Device > User Identification > Captive Portal Settings
In the Device > User Identification > Captive Portal Settings page, Edit ( ) the following settings to configure the firewall to use Captive Portal authentication for user mapping.
If Captive Portal will use an SSL/TLS Service Profile (see Device > Certificate Management > SSL/TLS Service Profile), authentication profile (see Device > Authentication Profile), or Certificate Profile (see Device > Certificate Management > Certificate Profile), configure the profile before starting. The complete procedure to configure Captive Portal for user mapping requires additional tasks.
Field Description
Enable Captive Portal Select this option to enable the Captive Portal option for user identification.
Idle Timer (min) Enter the user time to live (user TTL) in minutes for a Captive Portal session (range is 1-1440; default is 15). This timer resets every time there is activity from a Captive Portal user. If the time the user is idle exceeds the Idle Timer value, PAN-OS removes the Captive Portal user mapping and the user must log in again.
Timer (min) This is the maximum TTL in minutes, which is the maximum time that any Captive Portal session can remain mapped (range is 1-1440; default is 60). After this duration elapses, PAN-OS removes the mapping and users must re-authenticate even if the session is active. This timer prevents stale mappings and the value set here overrides the Idle Timer value. Therefore, the best practice is to set the expiration Timer higher than the Idle Timer.
SSL/TLS Service Profile To specify a firewall server certificate and the allowed protocols for securing redirect requests, select an SSL/TLS service profile (see Device > Certificate Management > SSL/TLS Service Profile). If you select None, the firewall will use its local default certificate for SSL/TLS connections. To transparently redirect users without displaying certificate errors, assign a profile associated with a certificate that matches the IP address of the interface to which you are redirecting web requests.
Authentication Profile Select an authentication profile for authenticating users who are redirected to a web form for authentication (see Device > Authentication Profile). Even if Captive Portal will use Kerberos single sign-on (SSO) or NT LAN Manager (NTLM) authentication, you must assign an Authentication Profile or Certificate Profile to authenticate users in case Kerberos SSO or NTLM authentication fails or the client or browser does not support it.
Mode Select how the firewall captures web requests for authentication: Transparent —The firewall intercepts browser traffic according to the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to prompt the user to authenticate. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, only use this mode when absolutely necessary, such as in Layer 2 or virtual wire deployments. Redirect —The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to prompt the user to authenticate. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it requires that you enable response pages on the Interface Management profile assigned to the Layer 3 interface to which the firewall redirects web requests (for details, see Network > Network Profiles > Interface Mgmt and Layer 3 Interface). Another benefit of the Redirect mode is that it allows for session cookies, which enable the user to continue browsing to authenticated sites without requiring re-mapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won’t need to re-authenticate upon changing IP address as long as the session stays open. If Captive Portal will use Kerberos SSO (recommended) or NTLM authentication, Redirect mode is required because the browser will only provide credentials to trusted sites.
Session Cookie ( Redirect mode only ) Enable —Select this option to enable session cookies. Timeout —If you Enable session cookies, this timer specifies the number of minutes for which the cookie is valid (range is 60-10080; default is 1440). Roaming —Select this option to retain the cookie if the IP address changes while the session is active (for example, if the client moves from a wired to a wireless network). The user must re-authenticate only if the cookie times out or the user closes the browser.
Redirect Host ( Redirect mode only ) Specify the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests. If users authenticate through Kerberos single sign-on (SSO), the Redirect Host must be the same as the hostname specified in the Kerberos keytab.
Certificate Profile Select a Certificate Profile for authenticating Captive Portal users (see Device > Certificate Management > Certificate Profile). For this authentication type, Captive Portal prompts the browser to present a valid client certificate to authenticate the user. For this method, you must deploy client certificates on each user system. Furthermore, on the firewall, you must install the trusted certificate authority (CA) certificate used to issue the client certificates and assign the CA certificate to the certificate profile. This is the only authentication method that enables Transparent authentication for Mac OS and Linux clients.
NTLM Authentication When you configure Captive Portal for NT LAN Manager (NTLM) authentication , the firewall uses an encrypted challenge-response mechanism to obtain user credentials from the browser. When configured properly, the browser provides the credentials to the firewall transparently without prompting the user, but will display a prompt for credentials if necessary. If the browser cannot perform NTLM or if NTLM authentication fails, the firewall falls back to web form or Certificate Profile authentication, depending on how you configure Captive Portal. By default, Internet Explorer supports NTLM. You can configure Firefox and Chrome to use it. You cannot use NTLM to authenticate non-Windows clients. These options apply only to the Windows-based User-ID agents. When using the PAN-OS integrated User-ID agent, the firewall must be able to successfully resolve the DNS name of your domain controller to join the domain. You can then enable Enable NTLM Authentication in the PAN-OS integrated User-ID agent setup and provide the credentials for the firewall to join the domain. NTLM is available only for Windows Server version 2003 and earlier versions. To configure NTLM for use with Windows-based User-ID agents, define the following: Attempts —The number of attempts after which NTLM authentication fails (range is 1-60; default is 1). Timeout —The number of seconds after which NTLM authentication times out (range is 1-60; default is 2). Reversion Time —The number of seconds after which the firewall will retry contacting the first User-ID agent listed in the Device > User Identification > User-ID Agents page after that agent becomes unavailable (range is 60-3600; default is 300). As a best practice, choose Kerberos SSO transparent authentication over NTLM authentication when configuring Captive Portal. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.

Related Documentation