NTML authentcation for Captive Portal

Showing results for 
Search instead for 
Did you mean: 

NTML authentcation for Captive Portal

Not applicable

Hi All,

I am looking for ways to configure Captive portal policy with NTLM authentication.

I have read a good number of PDFs from Palo alto but still unable to understand how do i configure it.

In short i need to know how do we configure NTLM authentication for captive portal for both Palo alto integreted hardware user agent and software user agent.

The last revision that are available on the net is "how to configure captive portal portal" is for PAN OS 4.0 and we are using PAN OS 6.0 and some of the settings are missing in PAN OS 6.0.

Anybody knows how to do it ?




Cyber Elite
Cyber Elite

Hi Arjun

First you will need to enable captive portal under Device > user identification > captive portal settings

- please note the authentication method does not matter as this is NOT used for the ntlm authentication


secondly you will need to configure a captive portal policy that dictates which traffic can/needs to be intercepted to perform ntlm authentication, and set it to browser-challenge


and third, make sure the "enable user identification" is enabled on the source zone:


Then, depending on the choice of a software agent or agentless deployment you need to add some additional configuration

In the case of a software agent you need to enable the ntlm authentication option, this proxies the ntlm request to the software agent


and that should be it for this option

In the case of an agentless deployment more settings are required:

1. The deviceconfig needs to be set so the PA has it's domain configured in device > setup > general settings, and is using the internal DNS in Device > setup > services

2. There needs to be a server added to the "server monitoring" section of device > user identification > user mapping


3. In the Palo Alto Network User ID Agent Setup, a valid WMI authentication account needs to be added and the NTLM section needs to be filled out (please not "username" is simply the username, no domain). All the other tabs can be disabled



that should do it, hope this helps


Tom Piens

Hi Tpiens,

Thank you very much for the reply.

One question though.

"The deviceconfig needs to be set so the PA has it's domain configured in device > setup > general settings"

what does the device domain name  got to do with agentless deployment for NTLM authentication.



In the configuration, a valid WMI authentication account needs to be added.

Device should be in a domain, to go for WMI authentication (domain\wmi_user)


Rahul Singh

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!