Palo Alto Networks Knowledgebase: NTLM Captive Portal is Redirected to the Host but Does Not Load Webpage

NTLM Captive Portal is Redirected to the Host but Does Not Load Webpage

Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM


The Palo Alto Networks firewall is configured for NTLM Captive Portal to authenticate users. An unknown user attempts to access a web page and the Captive Portal policy brings up the authentication page. However, once authenticated, the original user-intended destination site does not load. Instead, a connection timeout message appears:

Note: In PAN-OS 5.0, the NTLM action is labeled 'browser-challenge'. In PAN-OS 4.0, 4.1 the same action is labeled 'ntlm-auth'.



Though NTLM method of Captive portal authentication does not need any user intervention, it requires Response Pages to be enabled on the firewall redirected interface.

1. Go to Network > Network Profiles > Interface Mgmt.

2. Select the interface management profile applied to the captive portal redirected interface.

3. Enable Response Pages.

Screen Shot 2013-04-10 at 3.27.55 PM.png



Tips to troubleshoot NTLM Captive Portal:

  • A User-ID Agent should be running in the network.
  • Web browser client should support NTLM, else it has to be enabled if applicable. The IE browser should not have issues.
  • Make sure that Enable User Identification is checked on the applicable zone (on the Network > Zone page).
  • Redirect method is recommended for NTLM Authentication.
  • Ensure that Captive Portal rules are created and allow the source users.
    For example, test cp-policy-match source destination
  • CLI commands to view applicable logs:
    # debug l3svc on debug
    # less mp-log appweb3-l3svc.log
    # debug l3svc on info
  • CLI commands to clear the username in the firewall if already detected
    > clear user-cache all
    > clear user-cache-mp all
  • The user should be identified as authenticated through "NTLM" with the following command:
    > show user ip-user-mapping ip


See Also

Troubleshooting Captive Portal Redirect Page Issues


owner: ssunku

  • Print
  • Copy Link

Choose Language