How to authenticate users using captive portal for non-http/https traffic

How to authenticate users using captive portal for non-http/https traffic

Created On 01/11/21 14:00 PM - Last Modified 01/25/21 16:45 PM


This article is to discuss available configuration options that we can implement on Palo Alto Networks firewall if we want to have an authentication mechanism while users are trying to access resources behind the firewall via non-http/https protocols. 


We have the following options to achieve the goal: 
  1. We can use authentication policy with MFA (Multi Factor Authentication), and the MFA can be used in conjunction with GP (Global Protect). GP client would present the user with a link which would be the MFA login page.

    You can refer to the following links for more info on how to make necessary configuration:

           Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications

           Duo Multi-Factor Authentication (MFA)

           GlobalProtect: Authentication Policy with MFA

           Configure Multi-Factor Authentication

       2. Another option is to have the end users going manually to the captive portal page and authenticating themselves. After authentication they will be granted
       access based on their user/group name.
           This works as below:

  • The users should access the captive portal by typing the URL; where: => IP address of the captive portal is
    vsys=1 => The id of the vsys is 1 where the authentication policy is configured
    rule=0 => The id of the rule is 0 which is the first policy (index = 1) under Policies > Authentication using to the web-form authentication method.
  • They will then try to access necessary resource and the traffic will be allowed or denied per user/group based policies. 

          - If we don’t assign an SSL/TLS Service Profile, the firewall uses port 6081 and the firewall's default certificate. The firewall uses TLS 1.2 by default. In order
          to use a different TLS version, we need to configure an SSL/TLS Service Profile and select the TLS version we want to use.
          - If we assign an SSL/TLS Service Profile, the firewall uses port 6082. That is the port captive portal uses while sending the first 302 redirect message.


  • Print
  • Copy Link

Choose Language