PaloAlto 3rd party captive portal integration


L0 Member

Hi! First of all, sorry if this question is explained anywhere else; I've dedicated a few hours to browsing docs and posts but I cannot find a proper answer. I work for a company that deploys hotspot solutions on premises using different hardware solutions. It turns out that we need to integrate a Paloalto appliance into our solution. Our approach is basically this:

 

  1. Firewall intercepts traffic for non-authenticated users
  2. User is redirected via an HTTP 302 redirect to our portal (it can be placed in the WAN zone so it can be reached by the Paloalto firewall)
  3. A web form is presented so the user validates himself. If the credentials are valid (they are located internally on a RADIUS server), then control must be returned to the Paloalto firewall
  4. The Paloalto firewall should now try to authenticate the user via RADIUS with the credentials provided in point (3)
  5. RADIUS replies with an Access-Accept, so a Session-Start should be sent from Paloalto to the RADIUS server (accounting starts)

So here there are my questions: 

  1. Is this approach feasible? I understand that points (1) and (2) are easily configurable as a redirect Captive Portal with web form authentication...
  2. How must our captive portal inform Paloalto that the credentials are valid so that Paloalto starts the RADIUS authentication? Some manufacturers implement a special login URL, others use a proprietary protocol, but I cannot find detailed information about the whole workflow.

Thanks a lot in advance for your help.

 

Kind Regards 

Fernando E. 


L7 Applicator

Hi @fenriquez

 

This is possible in two different ways, but not with point 3 of your list:


@fenriquez wrote:

Paloalto firewall should try to authenticate now the user with the credentials provided before in point (3) via Radius


The authentication needs to be done on your portal only. Otherwise, if the firewall also has to authenticate the user, he would need to log in again on the firewall's own captive portal, which is not really possible since you redirect the user to your portal first.

 

But that's not a problem. The ways it will work are the following:

  1. Syslog: your captive portal server sends syslog messages containing the source IP and the username to the firewall. The firewall then parses these messages and adds the IP-to-user mappings to its local user table.
  2. API: as soon as a user has successfully logged in, your captive portal server adds the IP-to-user mapping over an API call to the firewall.

For both ways, your captive portal needs to be placed in the internal network, or at least before any NAT is applied, because otherwise your captive portal cannot send the actual client IP to the firewall and the whole setup will not work. In addition, when the syslog message is sent or the API call is made, you need to check whether a small delay is required before your captive portal redirects the user to the URL that the user actually tried to open.

 

Regards,

Remo

 

PS: Sorry for this question, but if this works like that and in the background the authentication is done with RADIUS, why should a paloalto customer pay for your solution when the firewall already has this capability out of the box?
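The two mechanisms in the reply above, the User-ID syslog message and the User-ID XML API call, as an added example that is not part of the original thread and not Palo Alto's own code. It builds the `<uid-message>` login payload the PAN-OS User-ID XML API expects (`type=user-id`), builds an alternative syslog line whose field layout is this example's own (the firewall-side syslog parser must be configured to match it), and refuses to map any address outside the pre-NAT client range, which is the failure mode the reply warns about. `FIREWALL_HOST`, `API_KEY`, `CA_FILE` and `INTERNAL_PREFIX` are placeholders, and the sample username and IP in the usage call are constructed.

```python
"""Push an IP-to-user mapping to a PAN-OS firewall after a captive-portal
login succeeds.  Added example; not from the thread or from Palo Alto.

Assumptions (not taken from the page):
  - FIREWALL_HOST, API_KEY and CA_FILE are placeholders for a real deployment.
  - INTERNAL_PREFIX is the pre-NAT client range the portal actually sees.
  - The firewall exposes the User-ID XML API (POST /api/ with type=user-id).
  - The syslog line format below is this example's own; the firewall's
    User-ID syslog parser has to be configured with a matching regex.
"""
import ipaddress
import ssl
import urllib.parse
import urllib.request
from xml.sax.saxutils import quoteattr

FIREWALL_HOST = "fw.example.internal"            # assumption
API_KEY = "REPLACE_WITH_USERID_ROLE_KEY"         # assumption: key of an admin limited to the User-ID role
CA_FILE = "/etc/ssl/firewall-ca.pem"             # assumption: CA that signed the firewall's API cert
INTERNAL_PREFIX = ipaddress.ip_network("10.20.0.0/16")  # assumption: pre-NAT client range


def client_ip_is_mappable(ip: str) -> bool:
    """A mapping only works if the address the portal saw is the client's real
    (pre-NAT) address, i.e. the one the firewall will see on the client's flows."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr in INTERNAL_PREFIX


def build_uid_message(username: str, ip: str, timeout_min: int = 60) -> str:
    """Return the User-ID XML API 'login' payload mapping ip -> username.
    timeout_min lets the mapping expire on its own if the portal never
    sends a logout, so a stale mapping cannot outlive the session."""
    if not client_ip_is_mappable(ip):
        raise ValueError(f"{ip} is outside {INTERNAL_PREFIX}; refusing to map a NAT/public address")
    if not 1 <= timeout_min <= 1440:
        raise ValueError("timeout must be between 1 and 1440 minutes")
    # quoteattr() XML-escapes the values and wraps them in quotes, so a
    # username containing < > & or quotes cannot break out of the attribute.
    return (
        "<uid-message><version>1.0</version><type>update</type><payload><login>"
        f"<entry name={quoteattr(username)} ip={quoteattr(ip)} timeout=\"{timeout_min}\"/>"
        "</login></payload></uid-message>"
    )


def build_syslog_line(username: str, ip: str) -> str:
    """Alternative to the API: one syslog line carrying the same mapping.
    The field names are this example's own (assumption); the firewall's
    syslog parser would be set up to extract user= and src= from it."""
    if not client_ip_is_mappable(ip):
        raise ValueError(f"{ip} is outside {INTERNAL_PREFIX}; refusing to map a NAT/public address")
    return f"hotspot-portal: login-success user={username} src={ip}"


def push_mapping(username: str, ip: str, timeout_min: int = 60,
                 host: str = FIREWALL_HOST, api_key: str = API_KEY,
                 ca_file: str = CA_FILE) -> str:
    """POST the mapping to the firewall over TLS and return the raw response.
    TLS verification stays on: the firewall cert is checked against CA_FILE
    rather than disabled, since the API key travels in the request body."""
    body = urllib.parse.urlencode({
        "type": "user-id",
        "key": api_key,
        "cmd": build_uid_message(username, ip, timeout_min),
    }).encode()
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        text = resp.read().decode()
    # PAN-OS answers <response status="success"> on an accepted update.
    if 'status="success"' not in text:
        raise RuntimeError(f"firewall rejected the mapping: {text}")
    return text


if __name__ == "__main__":
    # Constructed sample values; push_mapping() needs a reachable firewall.
    print(build_uid_message("acme\\jdoe", "10.20.5.7", 30))
    print(build_syslog_line("jdoe", "10.20.5.7"))
```

The portal should call `push_mapping()` (or emit the syslog line) before it issues the final redirect, and send the corresponding `<logout>` payload when the hotspot session ends; the `timeout` attribute is the safety net for sessions that end without a logout. Use an API key tied to an admin role that can only update User-ID mappings, not a superuser key, and keep certificate verification enabled even though firewalls commonly ship with self-signed certificates: install the firewall's CA in `CA_FILE` instead.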

OK, I see the picture: once you send the syslog trace, the PaloAlto firewall allows the user to access the Internet.

 

Regarding why to use our solution instead of the integrated portal: the picture I depicted is a simplified one. Our client wants a "complicated" authorization mechanism which involves sending an email to someone who must then allow another person via SMS.

 

Thanks a lot for your help. 


@fenriquez wrote:

Regarding why to use our solution instead of the integrated portal: the picture I depicted is a simplified one. Our client wants a "complicated" authorization mechanism which involves sending an email to someone who must then allow another person via SMS.


Now I understand 😉
