS700016 Application with identifier 'https://cp.domain.com:6082/saml20/sp' was not found in the directory... Also, I'm not getting the notification from GlobalProtect when attempting non-browser-based. Appreciate any help.

 

Thanks, Chris

Hey Chris -

I'll admit that troubleshooting without seeing your setup is a bit of a challenge.

 

Configure Multi-Factor Authentication (paloaltonetworks.com)

What I did was follow these instructions but with these caveats:

Step 2: Add a SAML IDP

Step 3: Skip this step (this is why it took me so long to get this going, it took me awhile to figure out that I needed to skip step 3.)

 

I suspect you may have the same issue as I seem to remember that error you spoke about.
