Captive Portal with VASCO SMS OTP


Hello folks,

I hope everyone is doing well. I have been stumped over this issue that I am trying to find an effective solution for. One of our customers has requested the need to verify Guest Wireless Users that connect to the network via a Cisco Wireless LAN Controller. What they want to do is force the Guest Wireless users to register their phone number so that they may receive a One Time Password so that they can use the company's Internet, and most importantly have the user's name set to the phone number so that it may be logged on the Palo Alto.

I have some ideas that may have some flaws, so if someone could point me in the right direction it would be much appreciated. I have set up User-ID so all Domain Users access the Internet depending on their user-id. This is working flawlessly at the moment, along with GlobalProtect. So obviously any of the wireless guest users that access the Internet will not have a user-id, as they do not have domain accounts. So I would be able to force them through to the captive portal and have the Captive Portal authenticate with the Vasco SMS OTP server.

However, from what I have seen, I am unable to add additional fields to the captive portal other than User/Password. Is there any possibility of adding a custom attribute so that it may be relayed to the Vasco server? Is there any way this can be done with only the PA and VASCO RADIUS server?

So basically, is there any way that I can force users through the captive portal and have the Palo Alto send User-Attributes to the RADIUS server so that a challenge-response can be initiated back to the user?

Or is the only solution to configure 802.1X on the switch and configure Dynamic VLAN Assignment on the WLC, and have them authenticate with the Vasco directly before accessing the PA?

If anyone could provide me with their two cents I would forever be in your debt.

Best Regards


Hi Barghouthi,

If you want SMS OTP sent by Vasco to your guest users, somehow you should have already created your user database on the Vasco database (or users should already reside in Identikey's backend database). Therefore just passing some User-Attributes from the Captive Portal page to Vasco's Identikey won't be enough. There is the question of who manages the guest user provisioning process.

For those purposes, Vasco's RADIUS solution Identikey offers a mini web site called "OTP Request Site", available during the installation. When you deploy Identikey at your customer, you can modify the Captive Portal response page to include some descriptive text instructing guest users to visit that particular URL, letting them do their self-service account creation (if this is their first use of the customer network), enter their mobile number, request OTP over SMS, etc. (from Guest-Zone; to OTP-Request-Server; application web-browsing; should be allowed by the policy on your fw). Then, guest users can submit their own-created username and SMS OTP to our Captive Portal prompt and get authenticated by Identikey over RADIUS. FW admins of your customer never deal with creating/deleting users.

Attached is sample code for a modified Captive Portal page. I modified an existing sample. I don't have much expertise in HTML code, therefore you'd better get it formatted more elegantly by someone who knows HTML better than me.

Rgrds,

Hakan Unsal
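The flow described in the reply, as an added stand-alone model (not the poster's attachment and not Identikey's code): self-service registration on the OTP Request Site with the phone number as the username, SMS delivery of a code, and the RADIUS-side check the captive portal's Access-Request resolves to. The OTP lifetime, digit count, `OtpStore` class and `sms_gateway` stub are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumption: a delivered code is valid for 5 minutes
OTP_DIGITS = 6         # assumption: 6-digit numeric codes


class OtpStore:
    """Stands in for Identikey's backend user database (assumption)."""

    def __init__(self, sms_gateway):
        self.users = {}          # username -> phone number
        self.pending = {}        # username -> (sha256 of OTP, issued-at)
        self.sms = sms_gateway   # callable(phone, message); constructed stub

    def register(self, phone):
        """OTP Request Site step: guest creates their own account.
        Username == phone number, so User-ID logs show the number."""
        if phone in self.users:
            return False
        self.users[phone] = phone
        return True

    def request_otp(self, username, now=None):
        """OTP Request Site step: issue a fresh code and send it over SMS.
        Unprovisioned usernames get nothing, which is the reply's point."""
        if username not in self.users:
            return False
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = (hashlib.sha256(otp.encode()).hexdigest(), now)
        self.sms(self.users[username], f"Your guest Wi-Fi code: {otp}")
        return True

    def verify(self, username, otp, now=None):
        """RADIUS step: accept only a fresh, unused code for a known user.
        The code is consumed on any attempt, so a wrong guess burns it too."""
        now = time.time() if now is None else now
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        digest, issued = entry
        if now - issued > OTP_TTL_SECONDS:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(otp.encode()).hexdigest())
```

Provisioning, single use and expiry are the three checks the captive portal alone cannot provide, which is why the reply routes guests through the OTP Request Site first.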
