Captive Portal

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Captive Portal

L3 Networker

has anyone got configuration for captive portal on and incoming untrusted public ip  nat to private internal address.

i need to authenticate incoming connections before they reach the internal server address.

under captive portal I have the source as the public nat address and the destination as the internal server address and it does seem to work. The server can be reached from the Internet without any prompt for authentication?

thanks

rod

1 accepted solution

Accepted Solutions

L3 Networker

Hi Rod, If your intention is to prompt a CP login page for inbound connections from the internet to a system that you have created a destination nat for you Captive Portal policy would like like this:

source zone = Untrusted zone

source address = blank or whatever the public IP the traffic is comming from (if you want to be specific)

Destination Address = The Public IP for your server on the inside (not the private address)

Service = the service you are exposing (http,https)

This will force any connections coming from the outside to that public address to be faced with a CP login. If the public address is shared between other systems on the inside be careful to be specific with the Service on the CP policy

Hope this helps

John

View solution in original post

10 REPLIES 10

L3 Networker

Hi Rod, If your intention is to prompt a CP login page for inbound connections from the internet to a system that you have created a destination nat for you Captive Portal policy would like like this:

source zone = Untrusted zone

source address = blank or whatever the public IP the traffic is comming from (if you want to be specific)

Destination Address = The Public IP for your server on the inside (not the private address)

Service = the service you are exposing (http,https)

This will force any connections coming from the outside to that public address to be faced with a CP login. If the public address is shared between other systems on the inside be careful to be specific with the Service on the CP policy

Hope this helps

John

John, Thanks. That cleared things up.

I still can't get the system to present the redirected authentication login page. The documentation for Captive Portal hasn't been updated to PANOS 5 yet.

Rod

Below is a pretty good document with some details regarding Captive Portal, it has not changed very much since 4.0:

Starting on page 19 is how to configure. Use your traffic monitor to see which source and destination zones are used for the incoming connections for the server in question. Make sure your source and destination zones in your CP policy match what you see in the traffic log. Also, check the following:

  • Make sure captive portal is 'enabled' under Device > User Identification > Captive Portal Settings
  • Make sure that User ID is enabled on the source zone under Network > Zones (should be your untrusted zone in your case)
  • Make sure the host name or IP address you specify for the "Redirect Host" is accessible to the public. If you use a host name make sure it has a resolvable public DNS record
  • Make sure that the interface being used for the Redirect host is using a management profile that has response pages turned on ( Network > Interface Mgmt > Profile Name ) The interface profile is configured under Network > Interfaces > Interface Name > Advanced > Network Management Profile

Hope this helps

John

Thanks for your help so far. I'm strugling with the concept of CP redirect and how the following statement translates to a working example.

Make sure the host name or IP address you specify for the "Redirect Host" is accessible to the public. If you use a host name make sure it has a resolvable public DNS record


Does this imply that the redirect host has to be an internal web server? or does it mean an interface on the firwewall - say for example the main firewall inside (trust) L3 interface?


If it's an internal web server do I need to go through the normal procedure of creating a static nat from the out side to the inside server IP for the captive portal bit?


I've added my current config to see if you or anyone else can clear this up? thanks.



The redirect host will be an L3 interface on the firewall. Weather its a trusted or untrusted interface depends on where the CP clients are coming from. If your case you want to use an untrusted interface since your CP clients are coming from the outside. Also, in your CP policy should have 'outside' for both your source and destination zones since the destination address is your public IP.

Not applicable

Hi Support,

Regarding Captive Portal , my Wifi clients can use Skype & GTalk application without authenticated to Captive Portal.  But when to browse http (or) https, the captive port login page kicked in.

What I want is, every users have to authenticate at Captive Portal login page first, then can use internet accordingly even Skype or Gtalk applications.

regards,

zn

Captive portal will only with with web based traffic: http and https (with decryption enabled).

That’s correct, the CP intercept\logon page can only be displayed via a browser. You would need to deny Skype\Gtalk for unknown users in your security policy and force the users to hit a http\https page before expecting any internet dependent applications to function, this would force them to authenticate via CP before doing any web based type activity . This is usually how hotels do it.

Thanks zarina and jteetsel.

Hi jteetsel, how to implement unknown users t force them to authenticate via CP before expecting any internet dependent applications to function.  I would like to implement like hotels scenario.

My one is PA3020 & ver 5.0

rgds,

zn

Hi Zn, the Palo Alto cannot force a user to open a browser and visit a site. We can only redirect the user to the CP login page if they do. You would need to inform the users to open a browser and sign in to CP.

Thanks

John

  • 1 accepted solution
  • 10449 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!