01-09-2013 11:34 AM
Has anyone got a configuration for captive portal on an incoming untrusted public IP NATed to a private internal address?
I need to authenticate incoming connections before they reach the internal server address.
Under captive portal I have the source as the public NAT address and the destination as the internal server address, and it does seem to work. The server can be reached from the Internet without any prompt for authentication?
thanks
rod
01-09-2013 05:31 PM
Hi Rod, if your intention is to prompt a CP login page for inbound connections from the internet to a system that you have created a destination NAT for, your Captive Portal policy would look like this:
source zone = Untrusted zone
source address = blank, or whatever public IP the traffic is coming from (if you want to be specific)
Destination Address = the public IP for your server on the inside (not the private address)
Service = the service you are exposing (http, https)
This will force any connections coming from the outside to that public address to be faced with a CP login. If the public address is shared with other systems on the inside, be careful to be specific with the Service on the CP policy.
Hope this helps
John
01-10-2013 01:41 AM
John, Thanks. That cleared things up.
I still can't get the system to present the redirected authentication login page. The documentation for Captive Portal hasn't been updated to PANOS 5 yet.
Rod
01-10-2013 03:11 PM
Below is a pretty good document with some details regarding Captive Portal, it has not changed very much since 4.0:
Starting on page 19 is how to configure. Use your traffic monitor to see which source and destination zones are used for the incoming connections for the server in question. Make sure your source and destination zones in your CP policy match what you see in the traffic log. Also, check the following:
Hope this helps
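The advice in the two replies above (match the pre-NAT public address, take the zones from the traffic log, and keep Service specific when the public IP is shared) can be checked mechanically. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed, simplified traffic-log layout (an assumption; real PAN-OS logs have more fields in a different order), derives the CP policy fields from what the log shows for a server's public IP, and evaluates records against that policy to show why a rule written with the private address never fires.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed, simplified traffic-log layout (assumption, not the real
# PAN-OS field order). 203.0.113.10 fronts two inside hosts; the last
# row is a different public IP and must not influence the policy.
SAMPLE_LOG = """\
src_zone,dst_zone,src_ip,dst_ip,nat_dst_ip,dst_port,app
untrust,untrust,198.51.100.7,203.0.113.10,10.0.0.5,443,ssl
untrust,untrust,198.51.100.8,203.0.113.10,10.0.0.5,80,web-browsing
untrust,untrust,198.51.100.9,203.0.113.10,10.0.0.5,443,ssl
untrust,untrust,198.51.100.9,203.0.113.10,10.0.0.6,25,smtp
untrust,untrust,198.51.100.4,203.0.113.20,10.0.0.7,443,ssl
"""

# Only web traffic can be intercepted by the CP login page.
SERVICE_PORTS = {80: "service-http", 443: "service-https"}


def parse_log(log_text):
    """Return the constructed log as a list of dict records."""
    return list(csv.DictReader(StringIO(log_text)))


def cp_policy_from_log(log_text, public_ip):
    """Build CP policy fields from the records seen for public_ip: the zone
    pairs actually logged, the pre-NAT public destination and the web
    services in use. shared_public_ip is True when more than one inside
    host sits behind the address, so Service must stay specific, not any."""
    rows = [r for r in parse_log(log_text) if r["dst_ip"] == public_ip]
    if not rows:
        raise ValueError(f"no traffic seen to {public_ip}")
    zone_pairs = sorted(Counter((r["src_zone"], r["dst_zone"]) for r in rows))
    services = sorted({SERVICE_PORTS[int(r["dst_port"])] for r in rows
                       if int(r["dst_port"]) in SERVICE_PORTS})
    return {
        "zone_pairs": zone_pairs,
        "destination_address": public_ip,  # public, never the private IP
        "service": services,
        "shared_public_ip": len({r["nat_dst_ip"] for r in rows}) > 1,
    }


def cp_policy_matches(policy, rec):
    """Check one record against a CP policy. The destination is compared
    with the pre-NAT address, so a rule written with the private server IP
    matches nothing and the server stays reachable without a login."""
    return ((rec["src_zone"], rec["dst_zone"]) in policy["zone_pairs"]
            and rec["dst_ip"] == policy["destination_address"]
            and SERVICE_PORTS.get(int(rec["dst_port"])) in policy["service"])
```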
01-11-2013 02:35 AM
John
Thanks for your help so far. I'm struggling with the concept of CP redirect and how the following statement translates to a working example:
"Make sure the host name or IP address you specify for the 'Redirect Host' is accessible to the public. If you use a host name, make sure it has a resolvable public DNS record."
Does this imply that the redirect host has to be an internal web server? Or does it mean an interface on the firewall, say for example the main firewall inside (trust) L3 interface?
If it's an internal web server, do I need to go through the normal procedure of creating a static NAT from the outside to the inside server IP for the captive portal bit?
I've added my current config to see if you or anyone else can clear this up. Thanks.
01-11-2013 04:51 PM
The redirect host will be an L3 interface on the firewall. Whether it's a trusted or untrusted interface depends on where the CP clients are coming from. In your case you want to use an untrusted interface, since your CP clients are coming from the outside. Also, your CP policy should have 'outside' for both your source and destination zones, since the destination address is your public IP.
07-18-2013 11:58 PM
Hi Support,
Regarding Captive Portal, my WiFi clients can use the Skype and GTalk applications without authenticating to Captive Portal. But when they browse http (or) https, the captive portal login page kicks in.
What I want is that every user has to authenticate at the Captive Portal login page first, and then can use the internet accordingly, even the Skype or GTalk applications.
regards,
zn
07-20-2013 06:40 AM
Captive portal will only work with web-based traffic: http and https (with decryption enabled).
07-21-2013 09:30 AM
That's correct, the CP intercept/logon page can only be displayed via a browser. You would need to deny Skype/GTalk for unknown users in your security policy and force the users to hit an http/https page before expecting any internet-dependent applications to function; this would force them to authenticate via CP before doing any web-based activity. This is usually how hotels do it.
07-21-2013 09:06 PM
Thanks zarina and jteetsel.
Hi jteetsel, how do I implement this for unknown users, to force them to authenticate via CP before expecting any internet-dependent applications to function? I would like to implement the hotel scenario.
Mine is a PA3020 running ver 5.0.
rgds,
zn
07-22-2013 05:29 PM
Hi Zn, the Palo Alto cannot force a user to open a browser and visit a site. We can only redirect the user to the CP login page if they do. You would need to inform the users to open a browser and sign in to CP.
Thanks
John