Using Captive Portal.pdf - Palo Alto Networks Live


live.paloaltonetworks.com

What is Captive Portal?
• A component of User-ID; it provides another means to authenticate users in order to map username to IP address
• One of several methods to identify users
  - Active Directory agent (PAN Agent)
  - LDAP agent (User-ID Agent)
  - User-ID API
  - Direct authentication to the FW (SSL VPN)
• Mapping enables group/user based policies and per-user logging
Page 2 | © 2011 Palo Alto Networks. Proprietary and Confidential.


How Does Captive Portal Work?
• Applies when a user is unknown
• User-to-IP mapping not learned from any other method
• Typically used as a secondary/fallback method to AD or LDAP, but can be primary
• Enabled by policy via the Captive Portal rulebase
• HTTP traffic is redirected and the user is authenticated
• After successful authentication, user traffic is allowed for a period of time
• After expiration, the user is redirected again to authenticate


Captive Portal Use Cases
• Identify users on non-Windows machines
• Identify Windows users not logged into the domain
• Identify shared PC/kiosk users
• Identify guest network users


Components of Captive Portal


Captive Policy Rulebase
• If the user is unknown, the FW checks the Captive Portal rulebase


Captive Portal Rulebase Action
• Captive Portal (Web Form)
  - User receives a web page from the FW
  - Enters username/password
  - Authenticated using the specified Authentication Profile
    The profile can specify one of several methods:
    • Local
    • RADIUS
    • LDAP
    • Kerberos (R4.0)
    • Client certificate (R4.0)
    • Sequence chain of the above (R4.0)


Captive Portal Rulebase Action
• NT LAN Manager (NTLM) Auth
  - User transparently authenticated by browser challenge
  - Requires the Active Directory User-ID agent (PAN Agent)
  - Caveats
    Applies to Windows PCs only
    Works only if the browser is Firefox or IE
    • For other browsers, NTLM authentication is bypassed and the user is presented with a web form


Captive Portal Flow Summary (diagram)
HTTP traffic from an unknown user → Captive Portal policy → either Web Form (authentication) or NTLM (browser auth for IE and Firefox; other browsers fall back to web form authentication)


Captive Portal Configuration Modes
• Transparent and Redirect modes
• Both can be used with any FW deployment mode (Vwire, L2 and L3)


Transparent Mode
• When the user attempts to access a URL, the browser is redirected to the web form
  - Host name does not change
• Simple to configure, but has several limitations
  - Results in browser certificate mismatch warnings
  - No session cookie support


Redirect Mode
• FW redirects the browser to an L3 interface on the FW
• Required for NTLM and session cookie retention


Captive Portal – Web Form
• IP with unknown user sends web traffic
• Traffic is matched to a Captive Portal policy with Captive Portal as the action
• Browser is sent to the captive portal page with a redirect
• User enters username and password
• Firewall authenticates the user
• Browser is then redirected back to the original address. User is now known.


Captive Portal – NTLM Auth
• IP with unknown user sends web traffic
• Traffic is matched to a Captive Portal policy with NTLM Auth as the action
• Browser is sent a 302 response redirecting it to an interface on the firewall
• Firewall sends the browser a 401 response
• Browser sends NTLM authentication, which is passed to an AD User Agent
• Browser is then redirected back to the original address. User is now known.


Session Cookies
• Without session cookies
  - User is redirected to authenticate based on the Expiration/Idle Timers
  - Difficult balance: excessive authentication vs. potential unauthorized use
• With session cookies
  - FW sets a browser session cookie
    Allows a user to be transparently re-authenticated
    Can use short Expiration/Idle Timers without user annoyance
  - Roaming option
    Without Roaming enabled, the cookie must be presented from the same source address
    With Roaming enabled, a different source address is allowed with the cookie
  - Captive Portal will prompt for credentials only if:
    The browser has been closed and the portal timers have expired. Timeouts can be set low (1 minute) to take advantage of this.
    The browser has been open for longer than the Cookie timeout setting (default = 24 hours)
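The timer and cookie behaviour described on this slide, modelled as an added example (illustration code, not Palo Alto Networks code). The timer values, the order of the checks and the fields bound into the cookie are assumptions; the point is to show why short Expiration/Idle timers become usable once a cookie can re-authenticate the browser transparently, and how the Roaming option and the cookie timeout bound that.

```python
"""Model of Captive Portal re-authentication with and without session cookies.

Added example, not PAN-OS code. Encodes the behaviour on the slide:
  * an expired mapping (expiration or idle timer) sends the user back to
    the web form when no valid cookie is presented;
  * a valid cookie re-authenticates the user transparently and resets timers;
  * Roaming decides whether a cookie from a different source IP is accepted;
  * the cookie itself stops working after the cookie timeout (default 24 h).
Timer defaults and the check order are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PortalConfig:
    expiration_timer: int = 60        # seconds; slide suggests 1 minute with cookies
    idle_timer: int = 60
    cookie_timeout: int = 24 * 3600   # default 24 hours
    session_cookies: bool = True
    roaming: bool = False


@dataclass
class Mapping:
    user: str
    ip: str
    authenticated_at: int
    last_seen: int


@dataclass(frozen=True)
class Cookie:
    user: str
    ip: str          # source address the cookie was issued to
    issued_at: int


def mapping_valid(m: Mapping, cfg: PortalConfig, now: int) -> bool:
    """A mapping is live while both the expiration and the idle timer hold."""
    return (now - m.authenticated_at) <= cfg.expiration_timer and \
           (now - m.last_seen) <= cfg.idle_timer


class CaptivePortal:
    def __init__(self, cfg: PortalConfig) -> None:
        self.cfg = cfg
        self.mappings: Dict[str, Mapping] = {}   # ip -> user mapping

    def web_form_login(self, user: str, ip: str, now: int) -> Optional[Cookie]:
        """Successful web-form authentication: create the mapping and, if
        enabled, hand the browser a session cookie."""
        self.mappings[ip] = Mapping(user, ip, now, now)
        return Cookie(user, ip, now) if self.cfg.session_cookies else None

    def handle_request(self, ip: str, cookie: Optional[Cookie], now: int) -> str:
        """Return 'allow', 'cookie-reauth' or 'web-form' for one HTTP request."""
        m = self.mappings.get(ip)
        if m is not None and mapping_valid(m, self.cfg, now):
            m.last_seen = now                      # activity refreshes the idle timer
            return "allow"
        # Unknown or expired mapping: the Captive Portal policy applies.
        if cookie is None or not self.cfg.session_cookies:
            return "web-form"
        if now - cookie.issued_at > self.cfg.cookie_timeout:
            return "web-form"                      # browser open longer than cookie timeout
        if cookie.ip != ip and not self.cfg.roaming:
            return "web-form"                      # cookie bound to its source address
        self.mappings[ip] = Mapping(cookie.user, ip, now, now)   # timers reset
        return "cookie-reauth"
```

With `session_cookies=False` the same 1-minute timers would prompt the user every minute; with cookies the prompt only returns once the cookie is older than `cookie_timeout` or, without Roaming, when the browser shows up from a new address.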


Captive Portal – Web Form with Session Cookies
User has previously authenticated to Captive Portal
• Captive Portal timer expires
• User sends web traffic
• Browser is sent to the captive portal page with a redirect
• Firewall sees the browser cookie and resets the timers
• Browser is redirected back to the original address


Captive Portal Flow Summary (diagram)
HTTP traffic from an unknown user → Captive Portal policy → Web Form (Transparent authentication, or Redirect authentication with session cookie) or NTLM (Redirect; browser auth for IE / Firefox, other browsers fall back to web form authentication)


Captive Portal Configuration


Captive Portal | Configuration
Create a Server Profile
  - Server connection information
  - Protocol-specific settings
Create an Authentication Profile
  - Allowed and denied users
  - Account lockout
  - Authentication usage
  - References a Server Profile


Captive Portal | Configuration (screenshot)
Settings shown: lifetime of user mappings, Authentication Profile, SSL Certificate


Captive Portal | Configuration | Policy (screenshot)


Captive Portal | Configuration
• An Interface Management Profile with Response Pages enabled needs to be applied to the web host (redirect) interface


Use Case Details
• Kiosk Environment
  - Computer shared by multiple users
    IT wants each individual user identified
    Common in hospitals where doctors/nurses share a mobile PC
  - Each PC is typically logged into the domain with a master account
    Configure the agent to ignore this account
    • ignore_user_list.txt in the C:\Program Files\Palo Alto Networks\PanAgent directory
  - Use Web Form with redirect
    Configure session cookies and short expiration timers (1 minute)
• Guest Network
  - Captive Portal Web Form used as the primary authentication mechanism
  - With or without username/password
    Without requires the import of a new captive portal comfort page


Troubleshooting


Rulebase Issues
• Security policy must be matched first, before the session is redirected to the captive portal
  - If a deny policy is matched, the packets will be dropped and the session will not be redirected to the captive portal
  - Security policy must allow web-browsing and DNS for unknown users
• Captive Portal will not work with this rulebase (screenshot of an example rulebase)
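The evaluation order this slide warns about, modelled as an added example (illustration code, not PAN-OS). The rule fields and the `any` / `known-user` / `unknown-user` selectors are assumptions; the model shows that a rulebase which only allows known users drops the unknown user's first HTTP session before the Captive Portal rulebase is ever consulted, and includes a small lint that reports which of the two required applications (web-browsing, DNS) unknown users cannot reach.

```python
"""Evaluation order: security policy first, Captive Portal rulebase second.

Added example, not PAN-OS code. Rule fields and the user selectors are
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityRule:
    name: str
    users: str               # "any", "known-user" or "unknown-user"
    apps: Tuple[str, ...]    # application names, or ("any",)
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class CaptivePortalRule:
    name: str
    src_zone: str            # zone name or "any"
    action: str              # "web-form" or "ntlm-auth"


def _user_matches(selector: str, user: Optional[str]) -> bool:
    if selector == "any":
        return True
    if selector == "known-user":
        return user is not None
    if selector == "unknown-user":
        return user is None
    raise ValueError(f"unsupported user selector {selector!r}")


def evaluate(security: List[SecurityRule], cp_rules: List[CaptivePortalRule],
             user: Optional[str], app: str, src_zone: str = "any") -> str:
    """Return 'drop', 'allow' or 'redirect:<cp action>' for one session.

    user is None for an IP with no User-ID mapping (an unknown user)."""
    # Step 1: first matching security rule wins; no match is an implicit deny.
    for rule in security:
        if _user_matches(rule.users, user) and ("any" in rule.apps or app in rule.apps):
            if rule.action == "deny":
                return "drop"            # dropped; no redirect can happen
            break
    else:
        return "drop"
    # Step 2: only an allowed HTTP session from an unknown user reaches the
    # Captive Portal rulebase.
    if user is None and app == "web-browsing":
        for cp in cp_rules:
            if cp.src_zone in ("any", src_zone):
                return f"redirect:{cp.action}"
    return "allow"


def lint_rulebase(security: List[SecurityRule]) -> List[str]:
    """Report the applications an unknown user cannot reach. The slide requires
    web-browsing and DNS to be allowed, otherwise the portal is never reached."""
    problems = []
    for app in ("web-browsing", "dns"):
        if evaluate(security, [], None, app) == "drop":
            problems.append(f"unknown users cannot reach {app}")
    return problems
```

Run `lint_rulebase` against a candidate security rulebase before enabling the Captive Portal rule; an empty list means unknown users can at least resolve names and open the HTTP session that gets redirected.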


User-ID Issues
• User-ID must be enabled on the source zone
• For NTLM, the PAN Agent must be operational and connected to the FW


Troubleshooting
• An Interface Management Profile with Response Pages selected must be applied to the redirect interface
• Make sure Captive Portal is enabled
• For Redirect, make sure the web host interface on the FW is reachable
• Authentication issues
  - Review the System log for ‘Not in allowed List’ or ‘Bad username/password’


Useful Commands
> test cp-policy-match source x.x.x.x destination y.y.y.y
> show user ip-user-mapping all
IP               Ident. By  User        TTL (s)  Max. TTL (s)
---------------  ---------  ----------  -------  ------------
10.154.172.76    AD         jaugustus   2949     2949
10.154.90.109    NTLM       lstockton   889      889
10.154.20.148    CP         dchinn      720      720
10.154.126.204   AD         mgallagher  519      519
> clear user-cache
> all   Clear all ip to user cache in data plane
> ip    Clear the specified ip to user cache in data plane
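A small parser for the `show user ip-user-mapping all` output shown above, added here as an example (not a PAN-OS tool). It assumes the five-column layout of the slide's sample (IP, Ident. By, User, TTL, Max. TTL) with rows following the dashed separator line; the sample text embedded in the block is the slide's own output. It lets you count mappings by identification method and list the hosts whose mapping will time out soon, which is what you want when checking whether Captive Portal, NTLM or the agent is actually producing the mappings you expect.

```python
"""Parse `show user ip-user-mapping all` output and summarise the mappings.

Added example, not a PAN-OS tool. Assumes the column layout of the slide's
sample output: IP, Ident. By, User, TTL (s), Max. TTL (s).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample output as printed on the slide.
SAMPLE = """\
IP               Ident. By  User        TTL (s)  Max. TTL (s)
---------------  ---------  ----------  -------  ------------
10.154.172.76    AD         jaugustus   2949     2949
10.154.90.109    NTLM       lstockton   889      889
10.154.20.148    CP         dchinn      720      720
10.154.126.204   AD         mgallagher  519      519
"""


@dataclass(frozen=True)
class UserMapping:
    ip: str
    ident_by: str     # AD (agent), NTLM (browser challenge), CP (web form)
    user: str
    ttl: int          # seconds left before the mapping expires
    max_ttl: int


def parse_mappings(text: str) -> List[UserMapping]:
    """Return one UserMapping per table row; rows start after the '---' line."""
    rows: List[UserMapping] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected row: {line!r}")
        ip, ident, user, ttl, max_ttl = fields
        rows.append(UserMapping(ip, ident, user, int(ttl), int(max_ttl)))
    return rows


def count_by_method(rows: List[UserMapping]) -> Dict[str, int]:
    """How many mappings each identification method produced."""
    return dict(Counter(r.ident_by for r in rows))


def expiring_within(rows: List[UserMapping], seconds: int) -> List[str]:
    """IPs whose mapping times out within `seconds`; those hosts will be sent
    back through Captive Portal (or must be re-learned by an agent) soon."""
    return [r.ip for r in rows if r.ttl <= seconds]


def captive_portal_users(rows: List[UserMapping]) -> List[str]:
    """Users that were identified by the Captive Portal web form."""
    return [r.user for r in rows if r.ident_by == "CP"]
```

Feed it the captured CLI output of a firewall under test; a mapping table with no `CP` or `NTLM` rows after a user has gone through the portal is a quick indicator that the redirect or the authentication is failing rather than the mapping lifetime.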


KnowledgePoint Links
• How to Configure Captive Portal
  - https://live.paloaltonetworks.com/docs/DOC-1159
• How to Configure Captive Portal in V-Wire using Redirect Mode
  - https://live.paloaltonetworks.com/docs/DOC-1841
• Captive Portal and NTLM for L2 Network
  - https://live.paloaltonetworks.com/docs/DOC-1138
• Ignoring Users in PAN Agent
  - https://live.paloaltonetworks.com/docs/DOC-1116
• Testing Captive Portal When Using PAN Agent
  - https://live.paloaltonetworks.com/docs/DOC-1211
• Configuring User Authentication in PANOS 3.1
  - https://live.paloaltonetworks.com/docs/DOC-1718
• Configuring Kerberos Authentication in PANOS 4.0
  - https://live.paloaltonetworks.com/docs/DOC-1762

