How to Configure Captive Portal

Created On 07/18/22 22:57 PM - Last Modified 05/06/26 18:20 PM


Objective


To configure Captive Portal (Authentication Portal) using redirect mode and local authentication.

Environment


  • Palo Alto Firewalls.
  • PAN-OS 9.1 and above.
  • Captive Portal (Authentication Portal).


Procedure


Configuring Captive Portal is documented here. This article provides an example using the following network diagram.
[Figure: network topology diagram]

  1. Enable user identification on the internal zone.
Go to Network > Zones > Select the zone > Enable User Identification.
  2. Configure an interface management profile with Response Pages enabled and associate it with the internal interface. Note: Do not attach the interface management profile (with Response Pages enabled) to internet-facing interfaces.
Go to Network > Interface > Select the interface > Advanced Tab > Create Management Interface Profile.
  3. Create the users and user group.
Go to Device > Users > Add Users/User Group.
  4. Configure the certificates.
Go to Device > Certificates > Generate
  5. Create an SSL/TLS Service Profile and attach the certificate.
Go to Device > SSL/TLS Service Profile > Add
  6. Configure an authentication profile and add the created group.
Go to Device > Authentication Profile > Add
  7. Enable Captive Portal (Authentication Portal).
    Note: The Captive Portal redirect host must be an IP address or FQDN assigned to a trusted firewall interface. It must be reachable only from your internal network and strictly isolated from the untrust/internet zone.
Go to Device > User Identification > Captive Portal
  8. Create an authentication policy.
Go to Policies > Authentication > Add
  9. Configure decryption policies.
Go to Policies > Decryption > Add
  10. Create a security policy to allow DNS and Captive Portal traffic.
Go to Policies > Security > Add
  11. Import the certificates into the trusted root CA store on the clients.
Go to Device > Certificates > Select the certificate > Export Certificate
Once the certificates have been added to the trusted root CA store on the clients, open a web browser. Trying to connect to websites will display the captive portal box.