Palo Alto Networks: How to configure Captive Portal to authenticate users when accessing the internet with accounts from AD

1.Goal of the article

In the previous article, techbast showed you how to configure the Captive Portal to authenticate users when they use the internet, with a local account on the Palo Alto device.

In today's article techbast will guide you through configuring the Captive Portal for the same purpose, authenticating users when they use the internet, but with an account from the AD server in the system.

2.Diagram

Details:

  • The Palo Alto firewall is connected to the internet through ethernet1/1 with WAN IP 192.168.219.129.
  • The LAN of the Palo Alto device is on ethernet1/2, which allocates the 10.145.41.0/24 network using DHCP.
  • In the LAN there is also an AD server with IP 10.145.41.10/24. On this server an IT OU has been created; the IT OU contains a Support group, and the Support group contains the users user1, user2 and user3.
  • Laptop 1 is connected to ethernet1/2 and receives IP 10.145.41.3/24 from DHCP.

3.Scenario

Techbast will configure the Captive Portal on the Palo Alto device so that when devices in the LAN access and use the internet, they have to authenticate with an account synced from the AD server.

4.What to do

  • Create Certificate
  • Configure Decryption Policy
  • Add Certificate to Laptop 1
  • Create SSL/TLS Service Profile
  • AD Sync
  • Create Authentication Profile
  • Enable Captive Portal
  • Create Authentication policy
  • Result

5.Configuration

5.1.Create certificate

To create the certificates used by Decryption and by the captive portal, go to Device > Certificate Management > Certificates.

Click Generate to generate a new certificate with the following parameters:

  • Certificate Name: trusted-ca
  • Common Name: 10.145.41.1 (this is the firewall's LAN interface IP; the captive portal will be reached at this address, so it must match the Redirect Host configured later)
  • Certificate Authority: check Certificate Authority.

Click Generate to generate.

Click Generate again to generate a second certificate with the following parameters:

  • Certificate Name: untrusted-ca
  • Common Name: untrusted
  • Certificate Authority: check Certificate Authority.

Click Generate to generate.

Click on trusted-ca name to edit as follows:

  • Check the box for Forward Trust Certificate.

Click OK to save.

Similarly, click on the untrusted-ca name to edit as follows:

  • Check Forward Untrust Certificate.

Click OK to save.

5.2.Create Decryption Policy

Next, we will create a Decryption Policy. To create it, go to Policies > Decryption > click Add and configure it with the following parameters:

  • Name: Decryption
  • Source: Trust-Player3
  • Destination: Untrust
  • Service/URL Category: Any
  • Options: select Decrypt in Action and SSL Forward Proxy in Type

5.3.Add the certificate to the computer

In the Windows search box, type mmc and press Enter to open the Microsoft Management Console.

Select Console Root > Click File > Click Add/Remove Snap-in…

The Add or Remove Snap-ins panel appears; select Certificates and click Add.

The Certificates snap-in panel appears; select Computer account > Next > select Local computer > click Finish > click OK.

Go to Certificates (Local Computer) > right-click Trusted Root Certification Authorities > Certificates > select All Tasks > Import.

The Certificate Import Wizard window appears. Click Next; in the File name section click Browse and navigate to where you saved the trusted-ca certificate when exporting it from the firewall (Device > Certificate Management > Certificates, select trusted-ca, Export Certificate, in PEM format and without the private key: the private key must stay on the firewall).

Click Next > Finish to complete the import.
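The same import can be scripted, which is how you would roll the CA out to more than one laptop. The following PowerShell is an added example, not code from the original article; it assumes the exported trusted-ca certificate is at C:\certs\trusted-ca.pem (an assumed path) and that the prompt is elevated. It adds two checks the MMC wizard does not perform: it refuses a file that carries a private key, and it refuses anything that is not a CA certificate.

```powershell
# Added example, not from the original article: import the firewall's Forward
# Trust CA (trusted-ca) into Local Computer > Trusted Root Certification
# Authorities from an elevated PowerShell prompt, with sanity checks.
# Assumed path of the exported certificate: C:\certs\trusted-ca.pem
# (PEM, exported without the private key).
function Install-FirewallRootCa {
    param([string]$CertPath = 'C:\certs\trusted-ca.pem')   # assumed path

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

    # Check 1: a client must never receive the CA's private key; the firewall
    # export dialog offers to include it, so refuse such a file outright.
    if ($cert.HasPrivateKey) { throw "Refusing to import $CertPath - it contains a private key" }

    # Check 2: only a CA certificate belongs in the Root store.
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $basic -or -not $basic.CertificateAuthority) {
        throw "Refusing to import $($cert.Subject) - not a CA certificate"
    }

    # Compare this thumbprint with the one shown on the firewall before trusting it.
    "Subject     : $($cert.Subject)"
    "Thumbprint  : $($cert.Thumbprint)"
    "Valid until : $($cert.NotAfter)"

    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
        [System.Security.Cryptography.X509Certificates.StoreName]::Root,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)   # needs elevation
    try     { $store.Add($cert) }    # no-op if the certificate is already present
    finally { $store.Close() }

    # Verify through the Cert: drive, the same store the MMC steps above target.
    $installed = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $installed) { throw "Import verification failed for $($cert.Thumbprint)" }
    "OK: $($cert.Subject) is now trusted machine-wide"
    return $installed
}

Install-FirewallRootCa
```

For a domain-joined fleet, publish the certificate once through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) instead of running this on every machine.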

5.4.Create SSL/TLS Service Profile

Go to Device > Certificate Management > SSL/TLS Service Profile.

Click Add to create with the following parameters:

  • Name: local-portal
  • Certificate: trusted-ca
  • Min Version: TLSv1.0 (TLS 1.0 and 1.1 are deprecated; since this portal page receives domain credentials, set the minimum to TLSv1.2 on a production firewall)
  • Max Version: Max
  • Click OK to save

Click Commit and OK to save the configuration changes.

5.5.AD sync

5.5.1. Configure Service Features

First we need to configure service routes so that certain services use the interface that connects to the AD server.

Here we will route the DNS, Kerberos, LDAP and UID Agent services.

To configure these services, go to Device > Setup > Services > Service Features > Service Route Configuration.

The Service Route Configuration panel appears; select Customize.

To configure a service, click on it (here DNS); the Service Route Source panel appears. Select ethernet1/2 as the Source Interface, and Source Address will automatically show the IP of the ethernet1/2 interface, 10.145.41.1/24.

Click OK to save.

The remaining services we also do the same.

Click OK in the Service Route Configuration panel to save.

Click Commit and OK to save the configuration changes.

5.5.2. Enable User Identification on LAN zone

To be able to synchronize users from the AD server, we need to enable User Identification on the zone containing the domain workstations; here we enable it on the Trust-Player3 zone.

To turn it on go to Network > Zones > click on the Trust-Player3 zone > the Zone panel appears > check Enable User Identification in the User Identification ACL section.

Click OK to save.

Click Commit and OK to save the configuration changes.

5.5.3. Configure LDAP Service Profile

To create it, go to Device > Server Profiles > LDAP > click Add and enter the following information:

  • Profile Name: learningit
  • Server List: click Add, enter adserver as the Name, the server IP 10.145.41.10 as LDAP Server, and 389 as the Port.
  • Under Server Settings:
  • Type: select active-directory
  • Base DN: DC=learningit,DC=xyz
  • Bind DN: administrator@learningit.xyz
  • Password and Confirm Password: enter the password of the administrator account.
  • Bind Timeout: 30
  • Search Timeout: 30
  • Retry Interval: 60
  • Require SSL/TLS secured connection: unchecked.
  • Click OK to save.

Note that with port 389 and the SSL/TLS box unchecked the bind password crosses the LAN in plaintext, and a domain administrator is far more privilege than a read-only directory lookup needs. For anything beyond a lab, use a dedicated account with ordinary user rights as the Bind DN, and switch to port 636 with Require SSL/TLS secured connection checked once the DC's CA certificate has been imported on the firewall.

Click Commit and OK to save the configuration changes.

5.5.4. Configure User Mapping

To configure go to Device > User Identification > User Mapping.

Here we have 3 parts to configure: Palo Alto Networks User-ID Agent Setup, Server Monitoring, Include/Exclude Networks.

In the Palo Alto Networks User-ID Agent Setup section, click the gear icon on the right; a configuration panel appears in which the following parameters need to be configured.

Server Monitor Account tab:

  • User Name: learningit\administrator
  • Password and Confirm Password: enter the password of the administrator account in these two boxes
  • Kerberos Server Profile: None

Server Monitor tab:

  • Enable Security Log: check
  • Server Log Monitor Frequency (sec): 2
  • Enable Session: uncheck
  • Server Session Read Frequency (sec): 10
  • Novell eDirectory Query Interval (sec): 30
  • Syslog Service Profile: None

Client Probing tab:

  • Enable Probing: check
  • Probe Interval (min): 5

Be aware that WMI probing sends the Server Monitor Account's credentials to every host the firewall probes, so a rogue machine in the LAN can capture them; the vendor's own User-ID guidance is to leave probing disabled, and the captive portal does not need it, because the server monitor and the portal login supply the IP-to-user mappings.

Cache tab:

  • Enable User Identification Timeout: check
  • User Identification Timeout (min): 120
  • Allow matching usernames without domains: uncheck
  • Click OK to save.

Next we will configure Server Monitoring: click Add, the User Identification Monitored Server panel appears, and configure the following parameters:

  • Name: learningit
  • Check Enable
  • Type: Microsoft Active Directory
  • Transport Protocol: WMI
  • Network Address: 10.145.41.10
  • Click OK to save

Finally, in the Include/Exclude Networks section click Add; the Include/Exclude Network panel appears. Configure the following parameters:

  • Name: All
  • Check Enable
  • Discovery: Include
  • Network Address: 0.0.0.0/0
  • Click OK to save

After the configuration is complete, the Server Monitoring section shows the status of the monitored server as Connected.

Click Commit and OK to save the configuration changes.
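Both the LDAP profile in 5.5.3 and the Server Monitor Account above use the domain Administrator. The following PowerShell is an added example, not part of the original article: run on the domain controller (or a host with RSAT) as a domain admin, it creates the directory objects the diagram assumes (IT OU, Support group, user1 to user3) and a dedicated low-privilege account for the firewall. The account name svc-paloalto is an assumption; passwords are prompted for rather than stored in the script.

```powershell
# Added example, not from the original article. Assumed names: domain
# learningit.xyz (DC=learningit,DC=xyz) and service account svc-paloalto.
Import-Module ActiveDirectory

$Domain   = 'learningit.xyz'
$DomainDN = 'DC=learningit,DC=xyz'
$OuDN     = "OU=IT,$DomainDN"
$Svc      = 'svc-paloalto'          # assumed service account name

# 1. IT OU, Support group and the three users from the diagram
#    (idempotent: objects that already exist are left alone).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'IT'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'IT' -Path $DomainDN
}
if (-not (Get-ADGroup -Filter "Name -eq 'Support'" -SearchBase $OuDN)) {
    New-ADGroup -Name 'Support' -GroupScope Global -GroupCategory Security -Path $OuDN
}
foreach ($name in 'user1', 'user2', 'user3') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$Domain" `
            -Path $OuDN -Enabled $true `
            -AccountPassword (Read-Host -AsSecureString "Initial password for $name")
    }
    Add-ADGroupMember -Identity 'Support' -Members $name
}

# 2. Dedicated firewall account.
#    LDAP bind (5.5.3): an ordinary domain user can already read users and
#    groups, so no extra rights are needed for the Bind DN.
#    User-ID server monitoring over WMI (5.5.4): the account must be able to
#    read the DC's Security event log (Event Log Readers) and to connect over
#    DCOM (Distributed COM Users). It also needs Enable Account and Remote
#    Enable on the root\cimv2 WMI namespace, granted with wmimgmt.msc; that is
#    a namespace ACL, not a group membership, so it is not scripted here.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Svc'")) {
    New-ADUser -Name $Svc -SamAccountName $Svc -UserPrincipalName "$Svc@$Domain" `
        -Path $OuDN -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Palo Alto LDAP bind and User-ID server monitoring' `
        -AccountPassword (Read-Host -AsSecureString "Password for $Svc")
}
Add-ADGroupMember -Identity 'Event Log Readers'     -Members $Svc
Add-ADGroupMember -Identity 'Distributed COM Users' -Members $Svc

# 3. Print what goes into the firewall: Bind DN for 5.5.3, Server Monitor
#    Account for 5.5.4, and the members the group mapping in 5.5.5 should show.
"LDAP profile Bind DN   : $Svc@$Domain"
"Server Monitor Account : learningit\$Svc"
"Members of CN=Support,$OuDN :"
Get-ADGroupMember -Identity 'Support' | ForEach-Object { "  $($_.distinguishedName)" }
```

With this account in place, replace administrator@learningit.xyz in the LDAP profile and learningit\administrator in the Server Monitor Account with svc-paloalto; if the firewall is ever compromised, the attacker then holds a read-only directory account rather than a domain admin.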

5.5.5. Configure Group Mapping Setting

To configure, go to Device > User Identification > Group Mapping Settings > click Add; the Group Mapping panel appears, and we will configure the Server Profile and Group Include List tabs.

Tab Server Profile:

  • Name: learningit
  • Server Profile: learningit
  • User Domain: learningit.xyz
  • Object Class (Group Object): group
  • Object Class (User Object): person
  • Check Enable

Tab Group Include List:

  • Click the arrow next to DC=learningit,DC=xyz to display the list of OUs and groups read from AD, select the OU or group you want to use, and press the "+" sign to move it to the Included Groups table.
  • Here I will synchronize the Support group located in the IT OU.
  • Click OK to save

Click Commit and OK to save the configuration changes.
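Before committing the LDAP profile and group mapping it is worth proving, from a host in the LAN, that the server, port, Bind DN and Base DN really work and that the Support group resolves under that Base DN. The following PowerShell is an added example, not code from the article: it performs the same simple bind and the same kind of subtree search for the group that the firewall does, using the article's values as defaults, and prompts for the bind password. Passing -Port 636 -UseSsl $true exercises the LDAPS variant.

```powershell
# Added example, not from the original article: check the LDAP profile's
# settings from a LAN host and list the Support group's members.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-FirewallLdapProfile {
    param(
        [string]$Server    = '10.145.41.10',               # LDAP Server from 5.5.3
        [int]   $Port      = 389,
        [string]$BindDN    = 'administrator@learningit.xyz',
        [string]$BaseDN    = 'DC=learningit,DC=xyz',
        [string]$GroupName = 'Support',                    # group chosen in 5.5.5
        [bool]  $UseSsl    = $false
    )
    $cred = Get-Credential -UserName $BindDN -Message "Bind password for $BindDN"
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred.GetNetworkCredential())
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as the firewall does
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    $conn.Timeout = [TimeSpan]::FromSeconds(30)                               # same as Bind Timeout
    if (-not $UseSsl) { Write-Warning "Plaintext LDAP on port ${Port}: the bind password crosses the LAN unencrypted" }

    $conn.Bind()      # throws LdapException if server, port, Bind DN or password are wrong
    "Bind OK as $BindDN on ${Server}:$Port"

    # Same shape as the firewall's group lookup: subtree under Base DN,
    # objectClass=group, then read the member attribute.
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $BaseDN, "(&(objectClass=group)(cn=$GroupName))",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('member'))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) {
        throw "No group named $GroupName under $BaseDN; check Base DN and Object Class (Group Object) = group"
    }

    $entry   = $resp.Entries[0]
    $members = @()
    if ($entry.Attributes.Contains('member')) { $members = $entry.Attributes['member'].GetValues([string]) }
    "Group $($entry.DistinguishedName) has $($members.Count) member(s):"
    $members | ForEach-Object { "  $_" }
    $conn.Dispose()
    return $members
}

Test-FirewallLdapProfile
```

If the bind succeeds but the search returns nothing, the Base DN or the group's location is wrong, which shows up on the firewall as an empty Group Include List tree; if the bind itself fails, the profile will not work no matter what the mapping says.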

5.6. Create Authentication Profile

To create an Authentication Profile go to Device > Authentication Profile > click Add and configure the following parameters.

Tab Authentication:

  • Name: Learningit Auth
  • Type: select LDAP.
  • Server Profile: learningit.
  • Password Expiry Warning: 7
  • Username Modifier: select %USERDOMAIN%\%USERINPUT%

Tab Advanced:

  • In the Allow List panel, click Add and select all.
  • Selecting all means every user in the directory may authenticate; you can instead select specific users or groups (for example the Support group synced in 5.5.5) so that only they are allowed.
  • Click OK to save.

Click Commit and OK to save the configuration changes.

5.7.Enable Captive Portal

Go to Device > User Identification > Captive Portal.

Click the gear icon and configure the following parameters:

  • Select Enable Captive Portal.
  • SSL/TLS Service Profile: select local-portal
  • Authentication Profile: select Learningit Auth
  • Mode: select Redirect
  • Select Enable at Session Cookie
  • Redirect Host: enter the IP of the LAN interface, 10.145.41.1 (this must be the Common Name of the trusted-ca certificate used by the SSL/TLS Service Profile, otherwise browsers will warn about the portal page)
  • Click OK to save

Click Commit and OK to save the configuration changes.

5.8.Create Authentication Policy

Go to Policies > Authentication > click Add and create the following information:

Tab General:

  • Name: Captive_Portal

Tab Source:

  • Source Zone: select Trust-Player3 (the LAN zone)

Tab Destination:

  • Destination Zone: select Untrust (the internet/WAN zone)

Tab Service/URL Category:

  • Service: select service-http and service-https

Tab Action:

  • Authentication Enforcement: select default-web-form
  • Timeout (min): 60
  • Select Log Authentication Timeouts

Click OK to save.

Click Commit and OK to save the configuration changes.

With this configuration, users are forced to authenticate when they use the http and https protocols to connect to the internet. When they connect, the Palo Alto device redirects the connection to the authentication page at 10.145.41.1, where the user has to enter the username and password of an AD account to authenticate.

The reason we need to configure Decryption is that https traffic is encrypted; without decryption the Palo Alto firewall cannot see inside the session, and so cannot inject the redirect to the portal into it.

So if we want to enforce authentication when the user browses over https, we need to configure Decryption so that the firewall can see the https traffic passing through and enforce authentication on it.

5.9.Result

We take Laptop 1 with IP 10.145.41.3 and access the internet with a web browser. The browser is redirected to the Palo Alto authentication page. We enter the username and password of an account synced from AD; if authentication succeeds we are allowed to access the internet.

This successful authentication is also logged by the Palo Alto device; to see it go to Monitor > Authentication. This log shows which IP in the system authenticated, as which user, and where that user was obtained from.
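The browser test can be made more precise. The following PowerShell is an added example, not part of the original article: run from Laptop 1 before logging in, it sends one plain HTTP request without following redirects and checks that the firewall answered with a redirect to https on the Redirect Host from 5.7. It assumes 10.145.41.1 as the Redirect Host and uses http://example.com/ as a throwaway destination in the Untrust zone.

```powershell
# Added example, not from the original article: confirm that an unauthenticated
# HTTP request from the LAN is intercepted and sent to the captive portal.
function Test-CaptivePortalRedirect {
    param(
        [string]$Url          = 'http://example.com/',   # any Untrust destination
        [string]$RedirectHost = '10.145.41.1'            # Redirect Host from 5.7
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false      # keep the firewall's 3xx instead of following it
    $req.Timeout = 10000
    $resp = $req.GetResponse()           # a 3xx does not throw when AllowAutoRedirect is off
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
    } finally { $resp.Close() }

    "Status   : $status"
    "Location : $location"
    if ($status -lt 300 -or $status -ge 400 -or -not $location) {
        throw "No redirect: this IP is already mapped to a user (see Monitor > Authentication), or the Authentication policy did not match"
    }
    $portal = [Uri]$location
    if ($portal.Scheme -ne 'https') {
        throw "Portal is served over $($portal.Scheme), expected https"
    }
    if ($portal.Host -ne $RedirectHost) {
        throw "Redirected to $($portal.Host), expected $RedirectHost; browsers will warn unless this host matches the trusted-ca Common Name"
    }
    "OK: captive portal at https://$($portal.Host):$($portal.Port)"
    return $portal
}

Test-CaptivePortalRedirect
```

Run it again after logging in through the portal: the request should now return 200 from the destination instead of a redirect, because the laptop's IP is mapped to the user for the Timeout configured in the Authentication policy.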
