Palo Alto Networks Knowledgebase: NTLM Captive Portal is Redirected to the Host but Does Not Load Webpage


Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
User-ID

Issue

The Palo Alto Networks firewall is configured to authenticate users with NTLM Captive Portal. An unknown user attempts to access a web page, and the Captive Portal policy brings up the authentication page. However, once the user is authenticated, the site the user originally requested does not load. Instead, a connection timeout message appears (screenshot: CP11.PNG).

Note: In PAN-OS 5.0, the NTLM action is labeled 'browser-challenge'. In PAN-OS 4.0 and 4.1, the same action is labeled 'ntlm-auth'.

Resolution

Although the NTLM method of Captive Portal authentication does not need any user intervention, it requires Response Pages to be enabled on the firewall interface that Captive Portal redirects to.

1. Go to Network > Network Profiles > Interface Mgmt.

2. Select the interface management profile applied to the captive portal redirected interface.

3. Enable Response Pages.
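
One way to check this setting across a whole configuration, as an added example that is not part of the original article or Palo Alto Networks code: the script parses an exported configuration XML and lists Layer 3 ethernet interfaces whose Interface Mgmt profile lacks Response Pages. The sample config is constructed, and the element names (`interface-management-profile`, `response-pages`, `layer3`) are assumed to match the exported PAN-OS config layout.

```python
"""Added example: audit an exported PAN-OS config for Response Pages."""
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real firewall. Element names are
# assumed to follow the PAN-OS exported config XML layout.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network>
  <profiles><interface-management-profile>
    <entry name="cp-redirect"><ping>yes</ping><response-pages>yes</response-pages></entry>
    <entry name="ping-only"><ping>yes</ping></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
    <entry name="ethernet1/1"><layer3>
      <interface-management-profile>ping-only</interface-management-profile>
    </layer3></entry>
    <entry name="ethernet1/2"><layer3>
      <interface-management-profile>cp-redirect</interface-management-profile>
    </layer3></entry>
    <entry name="ethernet1/3"><layer3/></entry>
    <entry name="ethernet1/4"><virtual-wire/></entry>
  </ethernet></interface>
</network></entry></devices></config>
"""

def response_pages_by_interface(config_xml):
    """Map each Layer 3 ethernet interface to (profile name, enabled)."""
    root = ET.fromstring(config_xml)
    enabled = {}
    for prof in root.findall(".//network/profiles/interface-management-profile/entry"):
        value = (prof.findtext("response-pages") or "no").strip()
        enabled[prof.get("name")] = value == "yes"
    result = {}
    for iface in root.findall(".//network/interface/ethernet/entry"):
        layer3 = iface.find("layer3")
        if layer3 is None:  # skip interfaces that are not Layer 3
            continue
        name = (layer3.findtext("interface-management-profile") or "").strip() or None
        # No profile, or a profile that is not defined, means no Response Pages.
        result[iface.get("name")] = (name, enabled.get(name, False))
    return result

def interfaces_without_response_pages(config_xml):
    """Layer 3 interfaces whose profile lacks Response Pages."""
    status = response_pages_by_interface(config_xml)
    return sorted(n for n, (_, ok) in status.items() if not ok)

if __name__ == "__main__":
    for name, (profile, ok) in response_pages_by_interface(SAMPLE_CONFIG).items():
        print(f"{name}: profile={profile} response-pages={'yes' if ok else 'NO'}")
```

Compare the flagged interfaces against the one used as the Captive Portal redirect target; only that interface needs the setting for this issue.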



Troubleshooting

Tips to troubleshoot NTLM Captive Portal:

  • A User-ID Agent should be running in the network.
  • The client web browser should support NTLM; otherwise NTLM has to be enabled in the browser, if applicable. The IE browser should not have issues.
  • Make sure that Enable User Identification is checked on the applicable zone (on the Network > Zone page).
  • The Redirect method is recommended for NTLM authentication.
  • Ensure that Captive Portal rules are created and allow the source users. For example, check the policy match with:
    > test cp-policy-match source 192.168.10.1 destination 4.2.2.2
  • CLI commands to view applicable logs:
    # debug l3svc on debug
    # less mp-log appweb3-l3svc.log
    # debug l3svc on info
  • CLI commands to clear the username in the firewall if it has already been detected:
    > clear user-cache all
    > clear user-cache-mp all
  • The user should be identified as authenticated through "NTLM" with the following command:
    > show user ip-user-mapping ip 192.168.10.1


See Also

Troubleshooting Captive Portal Redirect Page Issues


owner: ssunku


