Device > User Identification > Captive Portal Settings
End-of-Life (EoL)
Edit the Captive Portal Settings to configure the firewall to authenticate users whose traffic matches an Authentication policy rule.

If Captive Portal uses an SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile), authentication profile (Device > Authentication Profile), or Certificate Profile (Device > Certificate Management > Certificate Profile), configure the profile before you begin. The complete procedure to configure Captive Portal requires additional tasks beyond configuring these profiles.

You must Enable Captive Portal to enforce Authentication policy (see Policies > Authentication).
Field | Description |
---|---|
Enable Captive Portal | Select this option to enable Captive Portal. Authentication policy rules are not enforced until Captive Portal is enabled. |
Idle Timer (min) | Enter the user time-to-live (TTL) value in minutes for a Captive Portal session (range is 1 to 1,440; default is 15). This timer resets every time there is activity from a Captive Portal user. If the idle time for a user exceeds the Idle Timer value, PAN-OS removes the Captive Portal user mapping and the user must log in again. |
Timer (min) | The maximum TTL in minutes, which is the maximum time that any Captive Portal session can remain mapped (range is 1 to 1,440; default is 60). After this duration elapses, PAN-OS removes the mapping and users must re-authenticate even if the session is active. This timer prevents stale mappings and overrides the Idle Timer value, so always set the Timer higher than the Idle Timer; otherwise the Idle Timer never takes effect. |
SSL/TLS Service Profile | To specify a firewall server certificate and the allowed protocols for securing redirect requests, select an SSL/TLS service profile (Device > Certificate Management > SSL/TLS Service Profile). If you select None, the firewall uses its local default certificate for SSL/TLS connections; browsers do not trust that certificate, so users see certificate warnings. In the SSL/TLS Service Profile, set the Min Version to TLSv1.2 and the Max Version to Max to provide the strongest protection against SSL/TLS protocol vulnerabilities. Setting the Max Version to Max ensures that, as stronger protocol versions become available, the firewall always uses the latest one. To redirect users without displaying certificate errors, assign a profile whose certificate matches the name users are redirected to (the Redirect Host, or the IP address of the Layer 3 interface to which you redirect web requests). |
Authentication Profile | You can select an authentication profile (Device > Authentication Profile) to authenticate users when their traffic matches an Authentication policy rule (Policies > Authentication). However, the authentication profile you select in the Captive Portal Settings applies only to rules that reference one of the default authentication enforcement objects (Objects > Authentication). This is typically the case right after an upgrade to PAN-OS 8.0, because all Authentication rules initially reference the default objects. For rules that reference custom authentication enforcement objects, select the authentication profile when you create the object. |
GlobalProtect Network Port for Inbound Authentication Prompts (UDP) | Specify the port that GlobalProtect™ uses to receive inbound authentication prompts from multi-factor authentication (MFA) gateways (range is 1 to 65,535; default is 4,501). To support multi-factor authentication, a GlobalProtect endpoint must receive and acknowledge UDP prompts that are inbound from the MFA gateway. When a GlobalProtect endpoint receives a UDP message on the specified network port and the message comes from a trusted firewall or gateway, GlobalProtect displays the authentication message (see Customize the GlobalProtect App). |
Mode | Select how the firewall captures web requests for authentication. In Transparent mode, the firewall intercepts the session, impersonates the original destination URL and issues an HTTP 401 to invoke authentication; because the firewall does not hold the destination's certificate, browsers display a certificate error for HTTPS destinations, so use this mode only where Redirect mode is not possible (for example, Layer 2 or virtual wire deployments). In Redirect mode, the firewall intercepts the session and redirects it with an HTTP 302 to the Layer 3 interface named by the Redirect Host, where it performs authentication; this is the preferred mode and the only one that supports session cookies. Redirect mode is required if Captive Portal uses Kerberos SSO or NTLM authentication, because the browser provides credentials only to trusted sites. Redirect mode is also required if Captive Portal uses multi-factor authentication (MFA). |
Session Cookie (Redirect mode only) | Enable a session cookie so that a browser that has already authenticated presents the cookie on later requests instead of being prompted again when a mapping expires. The cookie Timeout controls how long the cookie remains valid, and Roaming keeps the cookie valid if the endpoint's IP address changes during the session. |
Redirect Host (Redirect mode only) | Specify the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests. If users authenticate through Kerberos single sign-on (SSO), the Redirect Host must be the same as the hostname specified in the Kerberos keytab. |
Certificate Profile | You can select a Certificate Profile (Device > Certificate Management > Certificate Profile) to authenticate users when their traffic matches any Authentication policy rule (Policies > Authentication). For this authentication type, Captive Portal prompts the user's browser to present a client certificate. Therefore, you must deploy client certificates to each user system. Furthermore, on the firewall you must install the certificate authority (CA) certificate that issued the client certificates and assign the CA certificate to the Certificate Profile. This is the only authentication method that enables transparent (prompt-free) authentication for macOS and Linux endpoints. |
NTLM Authentication | When you configure Captive Portal for NT LAN Manager (NTLM) authentication, Authentication policy rules must specify an Authentication Enforcement object with the Authentication Method set to browser-challenge or default-browser-challenge (Objects > Authentication). If the object specifies an Authentication Profile with Kerberos single sign-on (SSO) enabled, the firewall first attempts Kerberos authentication before falling back to NTLM. If the browser cannot perform NTLM, or if NTLM authentication fails, the firewall falls back to web-form or default-web-form as the Authentication Method. By default, Internet Explorer supports NTLM; you can configure Firefox and Chrome to use it as well, but you cannot use NTLM to authenticate non-Windows endpoints. Choose Kerberos SSO over NTLM whenever possible. These options apply only to the Windows-based User-ID agents. When using the PAN-OS integrated User-ID agent, the firewall must be able to resolve the DNS name of your domain controller to join the domain; you can then enable NTLM Authentication in the PAN-OS integrated User-ID agent setup and provide the credentials for the firewall to join the domain. NTLM is available only for Windows Server 2003 and earlier versions. To configure NTLM for use with Windows-based User-ID agents, define the following: |
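Several of the settings above constrain each other (the Timer must exceed the Idle Timer, Kerberos SSO, NTLM and MFA need Redirect mode, the Redirect Host must match both the keytab hostname and the server certificate, the TLS floor should be 1.2). The following offline checker, added here as an example and not part of the PAN-OS product or its documentation, encodes those constraints as rules over a hypothetical flat `CaptivePortalSettings` structure; the field names, the `cert_sans` list and the sample values are constructed for the example and do not reflect a PAN-OS API or configuration schema.

```python
from dataclasses import dataclass
from typing import Optional

# Ordering of the protocol versions an SSL/TLS Service Profile can name.
TLS_ORDER = {"tls1-0": 0, "tls1-1": 1, "tls1-2": 2, "tls1-3": 3, "max": 99}


@dataclass
class CaptivePortalSettings:
    """Hypothetical flat view of the fields on this page (not a PAN-OS API)."""
    enabled: bool = True
    idle_timer_min: int = 15          # range 1-1440, default 15
    timer_min: int = 60               # range 1-1440, default 60
    tls_min_version: str = "tls1-2"
    tls_max_version: str = "max"
    mode: str = "redirect"            # "transparent" or "redirect"
    redirect_host: Optional[str] = None
    auth_method: str = "web-form"     # web-form | browser-challenge | mfa | certificate
    kerberos_sso: bool = False
    kerberos_keytab_host: Optional[str] = None  # host part of the keytab SPN
    gp_mfa_port: int = 4501           # range 1-65535, default 4501


def hostname_matches(name: str, san: str) -> bool:
    """True if the certificate DNS name `san` covers `name`.

    Accepts an exact match or a single leftmost wildcard label
    (*.corp.example), which is the rule browsers apply.
    """
    name, san = name.lower().rstrip("."), san.lower().rstrip(".")
    if san == name:
        return True
    if san.startswith("*."):
        return name.endswith(san[1:]) and name.count(".") == san.count(".")
    return False


def check(cfg: CaptivePortalSettings, cert_sans: list[str]) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the settings are
    consistent with the constraints described in the table above."""
    findings = []
    if not cfg.enabled:
        findings.append(("disabled", "Captive Portal is off, so Authentication policy is not enforced"))
    for label, value in (("Idle Timer", cfg.idle_timer_min), ("Timer", cfg.timer_min)):
        if not 1 <= value <= 1440:
            findings.append(("timer-range", f"{label} {value} is outside 1-1440 minutes"))
    if cfg.timer_min <= cfg.idle_timer_min:
        findings.append(("timer-order", "Timer must be greater than Idle Timer or the idle timer never takes effect"))
    if TLS_ORDER.get(cfg.tls_min_version, -1) < TLS_ORDER["tls1-2"]:
        findings.append(("tls-min", f"Min Version {cfg.tls_min_version} permits deprecated TLS; use tls1-2"))
    if cfg.tls_max_version != "max":
        findings.append(("tls-max", "Max Version should be max so newer protocol versions are used automatically"))
    needs_redirect = cfg.auth_method in ("browser-challenge", "mfa") or cfg.kerberos_sso
    if needs_redirect and cfg.mode != "redirect":
        findings.append(("mode", "Kerberos SSO, NTLM browser-challenge and MFA require Redirect mode"))
    if cfg.mode == "redirect":
        if not cfg.redirect_host:
            findings.append(("redirect-host", "Redirect mode needs a Redirect Host that resolves to the L3 interface"))
        else:
            if cfg.kerberos_sso and (cfg.kerberos_keytab_host or "").lower() != cfg.redirect_host.lower():
                findings.append(("keytab-host", "Redirect Host must equal the hostname in the Kerberos keytab"))
            if not any(hostname_matches(cfg.redirect_host, s) for s in cert_sans):
                findings.append(("cert-name", f"no SAN in the server certificate covers {cfg.redirect_host}; "
                                              "browsers will show a certificate error"))
    if not 1 <= cfg.gp_mfa_port <= 65535:
        findings.append(("gp-port", f"GlobalProtect MFA port {cfg.gp_mfa_port} is not a valid UDP port"))
    return findings


if __name__ == "__main__":
    # Constructed sample: Kerberos SSO in Redirect mode with a wildcard certificate.
    sample = CaptivePortalSettings(redirect_host="cp.corp.example", kerberos_sso=True,
                                   kerberos_keytab_host="cp.corp.example")
    for code, msg in check(sample, ["*.corp.example"]) or [("ok", "no findings")]:
        print(f"{code}: {msg}")
```

Feed it the values you intend to commit together with the DNS names from the certificate bound to the SSL/TLS Service Profile; the `cert-name` and `keytab-host` findings are the two that otherwise only surface as browser warnings or failed SSO after the commit.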