How to authenticate users using captive portal for non-http/https traffic
Objective
This article is to discuss available configuration options that we can implement on Palo Alto Networks firewall if we want to have an authentication mechanism while users are trying to access resources behind the firewall via non-http/https protocols.
Procedure
1. We can use an authentication policy with MFA (Multi-Factor Authentication), and the MFA can be used in conjunction with GP (GlobalProtect). The GP client presents the user with a link to the MFA login page.
You can refer to the following links for more info on how to make the necessary configuration:
- Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications
- Duo Multi-Factor Authentication (MFA)
- GlobalProtect: Authentication Policy with MFA
- Configure Multi-Factor Authentication
2. Another option is to have the end users go manually to the captive portal page and authenticate themselves. After authentication they are granted access based on their user/group name.
This works as below:
- The users access the captive portal by typing the URL https://1.1.1.1:6082/php/uid.php?vsys=1&rule=0; where:
1.1.1.1 => the IP address of the captive portal is 1.1.1.1
vsys=1 => the id of the vsys where the authentication policy is configured is 1
rule=0 => the id of the rule is 0, which is the first policy (index = 1) under Policies > Authentication that uses the web-form authentication method (the rule parameter is zero-based)
- They then try to access the necessary resource, and the traffic is allowed or denied per the user/group-based policies.
Notes:
- If we don't assign an SSL/TLS Service Profile, the firewall uses port 6081 and the firewall's default certificate. The firewall uses TLS 1.2 by default. In order to use a different TLS version, we need to configure an SSL/TLS Service Profile and select the TLS version we want to use.
- If we assign an SSL/TLS Service Profile, the firewall uses port 6082. That is the port the captive portal uses while sending the first 302 redirect message.
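The following helper, added here as an example and not part of the original article or of any Palo Alto Networks tooling, builds and validates the manual captive-portal URL described above. It encodes the two details that most often trip people up: the rule parameter is zero-based (the first policy under Policies > Authentication is rule=0), and the port depends on whether an SSL/TLS Service Profile is assigned (6081 without, 6082 with, as the notes state). The function and parameter names are this example's own choices.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Ports as stated in the article: 6081 with the firewall's default certificate,
# 6082 when an SSL/TLS Service Profile is assigned.
PORT_DEFAULT_CERT = 6081
PORT_TLS_PROFILE = 6082
PORTAL_PATH = "/php/uid.php"


def build_portal_url(portal_ip, vsys, policy_position, tls_profile_assigned=True):
    """Return the captive-portal login URL for a web-form authentication policy.

    policy_position is the 1-based position of the policy under
    Policies > Authentication; the rule query parameter is 0-based.
    """
    if vsys < 1:
        raise ValueError("vsys id must be >= 1")
    if policy_position < 1:
        raise ValueError("policy position is 1-based; must be >= 1")
    port = PORT_TLS_PROFILE if tls_profile_assigned else PORT_DEFAULT_CERT
    query = urlencode({"vsys": vsys, "rule": policy_position - 1})
    return f"https://{portal_ip}:{port}{PORTAL_PATH}?{query}"


def parse_portal_url(url):
    """Validate a captive-portal URL and map rule back to the 1-based policy position."""
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("captive portal URL must use https")
    if u.path != PORTAL_PATH:
        raise ValueError(f"unexpected path {u.path!r}")
    if u.port not in (PORT_DEFAULT_CERT, PORT_TLS_PROFILE):
        raise ValueError(f"unexpected captive portal port {u.port}")
    q = parse_qs(u.query)
    try:
        vsys = int(q["vsys"][0])
        rule = int(q["rule"][0])
    except (KeyError, ValueError):
        raise ValueError("vsys and rule must be present integer query parameters")
    if vsys < 1 or rule < 0:
        raise ValueError("vsys must be >= 1 and rule must be >= 0")
    return {
        "portal_ip": u.hostname,
        "port": u.port,
        "tls_profile_assigned": u.port == PORT_TLS_PROFILE,
        "vsys": vsys,
        "rule": rule,
        "policy_position": rule + 1,  # first policy (index = 1) is rule=0
    }
```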
Additional Troubleshooting Step:
If you encounter issues with inbound authentication, ensure that the local Windows firewall on the client machine is not inadvertently blocking the traffic. Specifically, check the Domain Firewall Profile settings on the machine.
Adding a rule or exception for inbound authentication under the Domain Firewall Profile may resolve the issue.