11-26-2024 02:14 PM
We are in an environment where we have captive portal (with MS SSO) but users are able to get around the authentication redirects via VPN.
We'd like to ensure that the only traffic that is allowed by unauthenticated users on this network is traffic that is redirected to captive portal and cannot be bypassed.
Would we just be looking at placing 2 rules higher up
1 - Desired network + unknown user + web-browsing = allowed
2 - Desired network + unknown user + all = block
?
11-27-2024 10:14 AM
Hello,
Not sure on the answer, however the captive portal is used for User-ID to IP mapping. If the PAN already knows the mapping, it will not prompt the user for a captive portal.
I used to have an environment where I used USER-ID on all my policies, and if the users didn't have a mapping, they got a very restrictive URL filtering policy applied to them. This was done by security policies however.
Hope this helps.
11-27-2024 10:22 AM
Thanks, I do know that and it's only being applied to unknown users. They do currently hit a restrictive URL policy as well when unknown, but this does not stop them from being able to bypass captive portal as that only applies to HTTP(S). Going to give the 2 rules a try to ensure only HTTP is allowed until the user is known, which should be enough to ensure only captive portal can trigger without other traffic.
11-27-2024 11:16 AM
Hello,
You could put in another policy that blocks traffic not related to http(s) and DNS since it's required for those unknown users.
Just a thought.
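A simplified first-match model of the rule ordering discussed in this thread, added here as an example; it is not part of any post and is not PAN-OS code. It compares the two proposed rules with a variant that also permits DNS and HTTPS for unknown users. The zone name `guest`, the user `alice`, and the sample flows are constructed, and the application labels are used only as match strings.

```python
# Simplified top-down, first-match policy model (not PAN-OS itself).
# Zone name, user name and sample flows are constructed for illustration.
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    zone: str
    user: str        # "unknown" = source IP has no User-ID mapping
    apps: frozenset
    action: str

@dataclass(frozen=True)
class Flow:
    zone: str
    user: str        # "" means no mapping exists yet
    app: str

def evaluate(rules, flow):
    """Return (rule name, action) for the first rule that matches the flow."""
    for r in rules:
        user_ok = r.user == ANY or (r.user == "unknown" and flow.user == "")
        app_ok = ANY in r.apps or flow.app in r.apps
        if r.zone == flow.zone and user_ok and app_ok:
            return r.name, r.action
    return "later-rules", "continue"   # falls through to the rest of the rulebase

def ruleset(allowed_apps):
    """Allow rule for unknown users, followed by a block-everything rule."""
    return [
        Rule("unknown-allow", "guest", "unknown", frozenset(allowed_apps), "allow"),
        Rule("unknown-block", "guest", "unknown", frozenset({ANY}), "deny"),
    ]

TWO_RULES = ruleset({"web-browsing"})               # as first proposed
WITH_DNS = ruleset({"web-browsing", "ssl", "dns"})  # http(s) plus DNS

FLOWS = {  # constructed sample traffic
    "http":  Flow("guest", "", "web-browsing"),
    "dns":   Flow("guest", "", "dns"),
    "vpn":   Flow("guest", "", "open-vpn"),
    "known": Flow("guest", "alice", "open-vpn"),
}

def verdicts(rules):
    return {name: evaluate(rules, f)[1] for name, f in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("two rules", TWO_RULES), ("with dns/ssl", WITH_DNS)):
        print(label, verdicts(rules))
```

In this model the VPN flow from an unmapped address is denied under both rule sets, while DNS for that address is permitted only in the second.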