This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to configure Captive Portal NTLM auth?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to configure Captive Portal NTLM auth?

randomcamden
Not applicable

‎02-07-2011 12:37 PM

I have a customer who has AD and is using the UserAgent sucessfully.

However, many users are not always logged in, or are using corporate hardware, so aren't logged in.

I want to configure Captive Portal for non-logged in users that uses NTLM to authenticate users from the AD.


I've found a few KnowledgePoint articles that come close (using RADIUS), but I just want to call the AD to authenticate (maybe using the existing User Agent?).

I can't figure out the settings for the Authentication Profile...none of LocalDb/RADIUS/LDAP seem to fit..

Can someone let me know the steps for doing this?

Labels:
0 Likes Likes
4 REPLIES 4

bpappas
L6 Presenter

‎02-07-2011 12:48 PM

captive portal using NTLM auth with redirect mode to an L3 interface of the firewall will do this for you.

don't forget to create a captive portal policy that uses the NTLM auth method!!!

-Benjamin

gswcowboy
L6 Presenter

‎02-07-2011 12:59 PM

LDAP server profile for AD should work with the authentication profile you'll need for Captive Portal. It's the same as the Radius with the exception of an additional 'Logon Attribute' field. For AD, you'll utilize 'sAMaccountName.'

Check your Captive Portal Settings:

NTLM authentication agent: One User Agent is used to proxy request to AD and it should be chosen based on its proximity to the PAN FW

Auth Profile - Choose the Auth Profile previously created

You'll eventually configure the Captive Portal Policy which specifies what form of user detection should be used for a given unknown user session:

1) no-captive-portal: the session remains unknown

2) captive-portal: Use Web Form based user detection

3) ntlm-auth: attempt NTLM authentication. If that fails, attempt web form based mapping.

I'm not sure if you've found these already but just to be sure. The Radius setup doc is similar to what you can do for LDAP over AD.

https://live.paloaltonetworks.com/docs/DOC-1410

https://live.paloaltonetworks.com/docs/DOC-1040

Hope this helps.

-Renato    

randomcamden
Not applicable
In response to gswcowboy

‎02-07-2011 01:10 PM

Thanks Guys...

Re this part..

"Check your Captive Portal Settings:

NTLM authentication agent: One User Agent is used to proxy request to AD and it should be chosen based on its proximity to the PAN FW"

I understand pointing at the existing PAN Agent, but what should I use as the Hostname? I don't get what this part does.

0 Likes Likes

gswcowboy
L6 Presenter
In response to randomcamden

‎02-07-2011 01:21 PM

It relies on an http 302 redirect to a host in the client computers local zone. This is the host name used in the 302 reply. It is not in the form of a FQDN. This host name must resolve to an IP on an L3 interface or the mgt interface of the PAN firewall.

  • 5166 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks