12-13-2018 12:19 PM
Hi! First of all, sorry if this question is answered anywhere else; I've spent a few hours browsing docs and posts but cannot find a proper answer. I work for a company that deploys hotspot solutions on premises using different hardware solutions. It turns out that we need to integrate a Palo Alto appliance into our solution. Our approach is basically this:
So here are my questions:
Thanks a lot in advance for your help.
Kind Regards
Fernando E.
12-13-2018 12:51 PM
Hi @fenriquez
This is possible in 2 different ways, but not with point 3 of your list:
@fenriquez wrote: The Palo Alto firewall should now try to authenticate the user with the credentials provided before in point (3) via RADIUS
The authentication needs to be done on your portal only; otherwise, if the firewall also has to authenticate the user, he needs to log in again on the firewall's captive portal, which is not really possible as you redirect the user to your portal first.
But that's not a problem. The ways it will work are the following:
For both ways, your captive portal needs to be placed in the internal network, or at least before any NAT is applied, because otherwise your captive portal cannot send the actual client IP to the firewall and the whole setup will not work. In addition, when the syslog is sent or the API call is made, you need to check whether a small delay is required before your captive portal redirects the user to the URL that the user originally tried to open.
Regards,
Remo
PS: Sorry for this question, but if it works like that and the authentication is done with RADIUS in the background, why should a Palo Alto customer pay for your solution when the firewall already has this capability out of the box?
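The two integration paths the reply describes (the portal sending the firewall a syslog message, or making a User-ID API call once the user has passed the portal's own authorization) and the requirement that the portal see the client's real, un-NATed IP can be shown in a small portal-side helper. The code below is an added example, not code from the thread or from Palo Alto Networks. The `<uid-message>` login payload and the `type=user-id` API request are the firewall's documented User-ID XML API format; the client subnet, firewall hostname, API key and the syslog line layout are constructed placeholders for this example, and the subnet guard is our own check rather than anything the firewall requires.

```python
import ipaddress
import urllib.parse
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Constructed assumptions for this example: the hotspot client range the portal serves,
# and placeholder firewall hostname / API key (not real values).
CLIENT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
FIREWALL_HOST = "firewall.example.test"   # placeholder
API_KEY = "PLACEHOLDER-API-KEY"           # placeholder


def check_client_ip(client_ip: str) -> str:
    """Refuse addresses outside the hotspot client range (our own guard, an assumption).

    If the portal sits behind NAT, every request appears to come from the NAT gateway;
    mapping that address to one user would grant access to every client behind it.
    """
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in CLIENT_SUBNETS):
        raise ValueError(f"{client_ip} is outside the client range; is the portal behind NAT?")
    return str(addr)


def build_uid_login_xml(username: str, client_ip: str, timeout_minutes: int = 60) -> str:
    """Build the PAN-OS User-ID XML API 'login' message mapping client_ip to username.

    <uid-message><payload><login><entry name ip timeout/> is the User-ID API payload
    format; timeout is in minutes and expires the mapping on the firewall.
    """
    addr = check_client_ip(client_ip)
    if timeout_minutes < 1:
        raise ValueError("timeout must be at least one minute")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=username, ip=addr, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def build_api_url(xml_message: str, host: str = FIREWALL_HOST, api_key: str = API_KEY) -> str:
    """Way 1: the portal sends the mapping to the firewall's XML API (type=user-id).

    The key is placed in the query string for brevity; the API also accepts it as a
    request header, which keeps it out of access logs.
    """
    query = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_message})
    return f"https://{host}/api/?{query}"


def build_syslog_line(username: str, client_ip: str, when: datetime = None) -> str:
    """Way 2: the portal emits a syslog line and the firewall's User-ID syslog parser
    (a parse profile configured to match this layout; the layout is our assumption)
    extracts the username and IP from it.
    """
    addr = check_client_ip(client_ip)
    when = when or datetime.now(timezone.utc)
    return f"{when.isoformat()} hotspot-portal: LOGIN user={username} ip={addr}"


if __name__ == "__main__":
    # Constructed sample: the portal has just finished its email/SMS authorization flow.
    message = build_uid_login_xml("fernando", "10.10.3.7", timeout_minutes=30)
    print(build_api_url(message))
    print(build_syslog_line("fernando", "10.10.3.7"))
    # Only after the firewall has accepted the mapping (allow for the small delay the
    # reply mentions) should the portal redirect the user to the URL they first requested.
```

Either message must be sent before the portal redirects the browser; if the mapping has not been applied yet, the first request after the redirect will still hit the firewall's captive-portal rule.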
12-13-2018 08:50 PM
OK, I see the picture: once you send the syslog trace, the Palo Alto firewall allows the user to access the Internet.
Regarding why to use our solution instead of the integrated portal: the picture I depicted is a simplified one. Our client wants a "complicated" authorization mechanism which involves sending an email to someone who must then allow another one via SMS.
Thanks a lot for your help.
12-13-2018 09:56 PM
@fenriquez wrote: Regarding why to use our solution instead of the integrated portal: the picture I depicted is a simplified one. Our client wants a "complicated" authorization mechanism which involves sending an email to someone who must then allow another one via SMS.
Now I understand 😉