Policies > Captive Portal
Use the following tables to set up and customize a captive portal to direct user authentication by way of an authentication profile, an authentication sequence, or a certificate profile. Captive portal is used in conjunction with the User-ID Agent to extend user identification functions beyond the Active Directory domain. Users are directed to the portal and authenticated, thereby creating a user-to-IP address mapping.
Before defining captive portal policies, enable captive portal and configure captive portal settings on the User Identification page, as described in Device > User Identification > Captive Portal Settings.
The following tables describe the captive portal policy settings:
Captive Portal General Tab
Select the General tab to configure a name and description for the captive portal policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.
Field Description
Name Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description Enter a description for the rule (up to 255 characters).
Tag If you need to tag the policy, click Add to specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Captive Portal Source Tab
Select the Source tab to define the source zone or source address of the incoming traffic to which the captive portal policy applies.
Field Description
Source Specify the following information:
Choose a source zone if the policy needs to be applied to traffic coming from all interfaces in a given zone. Click Add to specify multiple interfaces or zones.
Specify the Source Address setting to apply the captive portal policy to traffic coming from specific source addresses. Select Negate to match any address except the configured ones. Click Add to specify multiple addresses.
Captive Portal Destination Tab
Select the Destination tab to define the destination zone or destination address of the traffic to which the policy applies.
Field Description
Destination Specify the following information:
Choose a destination zone if the policy needs to be applied to traffic going to all interfaces in a given zone. Click Add to specify multiple interfaces or zones.
Specify the Destination Address setting to apply the captive portal policy to traffic going to specific destination addresses. Select Negate to match any address except the configured ones. Click Add to specify multiple addresses.
Captive Portal Service/URL Category Tab
Select the Service/URL Category tab to have the policy action occur based on specific TCP and/or UDP port numbers. A URL category can also be used as an attribute for the policy.
Field Description
Service Select services to limit the rule to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down:
any — The selected services are allowed or denied on any protocol or port.
default — The selected services are allowed or denied only on the default ports defined by Palo Alto Networks. This option is recommended for allow policies.
Select — Click Add. Choose an existing service, or choose Service or Service Group to specify a new entry (or select Objects > Services and Objects > Service Groups).
URL Category Select URL categories for the captive portal rule. Choose any to apply the actions specified on the Service/Action tab regardless of the URL category. To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Refer to Objects > External Dynamic Lists for information on defining custom categories.
Captive Portal Action Tab
Select the Action tab to select the method for authenticating Captive Portal users.
Field Description
Action Setting Select an action to take:
web-form — Present a Captive Portal page for the user to explicitly enter authentication credentials or use client certificate authentication. You specify the authentication method when configuring Captive Portal.
no-captive-portal — Allow traffic to pass without presenting a captive portal page for authentication.
browser-challenge — Transparently obtain user authentication credentials. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you configure Captive Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to web-form authentication.
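To make the matching semantics of the Source, Destination and Service/URL Category tabs and the fallback chain of the Action tab concrete, the following is an added Python model written for this page; it is not PAN-OS code and does not reproduce the vendor's implementation. It models the behaviour the tables describe: rules are evaluated top-down and the first match decides, an empty field means any, Negate inverts a configured address list, and browser-challenge falls back from Kerberos SSO to NTLM to web-form. The rule names, zones, addresses, ports and URL category in the sample rulebase are constructed for the example.

```python
"""Toy model of captive portal rule matching and action fallback (added example, not PAN-OS code)."""
from dataclasses import dataclass
from typing import Optional
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """One captive portal rule. An empty set or tuple means 'any', as on the policy tabs."""
    name: str
    action: str                                  # web-form | no-captive-portal | browser-challenge
    from_zones: frozenset = frozenset()          # Source tab: zones
    src_addrs: tuple = ()                        # Source tab: CIDR strings
    negate_src: bool = False                     # Source tab: Negate
    to_zones: frozenset = frozenset()            # Destination tab: zones
    dst_addrs: tuple = ()                        # Destination tab: CIDR strings
    negate_dst: bool = False                     # Destination tab: Negate
    services: frozenset = frozenset()            # Service tab: (protocol, port) pairs
    url_categories: frozenset = frozenset()      # URL Category tab


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    url_category: Optional[str] = None           # only known for web traffic


def addr_match(ip: str, cidrs: tuple, negate: bool) -> bool:
    """Address field semantics: an empty list is 'any'; Negate inverts the match of a configured list."""
    if not cidrs:
        return True
    hit = any(ip_address(ip) in ip_network(c) for c in cidrs)
    return (not hit) if negate else hit


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every configured attribute of the rule must match the flow."""
    if rule.from_zones and flow.from_zone not in rule.from_zones:
        return False
    if rule.to_zones and flow.to_zone not in rule.to_zones:
        return False
    if not addr_match(flow.src_ip, rule.src_addrs, rule.negate_src):
        return False
    if not addr_match(flow.dst_ip, rule.dst_addrs, rule.negate_dst):
        return False
    if rule.services and (flow.protocol, flow.dst_port) not in rule.services:
        return False
    if rule.url_categories and flow.url_category not in rule.url_categories:
        return False
    return True


def first_match(rules, flow: Flow) -> Optional[Rule]:
    """Rules are evaluated top-down; the first matching rule decides the action."""
    return next((r for r in rules if rule_matches(r, flow)), None)


def resolve_auth_method(rule: Optional[Rule], *, kerberos_sso: bool, ntlm: bool,
                        kerberos_ok: bool = True, ntlm_ok: bool = True) -> str:
    """Authentication method actually applied, following the Action tab's fallback chain.

    kerberos_sso / ntlm: whether the method is enabled in the Captive Portal settings.
    kerberos_ok / ntlm_ok: whether the transparent attempt succeeds for this client.
    """
    if rule is None or rule.action == "no-captive-portal":
        return "none"                            # no portal page is presented
    if rule.action == "web-form":
        return "web-form"
    if rule.action != "browser-challenge":
        raise ValueError(f"unknown action {rule.action!r}")
    if kerberos_sso and kerberos_ok:
        return "kerberos-sso"
    if ntlm and ntlm_ok:
        return "ntlm"                            # Kerberos SSO failed, NTLM configured and succeeded
    return "web-form"                            # NTLM not configured or failed: final fallback


# Constructed sample rulebase, top-down order.
RULES = [
    Rule("exempt-os-updates", "no-captive-portal", from_zones=frozenset({"trust"}),
         services=frozenset({("tcp", 443)}),
         url_categories=frozenset({"computer-and-internet-info"})),
    Rule("domain-hosts-sso", "browser-challenge", from_zones=frozenset({"trust"}),
         src_addrs=("10.0.0.0/8",)),
    Rule("non-domain-web-form", "web-form", from_zones=frozenset({"trust"}),
         src_addrs=("10.0.0.0/8",), negate_src=True),
]

# Constructed sample flows.
SAMPLE_FLOWS = {
    "update_client": Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "tcp", 443, "computer-and-internet-info"),
    "domain_host":   Flow("trust", "untrust", "10.1.2.3", "203.0.113.20", "tcp", 443, "news"),
    "guest_laptop":  Flow("trust", "untrust", "192.168.50.7", "203.0.113.20", "tcp", 80, "news"),
    "dmz_server":    Flow("dmz", "untrust", "172.16.0.9", "203.0.113.30", "tcp", 443, "news"),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        rule = first_match(RULES, flow)
        method = resolve_auth_method(rule, kerberos_sso=True, ntlm=True, kerberos_ok=False)
        print(f"{label:14} -> rule={rule.name if rule else None!s:22} auth={method}")
```

The guest_laptop flow shows why Negate matters: it is matched by a rule whose address list it is not in, which is the intended way to catch hosts outside the domain ranges. The dmz_server flow matches no rule, so no portal is presented; in the model that is reported as "none".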