Instructions for configuring Captive Portal on the Palo Alto firewall device

1.The purpose of the article

Techbast will show how to configure Captive Portal so that administrators can authenticate users when they access the network.

2.Diagram

Details:

  • The Internet is connected to port ethernet1/1 with IP address 192.168.15.2/24; this zone is called Untrust.
  • The LAN is connected to port ethernet1/2 with IP 10.145.41.1/24 and a DHCP server is configured on it; this zone is called Trust-Player3.
  • Computer PC1 is connected to port ethernet1/2 and receives IP 10.145.41.3/24 from DHCP.

3.Scenario

Techbast will configure Captive Portal on the Palo Alto device so that PC1 has to authenticate before it can access the internet.

4.Configuration steps

  • Create certificate
  • Create Decryption policy
  • Add the certificate to the computer
  • Create user
  • Create Authentication Profile
  • Create SSL/TLS Service Profile
  • Enable Captive Portal
  • Create Authentication Policy
  • Result

5.Configuration

5.1.Create certificate

To create the certificates that Decryption will use, go to Device > Certificate Management > Certificates.

Click Generate to generate a new certificate with the following parameters:

  • Certificate Name: trusted-ca
  • Common Name: 10.145.41.1 (the LAN interface IP)
  • Certificate Authority: check Certificate Authority.

Click Generate.

Click Generate again to generate a second certificate with the following parameters:

  • Certificate Name: untrusted-ca
  • Common Name: untrusted
  • Certificate Authority: check Certificate Authority.

Click Generate.

Click the trusted-ca name and edit it as follows:

  • Check the box for Forward Trust Certificate.

Click OK to save.

Similarly, click the untrusted-ca name and edit it as follows:

  • Check Forward Untrust Certificate.

Click OK to save.

Only trusted-ca will be distributed to clients. Never install untrusted-ca on a client: the firewall signs with it when the real server's certificate is invalid, so the browser keeps showing a warning for such sites instead of silently trusting them.

5.2 Create Decryption Policy

Next, create a Decryption policy. Go to Policies > Decryption, click Add and configure it with the following parameters:

  • Name: Decryption
  • Source: Trust-Player3
  • Destination: Untrust
  • Service/URL Category: Any
  • Options: select Decrypt as the Action and SSL Forward Proxy as the Type

Click OK to save.

5.3.Add the certificate to the computer

First export trusted-ca from the firewall: in Device > Certificate Management > Certificates select trusted-ca, click Export Certificate, choose the file format Base64 Encoded Certificate (PEM) and do not export the private key. The forward trust CA's private key must stay on the firewall; anyone holding it can intercept the LAN's HTTPS traffic. Copy the exported file to PC1.

On PC1, in the Windows search box, type mmc and press Enter to open the Microsoft Management Console.

Select Console Root > click File > click Add/Remove Snap-in…

The Add or Remove Snap-ins panel appears; select Certificates and click Add.

The Certificates snap-in panel appears; select Computer account > Next > select Local computer > click Finish > click OK.

Go to Certificates (Local Computer) > right-click Trusted Root Certification Authorities > Certificates > select All Tasks > Import.

The Certificate Import Wizard window appears; click Next > in the File name section, click Browse, and navigate to the exported trusted-ca file.

Click Next > Finish to complete the import.
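The same import can be scripted from an elevated PowerShell prompt, which is handy when more than one PC has to trust the firewall. The following is an added example, not part of the original article or of any Palo Alto tool; it assumes the exported file was saved as C:\certs\trusted-ca.cer and that the certificate's Common Name is 10.145.41.1 as in section 5.1. Besides importing, it checks that what landed in the store really is a CA certificate and that no private key came along with it.

```powershell
# Added example (not from the original article): install the exported
# trusted-ca certificate into the Windows machine trust store from an
# elevated PowerShell prompt, then verify what was installed.
# Assumptions: the PEM file was saved as C:\certs\trusted-ca.cer and the
# certificate's Common Name is 10.145.41.1, as in section 5.1.
$CaFile  = 'C:\certs\trusted-ca.cer'
$Subject = 'CN=10.145.41.1'

# Refuse to import anything that carries a private key: the forward trust CA
# key must exist only on the firewall. A PKCS#12 (.pfx/.p12) file is the
# usual way that key would leak onto a client.
if ($CaFile -match '\.(pfx|p12)$' -or (Get-Content -Path $CaFile -Raw) -match 'PRIVATE KEY') {
    throw "Refusing to import $CaFile - it appears to contain a private key"
}

# Import into Trusted Root Certification Authorities, the same store the mmc steps use.
$imported = Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\LocalMachine\Root'

# Verify: present in the store, expected subject, marked as a CA, no private key.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $cert) { throw 'Certificate not found in LocalMachine\Root after import' }
if ($cert.Subject -ne $Subject) { throw "Unexpected subject: $($cert.Subject)" }
if ($cert.HasPrivateKey) {
    throw 'Imported certificate has a private key; remove it and re-export without the key'
}

$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA; check that Certificate Authority was selected in section 5.1'
}

"Installed {0} (thumbprint {1}), valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

Run it as Administrator; Import-Certificate into Cert:\LocalMachine\Root fails without elevation. The private-key checks are there because the forward trust CA is exactly the key an attacker would want on the client side.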

5.4.Create user

We need to create local users; anyone accessing the internet will have to enter one of these accounts to authenticate.

Go to Device > Local User Database > Users.

Click Add and create a user with the following information:

  • Name: u1
  • Mode: Password
  • Enter the password for the user at Password and Confirm Password
  • Click OK to save

Continue to click Add and create a user with the following information:

  • Name: u2
  • Mode: Password
  • Enter the password at Password and Confirm Password
  • Click OK to save

Click Commit and OK to save the configuration changes.

5.5.Create Authentication Profile

Go to Device > Authentication Profile and click Add to create one with the following parameters:

Tab Authentication:

  • Name: Local
  • Type: Local Database
  • Username Modifier: %USERINPUT%

Tab Advanced:

  • Click Add in the Allow List table and select all (every local user may authenticate; restrict this to a group if only some users should reach the portal).

Click OK to save the Authentication Profile.

Click Commit and OK to save the configuration changes.

5.6.Create SSL/TLS Service Profile

Go to Device > Certificate Management > SSL/TLS Service Profile.

Click Add to create one with the following parameters:

  • Name: local-portal
  • Certificate: trusted-ca
  • Min Version: TLSv1.0 (the default; set this to TLSv1.2 unless you must support clients that cannot negotiate it)
  • Max Version: Max
  • Click OK to save

This profile is what the captive portal presents to the browser. Because the Common Name of trusted-ca is the LAN IP 10.145.41.1, the same address that will be used as the Redirect Host, browsers that trust trusted-ca open the portal without a certificate warning.

Click Commit and OK to save the configuration changes.

5.7.Enable Captive Portal

Go to Device > User Identification > Captive Portal.

Click the gear icon and configure the following parameters:

  • Select Enable Captive Portal.
  • SSL/TLS Service Profile: select local-portal
  • Authentication Profile: select Local
  • Mode: select Redirect
  • Select Enable under Session Cookie
  • Redirect Host: enter the IP of the LAN port, 10.145.41.1 (this must match the Common Name of the certificate in the SSL/TLS Service Profile)
  • Click OK to save

Click Commit and OK to save the configuration changes.

5.8.Create Authentication Policy

Go to Policies > Authentication > click Add and create the following information:

Tab General:

  • Name: Captive_Portal

Tab Source:

  • Source Zone: select Trust-Player3 (the LAN zone)

Tab Destination:

  • Destination Zone: select Untrust (the internet/WAN zone)

Tab Service/URL Category:

  • Service: select service-http and service-https

Tab Action:

  • Authentication Enforcement: select default-web-form
  • Timeout (min): 60
  • Select Log Authentication Timeouts

Click OK to save.

Click Commit and OK to save the configuration changes.

With this configuration, users are forced to authenticate when they use HTTP or HTTPS to reach the internet. When they connect, the Palo Alto firewall redirects the connection to the authentication page at 10.145.41.1, where the user must enter one of the accounts created above.

Decryption is needed because HTTPS traffic is encrypted: without it the firewall cannot inject the redirect into an HTTPS session, so a user who only opens HTTPS sites would never see the portal.

With SSL Forward Proxy decryption the firewall can see the HTTPS traffic passing through it and enforce authentication on it as well.

5.9.Result

We will have PC1 (IP 10.145.41.3) access the internet with a web browser.

The browser is redirected to the Palo Alto authentication page.

Enter the username and password created earlier; if authentication succeeds, internet access is allowed. The resulting IP-to-user mapping stays valid for the Timeout configured in the Authentication policy (60 minutes here).

The successful authentication is also logged by the Palo Alto device; see Monitor > Authentication.

This log shows which IP in the network authenticated and as which user.
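Two things are worth verifying from PC1 before calling the setup done: that an unauthenticated HTTP request really is redirected to the portal on the Redirect Host, and that HTTPS sessions are being decrypted (otherwise HTTPS-only users never see the portal, as explained above). The script below is an added example, not part of the original article or of any Palo Alto tool; it assumes the Redirect Host 10.145.41.1 and trusted-ca CN=10.145.41.1 from sections 5.1 and 5.7, and uses neverssl.com and example.com only as ordinary test destinations. Run it from an unauthenticated session, or after the 60-minute timeout has expired, so the redirect is visible.

```powershell
# Added example (not from the original article): from PC1, confirm the
# captive-portal redirect and that HTTPS is decrypted by the firewall.
# Assumptions: Redirect Host 10.145.41.1 and trusted-ca with CN=10.145.41.1
# as in sections 5.1 and 5.7; neverssl.com / example.com are plain test sites.
$RedirectHost = '10.145.41.1'
$CaSubject    = 'CN=10.145.41.1'

function Test-PortalRedirect {
    param([string]$Url = 'http://neverssl.com/')
    # Disable automatic redirects so the firewall's 302 is visible instead of followed.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $resp = $req.GetResponse()
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
    } finally { $resp.Close() }

    if ($status -ne 302 -or -not $location) {
        return "Not redirected (HTTP $status): already authenticated, or the Authentication policy did not match"
    }
    $target = [System.Uri]$location
    if ($target.Scheme -ne 'https' -or $target.Host -ne $RedirectHost) {
        return "Redirected to unexpected portal $location (expected https://$RedirectHost/...)"
    }
    return "OK: portal redirect to $location"
}

function Get-DecryptedIssuer {
    param([string]$HostName = 'example.com')
    # Open the TLS session ourselves so the server certificate can be inspected.
    # Validation is deliberately skipped: we only want to read who issued it.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return $cert.Issuer
    } finally { $tcp.Close() }
}

Test-PortalRedirect

$issuer = Get-DecryptedIssuer -HostName 'example.com'
if ($issuer -eq $CaSubject) {
    "OK: HTTPS to example.com is decrypted (issuer $issuer)"
} else {
    "HTTPS is NOT being decrypted: issuer is '$issuer', expected '$CaSubject'. " +
    "The Decryption policy from 5.2 is not matching this traffic, so HTTPS-only users will never see the portal."
}
```

If the issuer comes back as CN=untrusted, decryption is working but the upstream site's own certificate failed validation and the firewall signed the impersonation certificate with untrusted-ca; that is the expected warning path, not a misconfiguration of the portal.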
