How to authenticate users using captive portal for non-http/https traffic
This article is to discuss available configuration options that we can implement on Palo Alto Networks firewall if we want to have an authentication mechanism while users are trying to access resources behind the firewall via non-http/https protocols.
- We can use authentication policy with MFA (Multi Factor Authentication), and the MFA can be used in conjunction with GP (Global Protect). GP client would present the user with a link which would be the MFA login page.
You can refer to the following links for more info on how to make necessary configuration:
Configure Multi-Factor Authentication
2. Another option is to have the end users going manually to the captive portal page and authenticating themselves. After authentication they will be granted
access based on their user/group name.
This works as below:
- The users should access the captive portal by typing the URL https://188.8.131.52:6082/php/uid.php?vsys=1&rule=0; where:
184.108.40.206 => IP address of the captive portal is 220.127.116.11
vsys=1 => The id of the vsys is 1 where the authentication policy is configured
rule=0 => The id of the rule is 0 which is the first policy (index = 1) under Policies > Authentication using to the web-form authentication method.
- They will then try to access necessary resource and the traffic will be allowed or denied per user/group based policies.
- If we don’t assign an SSL/TLS Service Profile, the firewall uses port 6081 and the firewall's default certificate. The firewall uses TLS 1.2 by default. In order
to use a different TLS version, we need to configure an SSL/TLS Service Profile and select the TLS version we want to use.
- If we assign an SSL/TLS Service Profile, the firewall uses port 6082. That is the port captive portal uses while sending the first 302 redirect message.