Captive Portal vs. GlobalProtect: User Authentication and User-ID Mapping
Overview
Palo Alto Networks' PAN-OS offers multiple methods for user authentication and IP-to-username mapping, essential for implementing user-based security policies. Two prominent methods are Captive Portal and GlobalProtect. This document compares these methods, detailing their mechanisms, use cases, and how they contribute to User-ID mappings.
Captive Portal
Captive Portal, also known as Authentication Portal, prompts users to authenticate when their traffic matches specific Authentication Policy rules. It's particularly useful in environments where users are not logged into monitored domains, such as guest networks or non-Windows systems.
Authentication Methods:
Kerberos SSO:
Attempts transparent authentication using Kerberos tickets.
Web Form:
Presents a login page supporting various authentication protocols like LDAP, RADIUS, SAML, or MFA.
Client Certificate:
Authenticates users based on client certificates installed on their devices.
Modes of Operation:
Redirect Mode:
Redirects users to a designated authentication page, minimizing certificate errors.
Transparent Mode:
Intercepts traffic and presents authentication challenges directly, which may lead to certificate warnings.
Use Cases:
Guest or BYOD networks.
Environments lacking domain integration.
Situations requiring user authentication for specific applications or services.
GlobalProtect
GlobalProtect is Palo Alto Networks' VPN solution that provides secure access to enterprise resources. It ensures that user authentication occurs before granting network access, thereby maintaining accurate User-ID mappings.
Authentication Mechanisms:
Credential-Based:
Users authenticate using their enterprise credentials.
Client Certificates:
Utilizes certificates for authentication, enhancing security.
SAML Integration:
Supports single sign-on (SSO) through SAML identity providers.
Deployment Scenarios:
Always-On VPN:
Ensures continuous security by maintaining a persistent VPN connection.
On-Demand VPN:
Establishes VPN connections as needed, based on user actions or policies.
Use Cases:
Remote workforce requiring secure access to internal resources.
Organizations needing consistent user authentication across various locations.
Environments where device posture and compliance need to be assessed before granting access.
Comparison Table
Feature | Captive Portal | GlobalProtect
Authentication Trigger | When traffic matches Authentication Policy rules | Upon VPN connection initiation
User Experience | May require manual login; potential certificate warnings |
Authentication Portal Modes: Transparent vs. Redirect
Palo Alto Networks' PAN-OS offers two modes for the Authentication Portal, which determine how the firewall captures web requests for user authentication:
Transparent Mode
Mechanism:
The firewall intercepts browser traffic as per the Authentication Policy rule and impersonates the original destination URL, issuing an HTTP 401 response to invoke authentication.
Certificate Consideration:
Since the firewall does not possess the actual certificate for the destination URL, users accessing secure sites (HTTPS) will encounter browser certificate errors.
Use Case:
Recommended only when absolutely necessary, such as in Layer 2 or virtual wire deployments where Redirect mode isn't feasible.
Redirect Mode
Mechanism:
The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect for authentication.
User Experience:
Preferred mode as it avoids certificate errors, providing a smoother user experience.
Session Management:
Supports session cookies, allowing users to continue browsing authenticated sites without re-authentication upon IP address changes, beneficial for roaming users.
Requirements:
Necessitates additional Layer 3 configuration, including DNS records for the redirect host.
Compatibility:
Essential for environments utilizing Kerberos Single Sign-On (SSO) or Multi-Factor Authentication (MFA), as browsers provide credentials only to trusted sites.
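The following is an added, constructed simulation (not PAN-OS code and not Palo Alto Networks' implementation) of the two portal modes described above: Transparent mode answering an unauthenticated request with HTTP 401 while impersonating the destination host, Redirect mode answering with HTTP 302 to a dedicated Layer 3 portal host, the IP-to-username mapping that a successful login creates, and the Redirect-mode session cookie that lets a roaming user keep browsing after an IP change. The portal hostname, login path, cookie name and the `WWW-Authenticate: Negotiate` challenge are illustrative assumptions, not actual PAN-OS values.

```python
"""
Constructed model of an Authentication Portal decision, for illustration only.
Not PAN-OS code: hostnames, paths, cookie name and headers are placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote

PORTAL_HOST = "auth-portal.example.internal"  # assumed redirect host; needs a DNS record
COOKIE_NAME = "portal_session"                # hypothetical session cookie name


@dataclass
class Request:
    src_ip: str
    host: str
    path: str
    scheme: str = "https"
    cookies: dict = field(default_factory=dict)


@dataclass
class Firewall:
    mode: str                                         # "transparent" or "redirect"
    ip_user_map: dict = field(default_factory=dict)   # User-ID mapping: IP -> username
    sessions: dict = field(default_factory=dict)      # cookie value -> username

    def handle(self, req: Request) -> dict:
        """Return the firewall's action for one intercepted web request."""
        # 1. Source IP already mapped: user-based policy can match, pass the traffic.
        user = self.ip_user_map.get(req.src_ip)
        if user:
            return {"status": 200, "user": user, "action": "allow"}

        # 2. Redirect mode only: a valid session cookie survives an IP change,
        #    so the new IP is mapped without prompting the user again.
        cookie = req.cookies.get(COOKIE_NAME)
        if self.mode == "redirect" and cookie in self.sessions:
            user = self.sessions[cookie]
            self.ip_user_map[req.src_ip] = user
            return {"status": 200, "user": user, "action": "allow"}

        # 3. Unknown user: challenge according to the configured mode.
        original = f"{req.scheme}://{req.host}{req.path}"
        if self.mode == "transparent":
            # The firewall answers *as* req.host. For HTTPS it cannot present
            # that host's certificate, so the browser warns before the 401 is seen.
            return {
                "status": 401,
                "headers": {"WWW-Authenticate": "Negotiate"},  # assumed Kerberos SSO challenge
                "served_as": req.host,
                "cert_warning": req.scheme == "https",
            }
        # Redirect mode: send the browser to the portal's own Layer 3 interface,
        # whose certificate the browser can validate, carrying the original URL.
        location = f"https://{PORTAL_HOST}/login?url={quote(original, safe='')}"
        return {
            "status": 302,
            "headers": {"Location": location},
            "served_as": PORTAL_HOST,
            "cert_warning": False,
        }

    def login(self, src_ip: str, username: str, cookie: Optional[str] = None) -> None:
        """Successful portal authentication: create the IP-to-username mapping
        and, in Redirect mode, remember the session cookie for roaming."""
        self.ip_user_map[src_ip] = username
        if self.mode == "redirect" and cookie:
            self.sessions[cookie] = username


if __name__ == "__main__":
    fw = Firewall(mode="redirect")
    print(fw.handle(Request("10.1.1.5", "intranet.example.com", "/")))   # 302 to portal
    fw.login("10.1.1.5", "alice", cookie="c1")
    print(fw.handle(Request("10.1.1.99", "intranet.example.com", "/",
                            cookies={COOKIE_NAME: "c1"})))               # allowed as alice
```

The model makes the trade-off in the text concrete: in Transparent mode the challenge is served under a hostname the firewall has no certificate for, so an HTTPS user sees a warning before any login page, and a cookie does not help after an IP change; in Redirect mode the challenge comes from the portal host itself, which is why it needs its own DNS record and certificate but gives a clean login and cookie-based roaming.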