NTLM authentication for Captive Portal


Hi All,

I am looking for ways to configure Captive portal policy with NTLM authentication.

I have read a good number of PDFs from Palo Alto but am still unable to understand how to configure it.

In short, I need to know how to configure NTLM authentication for captive portal for both the Palo Alto integrated hardware user agent and the software user agent.

The last revision that is available on the net, "how to configure captive portal", is for PAN OS 4.0, and we are using PAN OS 6.0, and some of the settings are missing in PAN OS 6.0.

Does anybody know how to do it?

regards,

ARJUN DAS

3 REPLIES

Cyber Elite

Hi Arjun

First, you will need to enable captive portal under Device > User Identification > Captive Portal Settings.

- Please note the authentication method does not matter, as this is NOT used for the NTLM authentication.


Secondly, you will need to configure a captive portal policy that dictates which traffic can/needs to be intercepted to perform NTLM authentication, and set it to browser-challenge.


And third, make sure that "enable user identification" is enabled on the source zone.


Then, depending on the choice of a software agent or agentless deployment, you need to add some additional configuration.

In the case of a software agent, you need to enable the NTLM authentication option; this proxies the NTLM request to the software agent.


and that should be it for this option

In the case of an agentless deployment more settings are required:

1. The deviceconfig needs to be set so the PA has its domain configured in Device > Setup > General Settings, and is using the internal DNS in Device > Setup > Services.


2. There needs to be a server added to the "Server Monitoring" section of Device > User Identification > User Mapping.


3. In the Palo Alto Networks User-ID Agent Setup, a valid WMI authentication account needs to be added and the NTLM section needs to be filled out (please note "username" is simply the username, no domain). All the other tabs can be disabled.


that should do it, hope this helps

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Tpiens,

Thank you very much for the reply.

One question though.

"The deviceconfig needs to be set so the PA has it's domain configured in device > setup > general settings"

What has the device domain name got to do with agentless deployment for NTLM authentication?

regards,

ARJUN DAS

In the configuration, a valid WMI authentication account needs to be added.

The device should be in a domain to go for WMI authentication (domain\wmi_user).

Regards,

Rahul Singh
