How to configure Captive Portal NTLM auth?


I have a customer who has AD and is using the User Agent successfully.

However, many users are not always logged in, or are using corporate hardware, so aren't logged in.

I want to configure Captive Portal for non-logged in users that uses NTLM to authenticate users from the AD.


I've found a few KnowledgePoint articles that come close (using RADIUS), but I just want to call the AD to authenticate (maybe using the existing User Agent?).

I can't figure out the settings for the Authentication Profile... none of LocalDb/RADIUS/LDAP seem to fit.

Can someone let me know the steps for doing this?


L6 Presenter

Captive Portal using NTLM auth with redirect mode to an L3 interface of the firewall will do this for you.

Don't forget to create a Captive Portal policy that uses the NTLM auth method!!!

-Benjamin

L6 Presenter

LDAP server profile for AD should work with the authentication profile you'll need for Captive Portal. It's the same as the RADIUS one with the exception of an additional 'Logon Attribute' field. For AD, you'll utilize 'sAMAccountName'.

Check your Captive Portal Settings:

NTLM authentication agent: One User Agent is used to proxy requests to AD, and it should be chosen based on its proximity to the PAN FW.

Auth Profile - Choose the Auth Profile previously created

You'll eventually configure the Captive Portal Policy which specifies what form of user detection should be used for a given unknown user session:

1) no-captive-portal: the session remains unknown

2) captive-portal: Use Web Form based user detection

3) ntlm-auth: attempt NTLM authentication. If that fails, attempt web form based mapping.

I'm not sure if you've found these already, but just to be sure. The RADIUS setup doc is similar to what you can do for LDAP over AD.

https://live.paloaltonetworks.com/docs/DOC-1410

https://live.paloaltonetworks.com/docs/DOC-1040

Hope this helps.

-Renato

Thanks Guys...

Re this part:

"Check your Captive Portal Settings:

NTLM authentication agent: One User Agent is used to proxy requests to AD, and it should be chosen based on its proximity to the PAN FW"

I understand pointing at the existing PAN Agent, but what should I use as the Hostname? I don't get what this part does.

It relies on an HTTP 302 redirect to a host in the client computer's local zone. This is the host name used in the 302 reply. It is not in the form of an FQDN. This host name must resolve to an IP on an L3 interface or the mgmt interface of the PAN firewall.
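One way to sanity-check the redirect host described in the reply above, as an added example that is not part of this thread or of PAN-OS itself: the firewall interface addresses, the DNS answers and the 302 reply below are all constructed stand-ins, and the checks are the two rules stated above (single-label host name, resolving to an L3 or mgmt interface address).

```python
"""Check a Captive Portal NTLM redirect host against the rules in the thread.

Assumptions (not from the original post): the firewall interface addresses and
the DNS answers are supplied by the caller so the check runs offline, and the
302 reply is a constructed sample, not a real PAN-OS response.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample data: addresses bound to the firewall's L3/mgmt interfaces,
# a stub DNS table, and a 302 reply with a single-label redirect host.
FIREWALL_IPS = ["10.1.1.1", "192.0.2.1"]
STUB_DNS = {"cpfw": ["10.1.1.1"], "cpfw.corp.example": ["10.1.1.1"], "other": ["10.9.9.9"]}
SAMPLE_302 = "HTTP/1.1 302 Found\r\nLocation: http://cpfw/\r\nContent-Length: 0\r\n\r\n"


def stub_resolve(hostname: str) -> List[str]:
    """Stand-in for a DNS lookup; real code would query the client's resolver."""
    return STUB_DNS.get(hostname, [])


def parse_redirect_location(raw_reply: str) -> Optional[str]:
    """Return the Location header of a 302 reply, or None if it is not a 302."""
    status, _, headers = raw_reply.partition("\r\n")
    if " 302 " not in status:
        return None
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def check_redirect_host(location: str, resolve: Callable[[str], Iterable[str]],
                        firewall_ips: Iterable[str]) -> List[str]:
    """Return the list of problems found; an empty list means the host looks right."""
    problems: List[str] = []
    host = urlsplit(location).hostname
    if not host:
        return ["Location header has no host"]
    if "." in host:  # an FQDN is not treated as the local zone by the client
        problems.append(f"{host!r} is an FQDN; use a single-label host name")
    fw = {ipaddress.ip_address(ip) for ip in firewall_ips}
    answers = [ipaddress.ip_address(ip) for ip in resolve(host)]
    if not answers:
        problems.append(f"{host!r} does not resolve")
    elif not any(a in fw for a in answers):
        problems.append(f"{host!r} resolves to {[str(a) for a in answers]}, not an L3/mgmt interface")
    return problems
```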
