PAN-OS Web Interface Reference
    : Device > User Identification > Captive Portal Settings
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Web Interface Reference
    4. User Identification
    5. Device > User Identification > Captive Portal Settings
    Download PDF

    PAN-OS Web Interface Reference

    Device > User Identification > Captive Portal Settings

    Table of Contents
    End-of-Life (EoL)

    Device > User Identification > Captive Portal Settings

    Edit (
    ) the Captive Portal
    Settings to configure the firewall to authenticate users whose traffic matches an Authentication policy rule.
    If Captive Portal uses an SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile), authentication profile (Device > Authentication Profile), or Certificate Profile (Device > Certificate Management > Certificate Profile), then configure the profile before you begin. The complete procedure
    to configure Captive Portal requires additional tasks in addition to configuring these profiles.
    You must Enable Captive Portal to enforce Authentication policy (see Policies > Authentication).
    Field
    Description
    Enable Captive Portal
    Select this option to enable Captive Portal.
    Idle Timer (min)
    Enter the user time-to-live (TTL) value in minutes for a Captive Portal session (range is 1 to 1,440; default is 15). This timer resets every time there is activity from a Captive Portal user. If idle time for a user exceeds the Idle Timer value, PAN-OS removes the Captive Portal user mapping and the user must log in again.
    Timer (min)
    This is the maximum TTL in minutes, which is the maximum time that any Captive Portal session can remain mapped (range is 1 to 1,440; default is 60). After this duration elapses, PAN-OS removes the mapping and users must re-authenticate even if the session is active. This timer prevents stale mappings and overrides the Idle Timer value.
    You should always set the expiration Timer higher than the Idle Timer.
    SSL/TLS Service Profile
    To specify a firewall server certificate and the allowed protocols for securing redirect requests, select an SSL/TLS service profile (Device > Certificate Management > SSL/TLS Service Profile). If you select None, the firewall uses its local default certificate for SSL/TLS connections.
    In the SSL/TLS Service Profile, set the Min Version to TLSv1.2 and set the Max Version to Max to provide the strongest security against SSL/TLS protocol vulnerabilities. Setting the Max Version to Max ensures that as stronger protocols become available, the firewall always uses the latest version.
    To transparently redirect users without displaying certificate errors, assign a profile associated with a certificate that matches the IP address of the interface to which you are redirecting web requests.
    Authentication Profile
    You can select an authentication profile (Device > Authentication Profile) to authenticate users when their traffic matches an Authentication policy rule (Policies > Authentication). However, the authentication profile you select in the Captive Portal Settings applies only to rules that reference one of the default authentication enforcement objects (Objects > Authentication). This is typically the case right after an upgrade to PAN-OS 8.0 because all Authentication rules initially reference the default objects. For rules that reference custom authentication enforcement objects, select the authentication profile when you create the object.
    GlobalProtect Network Port for Inbound Authentication Prompts (UDP)
    Specify the port that GlobalProtect™ uses to receive inbound authentication prompts from multi-factor (MFA) gateways. (range is 1 to 65,536; default is 4,501). To support multi-factor authentication, a GlobalProtect endpoint must receive and acknowledge UDP prompts that are inbound from the MFA gateway. When a GlobalProtect endpoint receives a UDP message on the specified network port and the UDP message comes from a trusted firewall or gateway, GlobalProtect displays the authentication message (seeCustomize the GlobalProtect App
    ).
    Mode
    Select how the firewall captures web requests for authentication:
    • Transparent—The firewall intercepts web requests according to the Authentication rule and impersonates the original destination URL, issuing an HTTP 401 message to prompt the user to authenticate. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, only use this mode when absolutely necessary, such as in Layer 2 or virtual wire deployments.
    • Redirect—The firewall intercepts web requests according to the Authentication rule and redirects them to the specified Redirect Host. The firewall uses an HTTP 302 redirect to prompt the user to authenticate. The best practice is to use Redirect because it provides a better end-user experience (displays no certificate errors and allows session cookies that make browsing seamless because Redirect doesn’t remap when timeouts expire). However, it requires that you enable response pages on the Interface Management profile assigned to the ingress Layer 3 interface (for details, see Network > Network Profiles > Interface Mgmt and PA-7000 Series Layer 3 Interface).
