🔐 Palo Alto Networks Captive Portal Authentication Guide

1. Overview of Captive Portal Authentication

Captive Portal is a feature on Palo Alto Networks firewalls that prompts users to authenticate before granting access to network resources. When a user's traffic matches an Authentication Policy rule, the firewall intercepts the request and redirects the user to an authentication page. Upon successful authentication, the user's IP address is mapped to their username, enabling user-based policy enforcement.

2. Authentication Methods

The Captive Portal supports various authentication methods:

• Web Form: Users enter credentials into a web form. Supports integration with LDAP, RADIUS, TACACS+, SAML, and local user databases.
• Kerberos SSO: Enables single sign-on by obtaining user credentials from the browser. Requires a Kerberos infrastructure.
• Client Certificate: Authenticates users based on client certificates installed on their devices.

For more details, refer to the Captive Portal Authentication Methods documentation.

3. Captive Portal Modes

The firewall offers two modes for Captive Portal operation:

• Redirect Mode: Preferred mode that redirects users to a dedicated authentication page hosted on the firewall. Provides a better user experience and supports Kerberos SSO and MFA.
• Transparent Mode: Intercepts traffic and issues HTTP 401 responses to prompt for authentication. May cause certificate errors in browsers and is generally used in specific deployment scenarios.

Learn more about these modes in the Authentication Portal Modes guide.

4. Constructing an Authentication Policy

To implement Captive Portal authentication, follow these steps:

1. Configure Authentication Profiles: Define how the firewall authenticates users, specifying the authentication method and server profiles.
2. Create Authentication Enforcement Objects: Associate authentication profiles with specific methods (e.g., web-form, browser-challenge).
3. Set Up Captive Portal: Enable Captive Portal on the desired interfaces and specify the redirect host and SSL/TLS service profile.
4. Define Authentication Policy Rules: Specify the source and destination zones, users, services, and the associated authentication enforcement object.

Detailed configuration steps are available in the Configure Authentication Policy documentation.

5. Best Practices and Considerations

• Use Redirect Mode: Offers a seamless user experience and supports advanced authentication methods.
• Implement SSL/TLS Certificates: Ensure that the redirect host uses a valid certificate to prevent browser warnings.
• Integrate with User-ID: Captive Portal updates User-ID mappings, enabling user-based policy enforcement.
• Monitor Authentication Logs: Regularly review logs to identify and troubleshoot authentication issues.

6. Additional Resources

• Configure Captive Portal
• Authentication Policy