Palo Alto Networks Knowledgebase: NTLM Captive Portal is Redirected to the Host but Does Not Load Webpage
Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
The Palo Alto Networks firewall is configured for NTLM Captive Portal to authenticate users. An unknown user attempts to access a web page and the Captive Portal policy brings up the authentication page. However, once authenticated, the original user-intended destination site does not load. Instead, a connection timeout message appears:
Note: In PAN-OS 5.0, the NTLM action is labeled 'browser-challenge'. In PAN-OS 4.0 and 4.1, the same action is labeled 'ntlm-auth'.
Although the NTLM method of Captive Portal authentication does not require any user intervention, it does require Response Pages to be enabled in the interface management profile of the firewall interface to which the Captive Portal redirects.
1. Go to Network > Network Profiles > Interface Mgmt.
2. Select the interface management profile applied to the captive portal redirected interface.
3. Enable Response Pages.
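As an added example that is not part of this article, the following Python script applies the check from steps 1 to 3 to an exported PAN-OS configuration: it maps each Layer 3 Ethernet interface to its interface management profile and flags any interface whose profile does not enable Response Pages. The XML element names are an assumption based on the PAN-OS configuration export, and the sample configuration is constructed for this example.

```python
# Added example, not from the Palo Alto Networks article: audit an exported
# PAN-OS configuration for Layer 3 interfaces whose interface management
# profile does not enable Response Pages (needed by the NTLM Captive Portal
# redirect). Element names follow the PAN-OS config export as assumed here;
# the sample configuration below is constructed for this example.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><network>
  <profiles><interface-management-profile>
    <entry name="allow-cp"><response-pages>yes</response-pages><https>yes</https></entry>
    <entry name="mgmt-only"><ping>yes</ping><response-pages>no</response-pages></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
    <entry name="ethernet1/1"><layer3>
      <interface-management-profile>allow-cp</interface-management-profile>
    </layer3></entry>
    <entry name="ethernet1/2"><layer3>
      <interface-management-profile>mgmt-only</interface-management-profile>
    </layer3></entry>
    <entry name="ethernet1/3"><layer3/></entry>
  </ethernet></interface>
</network></entry></devices></config>"""

def response_page_profiles(root):
    """Return {profile name: True if Response Pages is enabled, else False}."""
    enabled = {}
    for prof in root.iterfind(".//profiles/interface-management-profile/entry"):
        enabled[prof.get("name")] = prof.findtext("response-pages", "no") == "yes"
    return enabled

def audit_interfaces(config_xml):
    """Map each Layer 3 Ethernet interface to 'ok', 'disabled' (profile lacks
    Response Pages) or 'no-profile' (no management profile assigned at all)."""
    root = ET.fromstring(config_xml)
    enabled = response_page_profiles(root)
    status = {}
    for iface in root.iterfind(".//interface/ethernet/entry"):
        layer3 = iface.find("layer3")
        prof = layer3.findtext("interface-management-profile") if layer3 is not None else None
        if prof is None:
            status[iface.get("name")] = "no-profile"
        else:
            status[iface.get("name")] = "ok" if enabled.get(prof, False) else "disabled"
    return status

if __name__ == "__main__":
    for name, state in audit_interfaces(SAMPLE_CONFIG).items():
        print(f"{name}: Response Pages {state}")
```

Run it against a real export by replacing SAMPLE_CONFIG with the contents of the saved running configuration; any interface used for the Captive Portal redirect that reports 'disabled' or 'no-profile' is the one to fix.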
Tips to troubleshoot NTLM Captive Portal:
A User-ID Agent should be running in the network.
The client web browser must support NTLM; if it supports NTLM but has it disabled, enable it. Internet Explorer should not have issues with NTLM.
Make sure that Enable User Identification is checked on the applicable zone (on the Network > Zone page).
Redirect method is recommended for NTLM Authentication.
Ensure that Captive Portal rules are created and allow the source users. For example:
> test cp-policy-match source 192.168.10.1 destination 126.96.36.199
CLI commands to view applicable logs (the last command returns the debug level to info once troubleshooting is done):
# debug l3svc on debug
# less mp-log appweb3-l3svc.log
# debug l3svc on info
CLI commands to clear the username in the firewall if it was already detected:
> clear user-cache all
> clear user-cache-mp all
The user should be identified as authenticated through "NTLM" with the following command: > show user ip-user-mapping ip 192.168.10.1