    Another benefit of the Redirect mode is that it allows for session cookies, which enable the user to continue browsing to authenticated sites without requiring re-mapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they don’t need to re-authenticate when their IP address changes as long as the session stays open.
    Redirect mode is required if Captive Portal uses Kerberos SSO or NTLM authentication because the browser provides credentials only to trusted sites. Redirect mode is also required if Captive Portal uses multi-factor authentication (MFA).
    Session Cookie
    (Redirect mode only)
    • Enable—Select this option to enable session cookies.
    • Timeout—If you Enable session cookies, this timer specifies the number of minutes for which the cookie is valid (range is 60–10,080; default is 1,440).
      Set the timeout value short enough so that it doesn’t lead to stale user mapping entries in cookies but long enough to promote a good user experience by not prompting users to log in multiple times during a session. Start with a value less than or equal to 480 minutes (8 hours) and adjust the value as necessary.
    • Roaming—Select this option to retain the cookie if the IP address changes while the session is active (such as when the endpoint moves from a wired to a wireless network). The user must re-authenticate only if the cookie times out or the user closes the browser.
    Redirect Host
    (Redirect mode only)
    Specify the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests.
    If users authenticate through Kerberos single sign-on (SSO), the Redirect Host must be the same as the hostname specified in the Kerberos keytab.
    Certificate Profile
    You can select a Certificate Profile (Device > Certificate Management > Certificate Profile) to authenticate users when their traffic matches any Authentication policy rule (Policies > Authentication).
    For this authentication type, Captive Portal prompts the endpoint browser of the user to present a client certificate. Therefore, you must deploy client certificates to each user system. Furthermore, on the firewall, you must install the certificate authority (CA) certificate that issued the client certificates and assign the CA certificate to the Certificate Profile. This is the only authentication method that enables Transparent authentication for macOS and Linux endpoints.
    NTLM Authentication
    When you configure Captive Portal for NT LAN Manager (NTLM) authentication
    , the firewall uses an encrypted challenge-response mechanism to transparently obtain user credentials from the browser without prompting the user.
    To invoke NTLM authentication, Authentication policy rules must specify an Authentication Enforcement object with the Authentication Method set to browser-challenge or default-browser-challenge (Objects > Authentication). If the object specifies an Authentication Profile with Kerberos single sign-on (SSO) enabled, the firewall first attempts Kerberos authentication before falling back to NTLM. If the browser cannot perform NTLM or if NTLM authentication fails, the firewall falls back to web-form or default-web-form as the Authentication Method.
    By default, Internet Explorer supports NTLM. You can configure Firefox and Chrome to use it, as well, but you cannot use NTLM to authenticate non-Windows endpoints.
    Choose Kerberos SSO
    transparent authentication over NTLM authentication when configuring Captive Portal. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.
    These options apply only to the Windows-based User-ID agents. When using the PAN-OS integrated User-ID agent, the firewall must be able to successfully resolve the DNS name of your domain controller to join the domain. You can then enable NTLM Authentication in the PAN-OS integrated User-ID agent setup and provide the credentials for the firewall to join the domain. NTLM is available only for Windows Server version 2003 and earlier versions.
    To configure NTLM for use with Windows-based User-ID agents, define the following:
    • Attempts—The number of attempts after which NTLM authentication fails (range is 1–60; default is 1).
    • Timeout—The number of seconds after which NTLM authentication times out (range is 1–60; default is 2).
    • Reversion Time—The number of seconds after which the firewall will retry contacting the first User-ID agent listed (in DeviceUser IdentificationUser-ID Agents) after that agent becomes unavailable (range is 60–3,600; default is 300).

    © 2024 Palo Alto Networks, Inc. All rights reserved.